Use semodule -lfull --checksum instead of the datastore

SELinux userspace release 3.4 introduced a new command line option
[-m|--checksum] to `semodule` which adds sha256 checksum of modules to
its output. It can be used to check whether the same module is already
installed or not. Given that selinuxd installed modules use priority 350
we can  use semodule checksum and priority 350 as an indicator whether a
module was already installed by selinuxd or not and therefore there's no
need to track the state of modules in a separate datastore.

`semodule --checksum` is supported since Red Hat Enterprise Linux 8.6

The behavior of status_server has been changed:

/policies/ return list of policy modules consting of
  { Name, Ext, Checksum }, e.g

    [{"Name":"ssh","Ext":"cil","Checksum":"sha256:004955cac8f0714d0c99feead64cd9b904cd798850d96a1881c3d085f934beaf"}]

/policies/{policy}
  - returns { Name, Ext, Checksum } if the policy is installed

  - returns NotFound if policy is not installed, message:
    "policy is not installed"

  - returns NotFound if file in /etc/selinud.d doesn't match the
  installed module, e.g. when user ran `semodule -X 350 module.cil`,
  message:
    "Installed policy ssh does not much policy file /etc/selinux.d/ssh.cil"

Signed-off-by: Petr Lautrbach <[email protected]>

Author: bachradsusi

pkg/daemon/action.go

@@ -1,8 +1,6 @@
 package daemon
 
 import (
-	"bytes"
-	"errors"
 	"fmt"
 
 	"github.com/containers/selinuxd/pkg/datastore"
@@ -40,34 +38,14 @@ func (pi *policyInstall) do(modulePath string, sh seiface.Handler, ds datastore.
 		return "", fmt.Errorf("installing policy: %w", csErr)
 	}
 
-	p, getErr := ds.Get(policyName)
+	module, getErr := sh.GetPolicyModule(policyName)
 	// If the checksums are equal, the policy is already installed
 	// and in an appropriate state
-	if getErr == nil && bytes.Equal(p.Checksum, cs) {
+	if getErr == nil && module.Checksum == cs {
 		return "", nil
-	} else if getErr != nil && !errors.Is(getErr, datastore.ErrPolicyNotFound) {
-		return "", fmt.Errorf("installing policy: couldn't access datastore: %w", getErr)
 	}
 
 	installErr := sh.Install(pi.path)
-	status := datastore.InstalledStatus
-	var msg string
-
-	if installErr != nil {
-		status = datastore.FailedStatus
-		msg = installErr.Error()
-	}
-
-	ps := datastore.PolicyStatus{
-		Policy:   policyName,
-		Status:   status,
-		Message:  msg,
-		Checksum: cs,
-	}
-	puterr := ds.Put(ps)
-	if puterr != nil {
-		return "", fmt.Errorf("failed persisting status in datastore: %w", puterr)
-	}
 
 	if installErr != nil {
 		return "", fmt.Errorf("failed executing install action: %w", installErr)
@@ -96,19 +74,13 @@ func (pi *policyRemove) do(modulePath string, sh seiface.Handler, ds datastore.D
 	}
 
 	if !pi.moduleInstalled(sh, policyArg) {
-		if err := ds.Remove(policyArg); err != nil {
-			return "Module is not in the system", fmt.Errorf("failed removing policy from datastore: %w", err)
-		}
 		return "No action needed; Module is not in the system", nil
 	}
 
 	if err := sh.Remove(policyArg); err != nil {
 		return "", fmt.Errorf("failed executing remove action: %w", err)
 	}
 
-	if err := ds.Remove(policyArg); err != nil {
-		return "", fmt.Errorf("failed removing policy from datastore: %w", err)
-	}
 	return "", nil
 }
 
@@ -119,7 +91,7 @@ func (pi *policyRemove) moduleInstalled(sh seiface.Handler, policy string) bool
 	}
 
 	for _, mod := range currentModules {
-		if policy == mod {
+		if policy == mod.Name {
 			return true
 		}
 	}

pkg/daemon/daemon.go

@@ -39,7 +39,7 @@ func Daemon(opts *SelinuxdOptions, mPath string, sh seiface.Handler, ds datastor
 		defer ds.Close()
 	}
 
-	ss, err := initStatusServer(opts.StatusServerConfig, ds.GetReadOnly(), l)
+	ss, err := initStatusServer(opts.StatusServerConfig, ds.GetReadOnly(), sh, l, mPath)
 	if err != nil {
 		l.Error(err, "Unable initialize status server")
 		panic(err)

pkg/daemon/status_server.go

@@ -11,6 +11,8 @@ import (
 	"time"
 
 	"github.com/containers/selinuxd/pkg/datastore"
+	seiface "github.com/containers/selinuxd/pkg/semodule/interface"
+	"github.com/containers/selinuxd/pkg/utils"
 	"github.com/go-logr/logr"
 	"github.com/gorilla/mux"
 )
@@ -31,12 +33,20 @@ type StatusServerConfig struct {
 type statusServer struct {
 	cfg   StatusServerConfig
 	ds    datastore.ReadOnlyDataStore
+	sh    seiface.Handler
 	l     logr.Logger
+	mPath string
 	lst   net.Listener
 	ready bool
 }
 
-func initStatusServer(cfg StatusServerConfig, ds datastore.ReadOnlyDataStore, l logr.Logger) (*statusServer, error) {
+func initStatusServer(
+	cfg StatusServerConfig,
+	ds datastore.ReadOnlyDataStore,
+	sh seiface.Handler,
+	l logr.Logger,
+	mPath string,
+) (*statusServer, error) {
 	if cfg.Path == "" {
 		cfg.Path = DefaultUnixSockAddr
 	}
@@ -48,7 +58,7 @@ func initStatusServer(cfg StatusServerConfig, ds datastore.ReadOnlyDataStore, l
 		return nil, fmt.Errorf("setting up socket: %w", err)
 	}
 
-	ss := &statusServer{cfg, ds, l, lst, false}
+	ss := &statusServer{cfg, ds, sh, l, mPath, lst, false}
 	return ss, nil
 }
 
@@ -111,7 +121,7 @@ func (ss *statusServer) initializeRoutes(r *mux.Router) {
 }
 
 func (ss *statusServer) listPoliciesHandler(w http.ResponseWriter, r *http.Request) {
-	modules, err := ss.ds.List()
+	modules, err := ss.sh.List()
 	if err != nil {
 		http.Error(w, "Cannot list modules", http.StatusInternalServerError)
 		return
@@ -127,17 +137,29 @@ func (ss *statusServer) listPoliciesHandler(w http.ResponseWriter, r *http.Reque
 func (ss *statusServer) getPolicyStatusHandler(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	policy := vars["policy"]
-	status, err := ss.ds.Get(policy)
-	if errors.Is(err, datastore.ErrPolicyNotFound) {
-		http.Error(w, "couldn't find requested policy", http.StatusNotFound)
+	module, err := ss.sh.GetPolicyModule(policy)
+	if errors.Is(err, seiface.ErrPolicyNotFound) {
+		http.Error(w, "policy is not installed", http.StatusNotFound)
 		return
 	} else if err != nil {
 		ss.l.Error(err, "error getting status")
 		http.Error(w, "Cannot get status", http.StatusInternalServerError)
 		return
 	}
 
-	err = json.NewEncoder(w).Encode(status)
+	policyFile := ss.mPath + "/" + module.Name + "." + module.Ext
+	cs, csErr := utils.Checksum(policyFile)
+
+	if csErr != nil {
+		http.Error(w, "cannot find policy file "+policyFile, http.StatusNotFound)
+		return
+	}
+
+	if cs != module.Checksum {
+		http.Error(w, "Installed policy "+module.Name+" does not much policy file "+policyFile, http.StatusNotFound)
+		return
+	}
+	err = json.NewEncoder(w).Encode(module)
 	if err != nil {
 		ss.l.Error(err, "error writing status response")
 		http.Error(w, "Cannot get status", http.StatusInternalServerError)

pkg/semodule/interface/interface.go

@@ -5,6 +5,12 @@ import (
 	"fmt"
 )
 
+type PolicyModule struct {
+	Name     string
+	Ext      string
+	Checksum string
+}
+
 // errors
 var (
 	// ErrHandleCreate is an error when getting a handle to semanage
@@ -23,6 +29,8 @@ var (
 	ErrCannotInstallModule = errors.New("cannot install module")
 	// ErrCommit is an error when committing the changes to the SELinux policy
 	ErrCommit = errors.New("cannot commit changes to policy")
+	// ErrPolicyNotFound is an error policy is not found in SELinux policy modules store
+	ErrPolicyNotFound = errors.New("policy not found in SELinux store")
 )
 
 func NewErrCannotRemoveModule(mName string) error {
@@ -42,7 +50,8 @@ func NewErrCommit(origErrVal int, msg string) error {
 type Handler interface {
 	SetAutoCommit(bool)
 	Install(string) error
-	List() ([]string, error)
+	List() ([]PolicyModule, error)
+	GetPolicyModule(string) (PolicyModule, error)
 	Remove(string) error
 	Commit() error
 	Close() error

pkg/semodule/policycoreutils/policycoreutils.go

@@ -46,22 +46,42 @@ func (smt *SEModulePcuHandler) Install(modulePath string) error {
 	return nil
 }
 
-func (smt *SEModulePcuHandler) List() ([]string, error) {
-	out, err := runSemodule("-lfull")
+func (smt *SEModulePcuHandler) List() ([]seiface.PolicyModule, error) {
+	out, err := runSemodule("-lfull", "--checksum")
 	if err != nil {
 		smt.logger.Error(err, "Listing policies")
 		return nil, seiface.ErrList
 	}
-	modules := make([]string, 0)
+	modules := make([]seiface.PolicyModule, 0)
 	for _, line := range strings.Split(string(out), "\n") {
-		module := strings.Split(line, " ")
+		module := strings.Fields(line)
+		if len(module) != 4 {
+			continue
+		}
 		if module[0] == "350" {
-			modules = append(modules, module[1])
+			policyModule := seiface.PolicyModule{module[1], module[2], module[3]}
+			modules = append(modules, policyModule)
 		}
 	}
 	return modules, nil
 }
 
+func (smt *SEModulePcuHandler) GetPolicyModule(moduleName string) (seiface.PolicyModule, error) {
+	modules, err := smt.List()
+	if err != nil {
+		smt.logger.Error(err, "Getting module checksum")
+		return seiface.PolicyModule{}, seiface.ErrList
+	}
+	for _, module := range modules {
+		// 350 module  cil  sha256:dadb16b11a1d298e57cbd965f5fc060b7a9263b8d6b23af7763e68ac22fb5265
+		if module.Name == moduleName {
+			smt.logger.Info(moduleName, "checksum", module.Checksum)
+			return module, nil
+		}
+	}
+	return seiface.PolicyModule{}, seiface.ErrPolicyNotFound
+}
+
 func (smt *SEModulePcuHandler) Remove(modToRemove string) error {
 	out, err := runSemodule("-X", "350", "-r", modToRemove)
 	if err != nil {

pkg/semodule/semanage/semanage.go

@@ -14,12 +14,13 @@ void wrap_set_cb(semanage_handle_t *handle, void *arg);
 
 */
 import "C"
+
 import (
 	"bytes"
-	"github.com/containers/selinuxd/pkg/semodule/interface"
 	"sync"
 	"unsafe"
 
+	"github.com/containers/selinuxd/pkg/semodule/interface"
 	"github.com/go-logr/logr"
 )
 

pkg/semodule/test/testhandler.go

@@ -49,11 +49,23 @@ func (smt *SEModuleTestHandler) IsModuleInstalled(module string) bool {
 	return false
 }
 
-func (smt *SEModuleTestHandler) List() ([]string, error) {
+func (smt *SEModuleTestHandler) List() ([]seiface.PolicyModule, error) {
 	// Return a copy
 	smt.mu.Lock()
 	defer smt.mu.Unlock()
-	return append([]string(nil), smt.modules...), nil
+	policyModules := []seiface.PolicyModule{}
+	for _, module := range smt.modules {
+		m, err := smt.GetPolicyModule(module)
+		if err != nil {
+			return policyModules, err
+		}
+		policyModules = append(policyModules, m)
+	}
+	return policyModules, nil
+}
+
+func (smt *SEModuleTestHandler) GetPolicyModule(moduleName string) (seiface.PolicyModule, error) {
+	return seiface.PolicyModule{Name: "policy", Ext: "cil", Checksum: "sha256"}, nil
 }
 
 func (smt *SEModuleTestHandler) Remove(modToRemove string) error {

pkg/utils/utils.go

@@ -1,7 +1,8 @@
 package utils
 
 import (
-	"crypto/sha512"
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -35,17 +36,17 @@ func PolicyNameFromPath(path string) (string, error) {
 }
 
 // Checksum returns a checksum for a file on a given path
-func Checksum(path string) ([]byte, error) {
+func Checksum(path string) (string, error) {
 	f, err := os.Open(path)
 	if err != nil {
-		return nil, fmt.Errorf("unable to calculate checksum: %w", err)
+		return "", fmt.Errorf("unable to calculate checksum: %w", err)
 	}
 	defer f.Close()
 
-	h := sha512.New()
+	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
-		return nil, fmt.Errorf("unable to calculate checksum: %w", err)
+		return "", fmt.Errorf("unable to calculate checksum: %w", err)
 	}
 
-	return h.Sum(nil), nil
+	return fmt.Sprintf("sha256:%s", hex.EncodeToString(h.Sum(nil))), nil
 }