Fix falco-driver-loader SELinux insmod denials

[dwindsor]

Signed-off-by: David Windsor dwindsor@secureworks.com

What type of PR is this?

Uncomment one (or more) /kind <> lines:
/kind bug

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:
/area build

What this PR does / why we need it:
Currently, SELinux prevents falco-driver-loader from calling insmod on falco .ko files. This is because the .ko files are mislabeled - they need to be relabeled modules_object_t:

type=AVC msg=audit(1634143507.210:1101): avc:  denied  { module_load } for  pid=15732 comm="insmod" path="/root/.falco/falco_centos_4.18.0-305.3.1.el8.x86_64_1.ko" dev="dm-0" ino=3427522 scontext=unconfined_u:unconfined_r:kmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=system permissive=0

Which issue(s) this PR fixes:

Fixes #1755

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

fix(scripts/falco-driver-loader): fix for SELinux insmod denials

[poiana]

Welcome @dwindsor! It looks like this is your first PR to falcosecurity/falco 🎉

[leodido]

Really good catch!

/lgtm

[poiana]

LGTM label has been added.

Git tree hash: 1a34b1678c3bcab594dd6ba14825a9c67bdd63a9

[LucaGuerra]

Do you think there could be issues if the OS doesn't have SELinux installed or enabled? I was also thinking about the availability of the chcon command itself but it looks much more ubiquitous than I thought!

[leodido]

Left suggestions which I believe is worth considering

[ghost]

Good catch. We were only considering CentOS 7 and 8, both of which will have chcon. LGTM.

[poiana]

@dwindsor-scwx: changing LGTM is restricted to collaborators

In response to this:

Good catch. We were only considering CentOS 7 and 8, both of which will have chcon. LGTM.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[leogr]

Thank you for submitting this PR :)

LGTM
/approve
/milestone 0.31.0

[poiana]

LGTM label has been added.

Git tree hash: d45258ea20172fe7e49136eafb4faed3741c7bc2

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dwindsor, leodido, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leodido,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[leogr]

/cc @leodido