only embed module source in Linux builds

Author: capnspacehook

assets/install-scripts/install-selinux.sh

@@ -41,7 +41,7 @@ while getopts "c:t:" opt; do
 done
 
 # Write SELinux module source to a temporary directory
-WORK_DIR="$(mktemp -d teleport-selinux.XXXXXXXX)"
+WORK_DIR="$(mktemp -d --suffix teleport-selinux.XXXXXXXX)"
 trap 'rm -rf "${WORK_DIR}"' EXIT INT TERM
 
 "${TELEPORT}" selinux-ssh module-source > "${WORK_DIR}/teleport_ssh.te"

lib/selinux/module.go

@@ -0,0 +1,57 @@
+// Copyright 2025 Open Container Initiative
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Original source: https://github.com/opencontainers/selinux/blob/main/go-selinux/selinux_linux.go#L229
+//
+// Modified to return an error.
+
+package selinux
+
+import (
+	"bufio"
+	"bytes"
+	"os"
+
+	"github.com/gravitational/trace"
+)
+
+func readConfig(target string) (string, error) {
+	in, err := os.Open(selinuxConfig)
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+	defer in.Close()
+
+	scanner := bufio.NewScanner(in)
+
+	for scanner.Scan() {
+		line := bytes.TrimSpace(scanner.Bytes())
+		if len(line) == 0 {
+			// Skip blank lines
+			continue
+		}
+		if line[0] == ';' || line[0] == '#' {
+			// Skip comments
+			continue
+		}
+		fields := bytes.SplitN(line, []byte{'='}, 2)
+		if len(fields) != 2 {
+			continue
+		}
+		if string(fields[0]) == target {
+			return string(bytes.Trim(fields[1], `"`)), nil
+		}
+	}
+
+	return "", nil
+}

lib/selinux/read_config_linux.go

@@ -19,70 +19,68 @@
 package selinux
 
 import (
-	"bufio"
 	"bytes"
 	"context"
+	_ "embed"
 	"io/fs"
 	"log/slog"
-	"os"
 	"path/filepath"
 	"strings"
+	"text/template"
 
 	"github.com/gravitational/trace"
 	ocselinux "github.com/opencontainers/selinux/go-selinux"
+
+	"github.com/gravitational/teleport/lib/versioncontrol"
 )
 
 const (
 	selinuxConfig        = "/etc/selinux/config"
 	selinuxTypeTag       = "SELINUXTYPE"
+	moduleName           = "teleport_ssh"
+	domain               = "teleport_ssh_t"
 	permissiveModuleName = "permissive_" + domain
 )
 
-// Copyright 2025 Open Container Initiative
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// Original source: https://github.com/opencontainers/selinux/blob/main/go-selinux/selinux_linux.go#L229
-// Modified to return an error.
-func readConfig(target string) (string, error) {
-	in, err := os.Open(selinuxConfig)
+//go:embed teleport_ssh.te
+var module string
+
+//go:embed teleport_ssh.fc.tmpl
+var fileContexts string
+
+// ModuleSource returns the source of the SELinux SSH module.
+func ModuleSource() string {
+	return module
+}
+
+type filePaths struct {
+	InstallDir     string
+	DataDir        string
+	ConfigPath     string
+	UpgradeUnitDir string
+}
+
+// FileContexts returns file contexts for the SELinux SSH module.
+func FileContexts(installDir, dataDir, configPath string) (string, error) {
+	fcTempl, err := template.New("selinux file contexts").Parse(fileContexts)
 	if err != nil {
-		return "", trace.Wrap(err)
+		return "", trace.Wrap(err, "failed to parse file contexts template")
 	}
-	defer in.Close()
 
-	scanner := bufio.NewScanner(in)
-
-	for scanner.Scan() {
-		line := bytes.TrimSpace(scanner.Bytes())
-		if len(line) == 0 {
-			// Skip blank lines
-			continue
-		}
-		if line[0] == ';' || line[0] == '#' {
-			// Skip comments
-			continue
-		}
-		fields := bytes.SplitN(line, []byte{'='}, 2)
-		if len(fields) != 2 {
-			continue
-		}
-		if string(fields[0]) == target {
-			return string(bytes.Trim(fields[1], `"`)), nil
-		}
+	// Generate a file specifying the locations of important dirs so SELinux
+	// will allow Teleport SSH to be able to access them.
+	var buf bytes.Buffer
+	err = fcTempl.Execute(&buf, filePaths{
+		InstallDir:     installDir,
+		DataDir:        dataDir,
+		ConfigPath:     configPath,
+		UpgradeUnitDir: versioncontrol.UnitConfigDir,
+	})
+	if err != nil {
+		return "", trace.Wrap(err, "failed to expand file contexts template")
 	}
 
-	return "", nil
+	return buf.String(), nil
 }
 
 // CheckConfiguration returns an error if SELinux is not configured to

lib/selinux/selinux_linux.go

@@ -21,20 +21,31 @@
 package selinux
 
 import (
-	"errors"
 	"log/slog"
+
+	"github.com/gravitational/trace"
 )
 
-var errPlatformNotSupported = errors.New("platform not supported")
+const errPlatformNotSupportedMsg = "platform not supported"
+
+// ModuleSource returns the source of the SELinux SSH module.
+func ModuleSource() string {
+	return ""
+}
+
+// FileContexts returns file contexts for the SELinux SSH module.
+func FileContexts(installDir, dataDir, configPath string) (string, error) {
+	return "", trace.Errorf(errPlatformNotSupportedMsg)
+}
 
 // CheckConfiguration returns an error if SELinux is not configured to
 // enforce the SSH service correctly.
 func CheckConfiguration(ensureEnforced bool, logger *slog.Logger) error {
-	return errPlatformNotSupported
+	return trace.Errorf(errPlatformNotSupportedMsg)
 }
 
 // UserContext returns the SELinux context that should be used when
 // creating processes as a certain user.
 func UserContext(login string) (string, error) {
-	return "", errPlatformNotSupported
+	return "", trace.Errorf(errPlatformNotSupportedMsg)
 }

lib/selinux/selinux_others.go

@@ -29,6 +29,7 @@ import (
 	"os/user"
 	"path"
 	"path/filepath"
+	"runtime"
 	"slices"
 	"strconv"
 	"strings"
@@ -201,8 +202,10 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 		"AWS region AWS hosted database instance is running in.").Hidden().
 		StringVar(&ccf.DatabaseAWSRegion)
 	start.Flag("no-debug-service", "Disables debug service.").BoolVar(&ccf.DisableDebugService)
-	start.Flag("enable-selinux", "Enables SELinux support for Teleport SSH and exits if SELinux is not configured correctly.").Hidden().BoolVar(&ccf.EnableSELinux)
-	start.Flag("ensure-selinux-enforcing", "Exits with an error if SELinux is not configured to enforce Teleport SSH.").Hidden().BoolVar(&ccf.EnsureSELinuxEnforcing)
+	if runtime.GOOS == "linux" {
+		start.Flag("enable-selinux", "Enables SELinux support for Teleport SSH and exits if SELinux is not configured correctly.").Hidden().BoolVar(&ccf.EnableSELinux)
+		start.Flag("ensure-selinux-enforcing", "Exits with an error if SELinux is not configured to enforce Teleport SSH.").Hidden().BoolVar(&ccf.EnsureSELinuxEnforcing)
+	}
 
 	// define start's usage info (we use kingpin's "alias" field for this)
 	start.Alias(usageNotes + usageExamples)
@@ -588,11 +591,14 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 	collectProfilesCmd.Arg("PROFILES", fmt.Sprintf("Comma-separated profile names to be exported. Supported profiles: %s. Default: %s", strings.Join(slices.Collect(maps.Keys(debugclient.SupportedProfiles)), ","), strings.Join(defaultCollectProfiles, ","))).StringVar(&ccf.Profiles)
 	collectProfilesCmd.Flag("seconds", "For CPU and trace profiles, profile for the given duration (if set to 0, it returns a profile snapshot). For other profiles, return a delta profile. Default: 0").Short('s').Default("0").IntVar(&ccf.ProfileSeconds)
 
-	selinuxCmd := app.Command("selinux-ssh", "Commands related to SSH SELinux module.").Hidden()
-	selinuxCmd.Flag("config", fmt.Sprintf("Path to a configuration file [%v].", defaults.ConfigFilePath)).Short('c').ExistingFileVar(&ccf.ConfigFile)
-	moduleSourceCmd := selinuxCmd.Command("module-source", "Export SSH SELinux module source to stdout.").Hidden()
-	fileContextsCmd := selinuxCmd.Command("file-contexts", "Export SSH SELinux file contexts to stdout.").Hidden()
-	selinuxDirsCmd := selinuxCmd.Command("dirs", "Export directories that may need to be labeled for SSH SELinux module to work correctly.").Hidden()
+	var moduleSourceCmd, fileContextsCmd, selinuxDirsCmd *kingpin.CmdClause
+	if runtime.GOOS == "linux" {
+		selinuxCmd := app.Command("selinux-ssh", "Commands related to SSH SELinux module.").Hidden()
+		selinuxCmd.Flag("config", fmt.Sprintf("Path to a configuration file [%v].", defaults.ConfigFilePath)).Short('c').ExistingFileVar(&ccf.ConfigFile)
+		moduleSourceCmd = selinuxCmd.Command("module-source", "Export SSH SELinux module source to stdout.").Hidden()
+		fileContextsCmd = selinuxCmd.Command("file-contexts", "Export SSH SELinux file contexts to stdout.").Hidden()
+		selinuxDirsCmd = selinuxCmd.Command("dirs", "Export directories that may need to be labeled for SSH SELinux module to work correctly.").Hidden()
+	}
 
 	backendCmd := app.Command("backend", "Commands for managing backend data.")
 	backendCmd.Hidden()
@@ -1148,8 +1154,8 @@ func onSELinuxFileContexts(configPath string) error {
 	if err != nil {
 		return trace.Wrap(err)
 	}
+	fmt.Println(fileContexts)
 
-	fmt.Printf("%s", fileContexts)
 	return nil
 }