Comments (14)
lsm5
commented on July 18, 2024
@rhatdan @wrabcak I don't see fs_rw_nsfs_files defined anywhere /usr/share/selinux/devel/include with selinux-policy-3.13.1-93.el7.noarch. Is that the right reason for this issue?
from container-selinux.
rhatdan
commented on July 18, 2024
Yes we need an updated version of selinux-policy with that interface, or we need to carry it ourselves.
from container-selinux.
rhatdan
commented on July 18, 2024
@wrabcak Could you fix this?
from container-selinux.
lsm5
commented on July 18, 2024
@rhatdan is this something I could just include in docker.if or another interface file in docker-selinux ? Might be a much quicker fix than spinning up a new selinux-policy?
from container-selinux.
lsm5
commented on July 18, 2024
@rhatdan @wrabcak I added lsm5@e543d2e and now it's erroring out syntax error at token 'virt_stub_svirt_sandbox_file'. Seems like I don't hit the original issue anymore, so let me know if it's ok to proceed.
from container-selinux.
ssekidde
commented on July 18, 2024
@lsm5 that stub interface is missing as well in RHEL7 and needs to be added.
from container-selinux.
lsm5
commented on July 18, 2024
@ssekidde hi, RE: nsfs I just copied that over from tracefs that I found in kernel/filsystems.if, but not sure how to proceed with stub interface. Could you please add them both in selinux-policy and update the rpm, docker 7.3 builds are blocked on this currently
from container-selinux.
ssekidde
commented on July 18, 2024
@lsm5 both interfaces will have to be added by @wrabcak in selinux-policy. Does a BZ exist?
For testing purposes see if you can try to add this to docker.if
interface(virt_stub_svirt_sandbox_file',
gen_require(`
type svirt_sandbox_file_t;
')
')
from container-selinux.
lsm5
commented on July 18, 2024
On Thu, Sep 01, 2016 at 11:59:07AM -0700, Simon Sekidde wrote:
@lsm5 both interfaces will have to be added by @wrabcak in selinux-policy. Does a BZ exist?
For testing purposes see if you can try to add this to docker.if########################################
svirt_sandbox_file_t stub interface. No access allowed.
Domain allowed access.
interface(
virt_stub_svirt_sandbox_file',
gen_require(`
type svirt_sandbox_file_t;
')
')
Dan added a temporary fix for this in docker-selinux itself. I'll file a bz
for selinux-policy.
Lokesh
Freenode: lsm5
GPG: 0xC7C3A0DD
from container-selinux.
rhatdan
commented on July 18, 2024
Yes we can just hack the docker.te until we have these interfaces in the selinux-policy package.
from container-selinux.
wrabcak
commented on July 18, 2024
Sorry for delay. Problem here is quite bigger. We don't have labeling for nsfs filesystem in rhel-7.3. @lsm5 could you create BZ to add this interface to selinux-policy on rhel-7.3 ? I assume this is blocker for you guys.
Thanks.
from container-selinux.
rhatdan
commented on July 18, 2024
@wrabcak We worked around it by embedding the code into docker.te. We actually need to interfaces to remove this hack.
45be230
from container-selinux.
lsm5
commented on July 18, 2024
@wrabcak https://bugzilla.redhat.com/show_bug.cgi?id=1372705
from container-selinux.
rhatdan
commented on July 18, 2024
Fixed in current release.
from container-selinux.
Related Issues (20)
- SELinux blocks ansible from doing DNF updates with the nsenter connection plugin HOT 8
- Branch protection for main branch HOT 3
- gating tests? HOT 2
- iptables-restore cannot read file from inside a container HOT 6
- allow user_u to work with containers HOT 8
- Packit: Use packit for bumping official fedora package HOT 1
- CI: check for long-running relabels HOT 1
- [packit] Propose downstream failed for release v2.213.0 HOT 3
- Issues on Fedora (container-selinux-2.211.1) with container_domain_template HOT 5
- Issue on RHEL with iscsiadm on v2.205 HOT 4
- user_namespace { create } rule not working HOT 11
- Concern with use of dac_override in home_container.cil HOT 3
- `avc: denied { shutdown }` when using socket activation with rootless podman quadlet HOT 3
- dri_device_t cannot be accessed correctly by pods using device plugins. HOT 12
- Add support for `rpm --verify` HOT 2
- container_init_t does not possess ptrace process context HOT 13
- CRI-O CI broken due to SELinux AVC Denials with latest runc (main branch) build HOT 20
- systemd crashes while attempting to start under container_user_r role HOT 11
- /etc/kubernetes filetrans? HOT 1
- container_user_u issues related to `podmansh` HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from container-selinux.