Comments (8)
You can modify the roles available to the staff_u user or create a new user to run as staff_r without sysadm_r, system_r and unconfined_r.
Or better yet create a user record for millerthegorilla which just runs as the staff_r role.
from container-selinux.
BTW, staff_r getting to unconfined_r is a risk, but you still need to use a setuid program like sudo to get to a different type. staff_t cannot easily transition to unconfined_t.
from container-selinux.
Thanks for the reply.
I have managed to use selinux for an alternative treatment of the same problem, one not using containers, so I am beginning to find my way through. However, I want to use containerised microservices for a site I am creating, and am going to want to lock down the containers as much as possible.
I have tried using udica, and experience this issue - containers/udica#8 - it looks unlikely that libsepol is going to be updated to address this, and I am scratching my head as to why udica isn't updated to name the resulting type without special characters etc.
I have one question though. I have been reading and reading, and cannot seem to locate the docs regarding the editing of roles. I figure that I can copy an existing role and then edit it, but am uncertain as to whether this is done entirely through policy updates or whether there is a ground zero creation of a role. If you could supply me with a reference re creation or editing of roles, I would be extremely grateful.
Thanks for all your help
from container-selinux.
I would not edit roles. If your goal is to create a user on a system that can't reach a role, you can define that as a user.
sh-5.2# semanage user -a -R staff_r -r s0-s0:c0.c1023 container_u
sh-5.2# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

container_u     user       s0         s0-s0:c0.c1023                 staff_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0-s0:c0.c1023                 user_r
xguest_u        user       s0         s0                             xguest_r
# useradd testu
# semanage login -a -s container_u testu
Now if you log in as testu, you are in the staff_r role, but cannot switch to any other role.
from container-selinux.
That's great, thanks, but I don't want to use staff_r, as it includes a massive amount of domains, in comparison to the domains I actually want to use, so I would prefer to create a new role, or copy an existing role and edit it.
role staff_r types { abrt_helper_t alsa_home_t antivirus_home_t audio_home_t auth_home_t bluetooth_helper_t bootloader_t cache_home_t cdrecord_t chfn_t chkpwd_t chrome_sandbox_home_t chrome_sandbox_nacl_t chrome_sandbox_t chronyc_t config_home_t container_home_t container_init_t container_kvm_t container_runtime_t container_t container_userns_t cronjob_t crontab_t cvs_home_t data_home_t dbus_home_t ddclient_t exim_t fetchmail_home_t freqset_t fsadm_t gconf_home_t gconfd_t git_session_t git_user_content_t gkeyringd_gnome_home_t gnome_home_t gpg_agent_t gpg_helper_t gpg_pinentry_t gpg_secret_t gpg_t groupadd_t gstreamer_home_t hddtemp_t home_bin_t home_cert_t httpd_user_script_t icc_data_home_t iceauth_home_t iceauth_t ifconfig_t iotop_t iptables_t irc_home_t irc_t irc_tmp_t irssi_home_t irssi_t journalctl_t kismet_home_t kmod_t kpatch_t krb5_home_t load_policy_t loadkeys_t local_login_home_t lpr_t lvm_t mail_home_rw_t mail_home_t mailman_mail_t mandb_home_t mock_build_t mock_t mount_t mozilla_home_t mozilla_plugin_config_t mozilla_plugin_t mpd_home_t mpd_user_data_t mplayer_home_t mysqld_home_t namespace_init_t newrole_t nscd_t ntpd_t obex_t oddjob_mkhomedir_t oddjob_t openshift_initrc_t openshift_var_lib_t pam_console_t pam_timestamp_t passwd_t ping_t policykit_auth_t policykit_grant_t polipo_cache_home_t polipo_config_home_t polipo_session_t postfix_postdrop_t postfix_postqueue_t pppd_t procmail_home_t ptchown_t pulseaudio_home_t pulseaudio_t qmail_inject_t qmail_queue_t rlogind_home_t rpcd_t rpm_script_t rpm_t rssh_ro_t rssh_rw_t sandbox_file_t sandbox_min_client_t sandbox_min_t sandbox_net_client_t sandbox_net_t sandbox_web_client_t sandbox_web_t sandbox_x_client_t sandbox_x_t sandbox_xserver_t screen_home_t semanage_t sepgsql_ranged_proc_t sepgsql_trusted_proc_t setfiles_t setsebool_t smbmount_t spamc_home_t speech_dispatcher_home_t ssh_home_t ssh_t sssd_t staff_consolehelper_t staff_dbusd_t staff_gkeyringd_t staff_screen_t staff_seunshare_t staff_ssh_agent_t staff_sudo_t staff_t staff_wine_t svirt_home_t svirt_socket_t svirt_t svirt_tcg_t system_mail_t systemd_home_t targetclid_home_t telepathy_cache_home_t telepathy_data_home_t telepathy_gabble_cache_home_t telepathy_gabble_t telepathy_idle_t telepathy_logger_cache_home_t telepathy_logger_data_home_t telepathy_logger_t telepathy_mission_control_cache_home_t telepathy_mission_control_data_home_t telepathy_mission_control_home_t telepathy_mission_control_t telepathy_msn_t telepathy_salut_t telepathy_sofiasip_t telepathy_stream_engine_t telepathy_sunshine_home_t telepathy_sunshine_t texlive_home_t thumb_home_t thumb_t traceroute_t tvtime_home_t udev_t uml_ro_t uml_rw_t updpwd_t user_fonts_cache_t user_fonts_config_t user_fonts_t user_home_dir_t user_home_t user_mail_t user_tmp_t useradd_t utempter_t virt_bridgehelper_t virt_content_t virt_home_t vlock_t vmtools_helper_t vmtools_t vmware_conf_t vmware_file_t wine_home_t wireshark_home_t wireshark_t xauth_home_t xauth_t xdm_home_t xserver_t };
I want a role that only has domains pertaining to container usage, and maybe a few others. I definitely don't want to allow sudo or any other privilege escalation, as it kind of defeats the use of rootless containers via podman, but I haven't been able to find information or tutorials/references pertaining to the editing or creation of new roles.
from container-selinux.
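The two comments above describe the chain that actually decides what a confined login can do: the Linux login maps to an SELinux user (`semanage login`), the SELinux user is allowed a set of roles (`semanage user`), and each role authorises a set of types (`seinfo -r<role> -x`). The script below is an added example, not code from the thread or from container-selinux. It parses the captured text output of those three commands and reports, for a given login, which roles it can reach, whether any of them is one of the escalation roles the thread worries about (sysadm_r, system_r, unconfined_r), and how many types that role set hands out. The `semanage user -l` sample is the listing from the thread; the `semanage login -l` sample and the shortened role listings are constructed here so the example runs offline. The data-row detection keys on the MLS column starting with `s<digit>`, which is an assumption about the tabular format rather than a documented contract.

```python
"""Audit which SELinux roles, and therefore which domains, a Linux login can reach.

Added example (not from the thread or the container-selinux project). It follows
login -> SELinux user -> roles -> types using the captured output of
`semanage login -l`, `semanage user -l` and `seinfo -r<role> -x`.
"""
import re
from typing import Dict, Set

# Roles the thread treats as a privilege-escalation path for a confined user.
PRIVILEGED_ROLES = {"sysadm_r", "system_r", "unconfined_r"}

# --- constructed sample output -------------------------------------------------
# Login map: made up for this example (testu is the user created in the thread).
SEMANAGE_LOGIN_L = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
testu                container_u          s0-s0:c0.c1023       *
"""

# SELinux user listing: the `semanage user -l` output shown in the thread.
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

container_u     user       s0         s0-s0:c0.c1023                 staff_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0-s0:c0.c1023                 user_r
xguest_u        user       s0         s0                             xguest_r
"""

# Role listings: shortened to a handful of types each; the real staff_r list in
# the thread is far longer.
SEINFO_ROLES = """\
Roles: 3
   role staff_r types { container_runtime_t container_t staff_sudo_t staff_t user_home_t };
   role unconfined_r types { unconfined_t };
   role user_r types { container_runtime_t container_t user_home_t user_t };
"""

# Assumption: a data row is recognised by an MLS level/range field ("s0", "s0-s0:c0.c1023").
_MLS = re.compile(r"s\d+")


def parse_logins(text: str) -> Dict[str, str]:
    """Map Linux login names to SELinux users from `semanage login -l` output."""
    logins = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows carry the MLS/MCS range in the third column; header lines do not.
        if len(fields) >= 3 and _MLS.match(fields[2]):
            logins[fields[0]] = fields[1]
    return logins


def parse_seusers(text: str) -> Dict[str, Set[str]]:
    """Map SELinux users to the roles they may enter, from `semanage user -l` output."""
    seusers = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows: name, prefix, level, range, then one or more roles.
        if len(fields) >= 5 and _MLS.match(fields[2]) and _MLS.match(fields[3]):
            seusers[fields[0]] = set(fields[4:])
    return seusers


def parse_role_types(text: str) -> Dict[str, Set[str]]:
    """Map roles to their authorised types from `seinfo -r<role> -x` output."""
    role_types = {}
    for m in re.finditer(r"role\s+(\w+)\s+types\s*\{([^}]*)\}", text):
        role_types[m.group(1)] = set(m.group(2).split())
    return role_types


def audit_login(login, logins_text=SEMANAGE_LOGIN_L, users_text=SEMANAGE_USER_L,
                roles_text=SEINFO_ROLES):
    """Resolve a login to its SELinux user, reachable roles and reachable types."""
    logins = parse_logins(logins_text)
    seusers = parse_seusers(users_text)
    role_types = parse_role_types(roles_text)
    # A login without an explicit mapping falls back to the __default__ entry.
    seuser = logins.get(login, logins.get("__default__"))
    roles = seusers.get(seuser, set())
    types = set().union(*(role_types.get(r, set()) for r in roles))
    return {
        "seuser": seuser,
        "roles": roles,
        "privileged_roles": roles & PRIVILEGED_ROLES,
        "types": types,
    }


if __name__ == "__main__":
    for name in ("testu", "root"):
        report = audit_login(name)
        print(f"{name}: seuser={report['seuser']} roles={sorted(report['roles'])} "
              f"privileged={sorted(report['privileged_roles'])} "
              f"types={len(report['types'])}")
```

Run against real output (for example `audit_login("testu", open("login.txt").read(), ...)` with the three captures) it confirms the property the comment claims for testu: one role, no escalation role, and exactly the staff_r type set. Swapping in the full staff_r listing from the thread makes the size of that type set, which is the asker's objection to staff_r, visible as a number rather than a wall of text.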
Then you would need to write a new role, say a container_r role, and allow it the container_domain types.
from container-selinux.
user_r has lots of types assigned to it as well.
$ seinfo -ruser_r -x
Roles: 1
role user_r types { abrt_helper_t alsa_home_t antivirus_home_t audio_home_t auth_home_t bluetooth_helper_t cache_home_t cdrecord_t chfn_t chkpwd_t chrome_sandbox_home_t chrome_sandbox_nacl_t chrome_sandbox_t chronyc_t config_home_t container_home_t container_init_t container_kvm_t container_runtime_t container_t container_userns_t cronjob_t crontab_t cvs_home_t data_home_t dbus_home_t ddclient_t exim_t fetchmail_home_t fsadm_t gconf_home_t gconfd_t git_session_t git_user_content_t gkeyringd_gnome_home_t gnome_home_t gpg_agent_t gpg_helper_t gpg_pinentry_t gpg_secret_t gpg_t gstreamer_home_t home_bin_t home_cert_t httpd_user_script_t icc_data_home_t iceauth_home_t iceauth_t irc_home_t irc_t irc_tmp_t irssi_home_t irssi_t journalctl_t kismet_home_t kmod_t krb5_home_t loadkeys_t local_login_home_t lpr_t lvm_t mail_home_rw_t mail_home_t mailman_mail_t mandb_home_t mount_t mozilla_home_t mozilla_plugin_config_t mozilla_plugin_t mpd_home_t mpd_user_data_t mplayer_home_t mysqld_home_t namespace_init_t newrole_t nscd_t obex_t oddjob_mkhomedir_t oddjob_t openshift_var_lib_t pam_timestamp_t passwd_t ping_t policykit_auth_t policykit_grant_t polipo_cache_home_t polipo_config_home_t polipo_session_t postfix_postdrop_t postfix_postqueue_t pppd_t procmail_home_t ptchown_t pulseaudio_home_t pulseaudio_t qm_container_init_t qm_container_kvm_t qmail_inject_t qmail_queue_t rlogind_home_t rpcd_t rssh_ro_t rssh_rw_t sandbox_file_t sandbox_min_client_t sandbox_min_t sandbox_net_client_t sandbox_net_t sandbox_web_client_t sandbox_web_t sandbox_x_client_t sandbox_x_t sandbox_xserver_t screen_home_t setfiles_t smbmount_t snappy_home_t spamc_home_t speech_dispatcher_home_t ssh_home_t ssh_t svirt_home_t svirt_socket_t svirt_t svirt_tcg_t systemd_home_t targetclid_home_t telepathy_cache_home_t telepathy_data_home_t telepathy_gabble_cache_home_t telepathy_gabble_t telepathy_idle_t telepathy_logger_cache_home_t telepathy_logger_data_home_t telepathy_logger_t telepathy_mission_control_cache_home_t telepathy_mission_control_data_home_t telepathy_mission_control_home_t telepathy_mission_control_t telepathy_msn_t telepathy_salut_t telepathy_sofiasip_t telepathy_stream_engine_t telepathy_sunshine_home_t telepathy_sunshine_t texlive_home_t thumb_home_t thumb_t traceroute_t tvtime_home_t uml_ro_t uml_rw_t updpwd_t user_dbusd_t user_fonts_cache_t user_fonts_config_t user_fonts_t user_gkeyringd_t user_home_dir_t user_home_t user_mail_t user_screen_t user_seunshare_t user_ssh_agent_t user_t user_tmp_t user_wine_t utempter_t virt_bridgehelper_t virt_content_t virt_home_t vlock_t vmtools_helper_t vmtools_t vmware_conf_t vmware_file_t wine_home_t wireshark_home_t xauth_home_t xauth_t xdm_home_t };
Defining a container_r and a container_user_t to allow them to log in and run containers would be an interesting use case.
from container-selinux.
I believe this can be done now.
from container-selinux.