Comments (3)
We don't currently enforce SELinux controls in containers over Capabilities, the reason for this is that container engines have their own ability to add and remove capabilities from the container. SELinux policy management for this would be too cumbersome, so we allow other parts of container security to manage it.
We treat this similarly to network access.
from container-selinux.
@rhatdan I'm concerned about that answer for several reasons, all of which revolve around the use of this repository by the community, whether directly via udica
, e.g., or indirectly via browsing this repo to learn best - or at least accepted - practices:
- The default SELinux policies generated by
udica
includedac_override
, which I think we all agree is to be avoided unless absolutely necessary - people attempting to do the right thing for their containers are inadvertently introducing a potential security exposure; - Making
dac_override
an optional policy to be enabled via boolean is not onerous, and forcing container developers/maintainers to set that boolean so at least they acknowledge the potential security hole is not (IMHO, at least) cumbersome; and - If container developers/containers choose to not use
udica
but to develop their own policies, they may well (and I would argue are likely) to visit this repository to learn what the pros are doing - seeingdac_override
baked in leaves a poor impression (one that could be interpreted in two divergent ways: "if the pros say so, it must be good" and "oh, what else did they get wrong?").
You've made the decision to close the issue, essentially as a "won't fix", and I'll respect that decision and leave this closed, I just think we are doing the wrong thing by leaving things as they are.
from container-selinux.
udica can do what it wants. The point being that if I do
podman run --cap-add dac-overide ...
Then there is no simple way to change the SELinux type to allow dac_override.
If a user runs
docker run --cap-drop=dac_override
then you will get the same thing you want, which is the kernel blocking access to dac_override.
With container policy, we are looking to limit the containers access to file systems on a MAC basis.
DAC protections in containers are provided via the capability handling along with User Namespaces.
If SELinux blocked the access then we would need to have different types for each capabilty or combination of capabilities. Which would end up with 32! different types, just for caps. Similarly we would need controlls for network stack.
Since other parts of the kernel support controlling these in a far more flexible manner then SELinux, we rely on those mechanisms to contol.
Writing general purpose policy to be used to control containers forces us to make Goldilocks compromises. Udica should be confined by default, But container-selinux needs to allow for the customization at the container engine.
from container-selinux.
Related Issues (20)
- v2.200.0 doesn't build on f37 HOT 4
- SELinux blocks ansible from doing DNF updates with the nsenter connection plugin HOT 8
- Branch protection for main branch HOT 3
- gating tests? HOT 2
- iptables-restore cannot read file from inside a container HOT 6
- allow user_u to work with containers HOT 8
- Packit: Use packit for bumping official fedora package HOT 1
- CI: check for long-running relabels HOT 1
- [packit] Propose downstream failed for release v2.213.0 HOT 3
- Issues on Fedora (container-selinux-2.211.1) with container_domain_template HOT 5
- Issue on RHEL with iscsiadm on v2.205 HOT 4
- user_namespace { create } rule not working HOT 11
- `avc: denied { shutdown }` when using socket activation with rootless podman quadlet HOT 3
- dri_device_t cannot be accessed correctly by pods using device plugins. HOT 12
- Add support for `rpm --verify` HOT 2
- container_init_t does not possess ptrace process context HOT 13
- CRI-O CI broken due to SELinux AVC Denials with latest runc (main branch) build HOT 20
- systemd crashes while attempting to start under container_user_r role HOT 11
- /etc/kubernetes filetrans? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from container-selinux.