Comments (8)
Googling shows:
https://www.redhat.com/en/blog/using-container-technology-make-trusted-pipeline
https://danwalsh.livejournal.com/77830.html
from container-selinux.
The problem is the container runtime is not running ranged?
If you take the ifdef out of container.te so that the init_ranged ... always happens, does this change anything?
from container-selinux.
Actually I think the line should be
ifdef(enable_mls',
init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
')
from container-selinux.
Hi, thank you for your help
I tried the following range mls_systemlow - mls_systemhigh with no luck
ifdef(`enable_mls',`
init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, mls_systemlow - mls_systemhigh)
')
from the ausearch log the range looks correct
----
time->Tue Feb 27 22:02:22 2018
type=PROCTITLE msg=audit(1519765342.657:34192): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1519765342.657:34192): arch=c000003e syscall=4 success=yes exit=0 a0=c420113c30 a1=c420141b08 a2=0 a3=0 items=0 ppid=14734 pid=14745 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[2:INIT]" exe="/usr/bin/docker-runc" subj=system_u:system_r:container_runtime_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1519765342.657:34192): avc: denied { getattr } for pid=14745 comm="runc:[2:INIT]" path="/proc/kcore" dev="proc" ino=4026532033 scontext=system_u:system_r:container_runtime_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s15:c0.c1023 tclass=file
----
time->Tue Feb 27 22:02:22 2018
type=PROCTITLE msg=audit(1519765342.662:34193): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1519765342.662:34193): arch=c000003e syscall=165 success=yes exit=0 a0=c420113eb0 a1=c420113ec0 a2=c420113eba a3=1000 items=0 ppid=14734 pid=14745 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[2:INIT]" exe="/usr/bin/docker-runc" subj=system_u:system_r:container_runtime_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1519765342.662:34193): avc: denied { mounton } for pid=14745 comm="runc:[2:INIT]" path="/proc/kcore" dev="proc" ino=4026532033 scontext=system_u:system_r:container_runtime_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s15:c0.c1023 tclass=file
----
I still do not understand why the access is deny despite the full MLS range.
Probably I missed something from the MLS documentation
For additional info:
sesearch --allow -s container_runtime_t -t proc_kcore_t --class file
Found 1 semantic av rules:
allow container_runtime_t proc_type : file { ioctl read getattr lock mounton open } ;
ps -efZ | grep dockerd
system_u:system_r:container_runtime_t:s0-s15:c0.c1023 root 14273 1 0 21:58 ? 00:00:00 /usr/bin/dockerd
from container-selinux.
That is a lot better:
Now I think you need to add
mls_file_read_to_clearance(container_runtime_t)
mls_file_write_to_clearance(container_runtime_t)
from container-selinux.
It works. Thank you very much for your help!
I am closing this issue because I realized that everything you mentioned before is already implemented in the master branch. I will work from that branch from now on.
Let me know if I can help in any way.
from container-selinux.
Thanks, I will write a blog on this. To explain what is happening. If you find anymore issues, please ping me.
from container-selinux.
Thanks, I will write a blog on this. To explain what is happening. If you find anymore issues, please ping me.
did this ever get written?
from container-selinux.
Related Issues (20)
- SELinux blocks ansible from doing DNF updates with the nsenter connection plugin HOT 8
- Branch protection for main branch HOT 3
- gating tests? HOT 2
- iptables-restore cannot read file from inside a container HOT 6
- allow user_u to work with containers HOT 8
- Packit: Use packit for bumping official fedora package HOT 1
- CI: check for long-running relabels HOT 1
- [packit] Propose downstream failed for release v2.213.0 HOT 3
- Issues on Fedora (container-selinux-2.211.1) with container_domain_template HOT 5
- Issue on RHEL with iscsiadm on v2.205 HOT 4
- user_namespace { create } rule not working HOT 11
- Concern with use of dac_override in home_container.cil HOT 3
- `avc: denied { shutdown }` when using socket activation with rootless podman quadlet HOT 3
- dri_device_t cannot be accessed correctly by pods using device plugins. HOT 12
- Add support for `rpm --verify` HOT 2
- container_init_t does not possess ptrace process context HOT 13
- CRI-O CI broken due to SELinux AVC Denials with latest runc (main branch) build HOT 20
- systemd crashes while attempting to start under container_user_r role HOT 11
- /etc/kubernetes filetrans? HOT 1
- container_user_u issues related to `podmansh` HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from container-selinux.