Giter Site home page Giter Site logo

Comments (8)

rhatdan avatar rhatdan commented on July 18, 2024 2

Googling shows:
https://www.redhat.com/en/blog/using-container-technology-make-trusted-pipeline
https://danwalsh.livejournal.com/77830.html

from container-selinux.

rhatdan avatar rhatdan commented on July 18, 2024

The problem is the container runtime is not running ranged?

If you take the ifdef out of container.te so that the init_ranged ... always happens, does this change anything?

from container-selinux.

rhatdan avatar rhatdan commented on July 18, 2024

Actually I think the line should be

ifdef(enable_mls',
init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
')

from container-selinux.

H0neyBadger avatar H0neyBadger commented on July 18, 2024

Hi, thank you for your help
I tried the following range mls_systemlow - mls_systemhigh with no luck

ifdef(`enable_mls',`
        init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, mls_systemlow - mls_systemhigh)
')

from the ausearch log the range looks correct

----
time->Tue Feb 27 22:02:22 2018
type=PROCTITLE msg=audit(1519765342.657:34192): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1519765342.657:34192): arch=c000003e syscall=4 success=yes exit=0 a0=c420113c30 a1=c420141b08 a2=0 a3=0 items=0 ppid=14734 pid=14745 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[2:INIT]" exe="/usr/bin/docker-runc" subj=system_u:system_r:container_runtime_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1519765342.657:34192): avc:  denied  { getattr } for  pid=14745 comm="runc:[2:INIT]" path="/proc/kcore" dev="proc" ino=4026532033 scontext=system_u:system_r:container_runtime_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s15:c0.c1023 tclass=file
----
time->Tue Feb 27 22:02:22 2018
type=PROCTITLE msg=audit(1519765342.662:34193): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1519765342.662:34193): arch=c000003e syscall=165 success=yes exit=0 a0=c420113eb0 a1=c420113ec0 a2=c420113eba a3=1000 items=0 ppid=14734 pid=14745 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[2:INIT]" exe="/usr/bin/docker-runc" subj=system_u:system_r:container_runtime_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1519765342.662:34193): avc:  denied  { mounton } for  pid=14745 comm="runc:[2:INIT]" path="/proc/kcore" dev="proc" ino=4026532033 scontext=system_u:system_r:container_runtime_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_kcore_t:s15:c0.c1023 tclass=file
----

I still do not understand why the access is deny despite the full MLS range.
Probably I missed something from the MLS documentation

For additional info:

sesearch --allow -s container_runtime_t -t proc_kcore_t --class file
Found 1 semantic av rules:
   allow container_runtime_t proc_type : file { ioctl read getattr lock mounton open } ;

ps -efZ | grep dockerd
system_u:system_r:container_runtime_t:s0-s15:c0.c1023 root 14273 1  0 21:58 ? 00:00:00 /usr/bin/dockerd

from container-selinux.

rhatdan avatar rhatdan commented on July 18, 2024

That is a lot better:
Now I think you need to add

mls_file_read_to_clearance(container_runtime_t)
mls_file_write_to_clearance(container_runtime_t)

from container-selinux.

H0neyBadger avatar H0neyBadger commented on July 18, 2024

It works. Thank you very much for your help!
I am closing this issue because I realized that everything you mentioned before is already implemented in the master branch. I will work from that branch from now on.
Let me know if I can help in any way.

from container-selinux.

rhatdan avatar rhatdan commented on July 18, 2024

Thanks, I will write a blog on this. To explain what is happening. If you find anymore issues, please ping me.

from container-selinux.

jamescassell avatar jamescassell commented on July 18, 2024

Thanks, I will write a blog on this. To explain what is happening. If you find anymore issues, please ping me.

did this ever get written?

from container-selinux.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.