Comments (11)
BTW I am not sure why you think centos-stream is not good for downstream use. But I don't feel like debating that here.
https://medium.com/@gordon.messmer/in-favor-of-centos-stream-e5a8a43bdcf8
from container-selinux.
Could you comment out those two lines and see if it works? (You probably need to comment out a line in container-selinux.fc as well, the one that uses that type.)
from container-selinux.
Endless errors follow...
container.te:148:ERROR 'syntax error' at token 'userdom_admin_home_dir_filetrans' on line 9463:
userdom_admin_home_dir_filetrans(container_runtime_t, container_home_t, dir, ".container")
container.te:219:ERROR 'syntax error' at token 'term_use_all_inherited_terms' on line 10294:
term_use_all_inherited_terms(container_runtime_t)
container.te:226:ERROR 'syntax error' at token 'kernel_read_all_proc' on line 10555:
kernel_read_all_proc(container_runtime_t)
....
from container-selinux.
Yup, the Fedora Policy has diverged a lot from the upstream policy and it is very difficult to merge them back together. I would comment out all of the container_runtime_t conflicts and just make the container_runtime_t an unconfined domain.
Conflicts on the container_t and container_domain might be more difficult.
from container-selinux.
@qiancai I would also consider shipping the Fedora variant of the policy for Debian, as it's likely to be much more functional across the board. I'm currently working on using it in openSUSE and it wasn't terribly difficult to do so...
from container-selinux.
Would it help to have an openSUSE branch?
from container-selinux.
I have not heard anything on this in many months, closing.
from container-selinux.
Thought I'd take a quick look to see if this has become any easier or more difficult. Currently I get:
$ make
make -f /usr/share/selinux/devel/Makefile container.pp
make[1]: Entering directory '/tmp/container-selinux'
Compiling default container module
m4:container.te:192: Warning: corenet_tcp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:193: Warning: corenet_udp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:362: Warning: corenet_tcp_sendrecv_generic_port(container_runtime_domain) has been deprecated, please remove.
m4:container.te:368: Warning: corenet_udp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:739: Warning: corenet_tcp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:1008: Warning: dev_mounton_sysfs(container_t) has been deprecated, please use dev_mounton_sysfs_dirs() instead.
m4:container.te:1046: Warning: corenet_tcp_sendrecv_all_ports(container_net_domain) has been deprecated, please remove.
m4:container.te:1047: Warning: corenet_udp_sendrecv_all_ports(container_net_domain) has been deprecated, please remove.
m4:container.te:1187: Warning: dev_mounton_sysfs(container_userns_t) has been deprecated, please use dev_mounton_sysfs_dirs() instead.
m4:container.te:1194: Warning: kernel_mounton_proc(container_userns_t) has been deprecated, please use kernel_mounton_proc_dirs() instead.
m4:container.te:1334: Warning: kernel_mounton_proc(container_kvm_t) has been deprecated, please use kernel_mounton_proc_dirs() instead.
m4:container.te:1362: Warning: dev_mounton_sysfs(container_init_domain) has been deprecated, please use dev_mounton_sysfs_dirs() instead.
m4:container.te:1370: Warning: kernel_mounton_proc(container_init_t) has been deprecated, please use kernel_mounton_proc_dirs() instead.
m4:container.te:1411: Warning: kernel_mounton_proc(container_engine_t) has been deprecated, please use kernel_mounton_proc_dirs() instead.
container.te:65:ERROR 'syntax error' at token 'kernel_read_all_proc' on line 4101:
#line 65
kernel_read_all_proc(container_runtime_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[1]: *** [/usr/share/selinux/devel/include/Makefile:166: tmp/container.mod] Error 1
make[1]: Leaving directory '/tmp/container-selinux'
make: *** [Makefile:16: container.pp] Error 2
So there are fewer errors than before, but the use of kernel_read_all_proc is still a problem.
from container-selinux.
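The advice in this thread (comment out the calls to interfaces the base policy does not define, and drop or rename the ones m4 flags as deprecated) is a mechanical edit, so here is an added POSIX shell example that does it from the checkmodule/m4 output. It is not part of container-selinux or any distribution's packaging; the file names (`container.te`, `build.log`), the `.te` fragment and the log lines in `write_sample` are constructed for illustration, and the script assumes the build output has exactly the `ERROR 'syntax error' at token '...'` and `Warning: ...(...) has been deprecated, please ...` shapes quoted above.

```shell
#!/bin/sh
# Added example, not project code: patch a container.te against the errors and
# warnings its build produced on a refpolicy-based system (Debian, openSUSE).
set -eu

# write_sample DIR: constructed inputs (a container.te fragment and the build
# output it would produce); shaped after the messages quoted in the thread.
write_sample() {
    cat > "$1/container.te" <<'EOF'
policy_module(container, 2.0.0)

type container_runtime_t;
attribute container_runtime_domain;

    kernel_read_all_proc(container_runtime_t)
    term_use_all_inherited_terms(container_runtime_t)
    corenet_tcp_sendrecv_all_ports(container_runtime_domain)
    dev_mounton_sysfs(container_t)
allow container_runtime_t self:process setfscreate;
EOF
    cat > "$1/build.log" <<'EOF'
m4:container.te:192: Warning: corenet_tcp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:1008: Warning: dev_mounton_sysfs(container_t) has been deprecated, please use dev_mounton_sysfs_dirs() instead.
container.te:65:ERROR 'syntax error' at token 'kernel_read_all_proc' on line 4101:
container.te:219:ERROR 'syntax error' at token 'term_use_all_inherited_terms' on line 10294:
EOF
}

# missing_interfaces LOG: interface names checkmodule rejected as unknown
# tokens, i.e. interfaces the installed base policy does not define.
missing_interfaces() {
    sed -n "s/.*ERROR 'syntax error' at token '\([A-Za-z0-9_]*\)'.*/\1/p" "$1" | sort -u
}

# removed_interfaces LOG: interfaces m4 flagged "deprecated, please remove".
removed_interfaces() {
    sed -n 's/.*Warning: \([A-Za-z0-9_]*\)(.*) has been deprecated, please remove.*/\1/p' "$1" | sort -u
}

# renamed_interfaces LOG: "OLD NEW" pairs from "please use NEW() instead".
renamed_interfaces() {
    sed -n 's/.*Warning: \([A-Za-z0-9_]*\)(.*) has been deprecated, please use \([A-Za-z0-9_]*\)() instead.*/\1 \2/p' "$1" | sort -u
}

# comment_out_call TE NAME: prefix every call to NAME with '#', keeping indentation.
comment_out_call() {
    sed "s/^\([[:space:]]*\)\($2(.*\)$/\1#\2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# rename_call TE OLD NEW: rewrite calls to OLD as calls to NEW.
rename_call() {
    sed "s/^\([[:space:]]*\)$2(/\1$3(/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# patch_from_log LOG TE: apply all three fixes in place, keep TE.orig for
# review, and print how many lines were changed.
patch_from_log() {
    log=$1; te=$2
    cp "$te" "$te.orig"
    for name in $(missing_interfaces "$log") $(removed_interfaces "$log"); do
        comment_out_call "$te" "$name"
    done
    renamed_interfaces "$log" | while read -r old new; do
        rename_call "$te" "$old" "$new"
    done
    diff "$te.orig" "$te" | grep -c '^>' || true
}

# Stand-alone demo on the constructed sample: `sh patch_te.sh demo`
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample "$d"
    echo "changed lines: $(patch_from_log "$d/build.log" "$d/container.te")"
    diff "$d/container.te.orig" "$d/container.te" || true
fi
```

Run `make 2>&1 | tee build.log` and then `patch_from_log build.log container.te`; in practice checkmodule stops at the first syntax error, so expect to repeat the cycle until the module builds. Review the generated `container.te.orig` diff before loading the module: every commented-out interface call is a permission `container_runtime_t` no longer gets, so a container runtime that relied on it will show up as AVC denials in the audit log rather than as a build error, which is the tighter (and reviewable) failure mode compared with making the domain unconfined.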
Same error on Debian 12. With Red Hat's move to signal the beginning of the end of all downstream RHEL projects, combined with the infeasible nature of CentOS Stream and/or Fedora as usable environments for professional use => small organisations that are unable to pay for RHEL subscriptions are essentially forced to turn to Debian as an alternative, but container-selinux will need to be available on Debian for that to be possible. SELinux is a must for proper security.
Any chance for container-selinux to take Debian into account in the near future?
Edit: it seems a valiant expert has already found the solution. Happy days!
from container-selinux.
container-selinux is built on top of fedora/selinux-policy. So debian would need to pull in fedora/selinux-policy and container-selinux.
from container-selinux.
@rhatdan thanks for the reply and the link; a good read and many interesting points.
I was however not trying to start a debate, nor did I make a judgement on suitability for downstream use (or a judgement on the decisions of RH leading up to the questions some in the community now have). I instead mentioned suitability for production use, primarily based on Red Hat's own posts, i.e. this one. It would be great if all the various communities could make it all work out so that small organisations can enjoy a top tier IT infrastructure foundation while they grow their activities and become paying RH customers when they are able.
In the face of insecurity on that front however, it doesn't hurt to play it safe and look for viable alternatives. As both a RH and Debian user since the early 90s, I recognise and appreciate the tremendous contributions made by both and make no judgement; just looking for a way to have SELinux secured container hosts in relative peace and quiet.
Luckily it seems that refpolicy has a workable solution as pointed out by @yrro. Still need to test it with MLS, but outlook is good. May we all enjoy and contribute if we can to FOSS, OCI and others in harmony.
Apologies for my earlier somewhat nervous post.
from container-selinux.