Comments (16)
If I understand correctly from OP, then this does not happen with cp -a. I wonder whether that is because coreutils is built with libselinux whereas python is not built with selinux awareness. (As per the container spec, entities linked against libselinux should know what to do and what not to do when selinuxfs is mounted r/o)
from container-selinux.
If I understand correctly from OP, then this does not happen with cp -a.
correct.
In this container could you run id -Z, to see if the container thinks SELinux is disabled. It looks like Python3 is attempting to do an SELinux action, but it is not supposed to think SELinux is enabled within the container.
In this container could you run id -Z, to see if the container thinks SELinux is disabled.
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
It looks like Python3 is attempting to do an SELinux action, but it is not supposed to think SELinux is enabled within the container.
As mentioned above, this is a stock fedora:latest container. Should I be running something different?
In this container could you run id -Z, to see if the container thinks SELinux is disabled.
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
Regarding the reliability of id -Z, I'd like to cite @rhatdan from another bug report here:
Sorry id -Z might be lying to you.
Inside the container do:
cat /proc/self/current/attr
There is a small swapping mistake in the path argument there, yet here we go.
Inside the container:
# cat /proc/self/attr/current
system_u:system_r:container_t:s0:c189,c689
Outside the container:
$ getenforce
Enforcing
Yet I'm not really sure what to do with this information. Is Python looking at the wrong info here? I.e. not asking libselinux?
This is what I am thinking. Could you open a bugzilla on Python and add me as a CC. Then we can discuss it with the packagers.
Thanks for your help here.
Could you open a bugzilla on Python and add me as a CC. Then we can discuss it with the packagers.
https://bugs.python.org/issue38893
I hope the description is correct. If not, feel free to add information or let me know what to change about it.
@rhatdan, Is it expected / correct that with rootless podman containers and FUSE, the content of the image inside of the container is labelled with fusefs_t, instead of container_file_t? If the labels were container_file_t, python would likely not try to set the attributes and thus would not do the relabelling.
@giuseppe Could you try to use fuse-overlayfs with a context mount?
context="system_u:system_r:container_file_t:s0:c1,c2"
If this worked we could solve the issue.
@rhatdan How can that be done for the / filesystem? I tried to change this rootless container
$ podman run --rm -v /data registry.fedoraproject.org/fedora:31 ls -laZ /data
total 8
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0 4096 Feb 28 14:23 .
drwxr-xr-x. 3 root root system_u:object_r:fusefs_t:s0 4096 Feb 28 14:23 ..
to have container_file_t on the parent (/) directory but --security-opt=label=filetype:container_file_t did not seem to help:
$ podman run --security-opt=label=filetype:container_file_t --rm -v /data registry.fedoraproject.org/fedora:31 ls -laZ /data
total 8
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0 4096 Feb 28 14:25 .
drwxr-xr-x. 3 root root system_u:object_r:fusefs_t:s0 4096 Feb 28 14:25 ..
Rootless containers use a fuse-overlay system for the host image, which basically is labeled fusefs_t. There is no way currently to do what you want.
@giuseppe Does fuse-overlay support a context mount? I am not sure if fuse file systems do this at all.
@adelton The --security-opt is only for process labels, we don't allow users to specify mount_labels directly.
@giuseppe Does fuse-overlay support a context mount? I am not sure if fuse file systems do this at all.
AFAICS, the context= option has no effect with FUSE
@stephensmalley WDYT
I'm not sure I follow. The context= mount option is handled by SELinux not by the individual filesystems (the security-related options get extracted from the mount option list by the kernel and fed to the security modules to consume, then the rest go to the filesystem). The context= mount option should work with FUSE just as it does for other filesystems that do not truly support file security labeling, e.g. vfat or nfs < 4.2.
That means in rootless containers we should be mounting the fuse-overlay fs with context_mount of the container.
This issue has nothing to do with container-selinux and can not be fixed in this repo. Now that the kernel supports rootless overly mounts, this problem may not exist any longer.
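The thread above turns on one question: should a file copier inside a container propagate the security.selinux xattr at all when, from the process's point of view, SELinux looks disabled (id -Z says so, selinuxfs is absent or read-only) while the files it touches carry fusefs_t labels it may not set? The following is an added example, not code from the container-selinux project, Python, coreutils or the linked Python bug: it reads the process context from /proc/self/attr/current (the check @rhatdan suggested), splits it into user/role/type/level, uses a deliberately simplified stand-in for libselinux's is_selinux_enabled() (the "selinuxfs exposes enforce" heuristic is an assumption, not libselinux's exact logic), and copies xattrs the way a libselinux-aware cp -a ends up behaving: security.selinux is skipped when SELinux is not usable, and a refused relabel on security.* is non-fatal while any other xattr error still propagates.

```python
"""Added example: SELinux-aware xattr copying inside a container (stdlib only)."""
import errno
import os

# errno.ENOTSUP is available on Linux; fall back to EOPNOTSUPP elsewhere.
_ENOTSUP = getattr(errno, "ENOTSUP", getattr(errno, "EOPNOTSUPP", 95))


def process_context(path="/proc/self/attr/current"):
    """Return the caller's SELinux context, e.g.
    'system_u:system_r:container_t:s0:c189,c689', or None if the kernel exposes none."""
    try:
        with open(path, "rb") as f:
            ctx = f.read().rstrip(b"\0\n").decode()
    except OSError:
        return None
    return ctx or None


def parse_context(ctx):
    """Split a context string into its user, role, type and MLS/MCS level fields."""
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return {"user": user, "role": role, "type": type_, "level": level}


def selinux_usable(selinuxfs="/sys/fs/selinux"):
    """Simplified stand-in (assumption) for libselinux's is_selinux_enabled():
    SELinux is usable only when selinuxfs is mounted and exposes a policy.
    In a container selinuxfs is usually absent or read-only, which is why
    id -Z reports 'works only on an SELinux-enabled kernel' there."""
    return os.path.isfile(os.path.join(selinuxfs, "enforce"))


def should_copy_xattr(name, selinux_enabled):
    """security.selinux is a label, not data: propagate it only when the process
    can legitimately relabel; otherwise leave the destination with the label
    the filesystem assigns (fusefs_t on a rootless fuse-overlayfs mount)."""
    if name == "security.selinux":
        return bool(selinux_enabled)
    return True


def copy_xattrs(src, dst, selinux_enabled=None):
    """Copy extended attributes from src to dst. Returns (copied, skipped)."""
    if selinux_enabled is None:
        selinux_enabled = selinux_usable()
    copied, skipped = [], []
    try:
        names = os.listxattr(src)
    except OSError as exc:
        # Filesystems without xattr support: nothing to copy.
        if exc.errno in (_ENOTSUP, errno.ENODATA, errno.EINVAL):
            return copied, skipped
        raise
    for name in names:
        if not should_copy_xattr(name, selinux_enabled):
            skipped.append(name)
            continue
        try:
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
        except OSError as exc:
            # A refused relabel (EPERM/EACCES) or unsupported namespace is
            # non-fatal for security.*; anything else is a real copy error.
            if name.startswith("security.") and exc.errno in (
                errno.EPERM, errno.EACCES, _ENOTSUP, errno.EINVAL,
            ):
                skipped.append(name)
            else:
                raise
    return copied, skipped


if __name__ == "__main__":
    ctx = process_context()
    print("process context:", ctx)
    print("parsed:", parse_context(ctx) if ctx else None)
    print("selinuxfs usable:", selinux_usable())
```

Run inside the container from the thread and this prints the container_t context from /proc/self/attr/current next to "selinuxfs usable: False", which is exactly the split that confuses a copier checking only one of the two signals; the copy then leaves security.selinux alone instead of attempting the relabel that produced the original error.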