
Comments (16)

 avatar commented on July 18, 2024

If I understand correctly from OP, then this does not happen with cp -a. I wonder whether that is because coreutils is built with libselinux whereas Python is not built with SELinux awareness. (As per the container spec, entities linked against libselinux should know what to do and what not to do when selinuxfs is mounted r/o)

from container-selinux.

leiflm avatar leiflm commented on July 18, 2024

If I understand correctly from OP, then this does not happen with cp -a.

correct.


rhatdan avatar rhatdan commented on July 18, 2024

In this container could you run id -Z, to see if the container thinks SELinux is disabled. It looks like Python3 is attempting to do an SELinux action, but it is not supposed to think SELinux is enabled within the container.


leiflm avatar leiflm commented on July 18, 2024

In this container could you run id -Z, to see if the container thinks SELinux is disabled.

# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel

It looks like Python3 is attempting to do an SELinux action, but it is not supposed to think SELinux is enabled within the container.

As mentioned above, this is stock fedora:latest container. Should I be running something different?


leiflm avatar leiflm commented on July 18, 2024

In this container could you run id -Z, to see if the container thinks SELinux is disabled.

# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel

Regarding the reliability of id -Z, I'd like to cite @rhatdan from another bug report here:

Sorry id -Z might be lying to you.
Inside the container do:
cat /proc/self/current/attr

There is a small swapping mistake in the path argument there, yet here we go.

Inside the container:

# cat /proc/self/attr/current 
system_u:system_r:container_t:s0:c189,c689

Outside the container:

$ getenforce 
Enforcing

Yet I'm not really sure what to do with this information. Is Python looking at the wrong info here? I.e. not asking libselinux?


rhatdan avatar rhatdan commented on July 18, 2024

This is what I am thinking. Could you open a bugzilla on Python and add me as a CC. Then we can discuss it with the packagers.


leiflm avatar leiflm commented on July 18, 2024

Thanks for your help here.

Could you open a bugzilla on Python and add me as a CC. Then we can discuss it with the packagers.

https://bugs.python.org/issue38893

I hope the description is correct. If not, feel free to add information or let me know what to change about it.


adelton avatar adelton commented on July 18, 2024

@rhatdan, Is it expected / correct that with rootless podman containers and FUSE, the content of the image inside of the container is labelled with fusefs_t, instead of container_file_t? If the labels were container_file_t, python would likely not try to set the attributes and thus would not do the relabelling.

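To illustrate the point adelton raises about Python trying to set the label attributes, here is an added example (not code from this thread, CPython or podman) of a copy that preserves mode, timestamps and ordinary xattrs but never tries to re-apply the security.selinux label, so a fusefs_t-labelled source does not make the copy fail; the set of skipped xattrs and the tolerated errno values are assumptions of this example.

```python
import errno
import os
import shutil
import stat

# Extended attributes that carry the SELinux label. On the fuse-overlayfs
# backed image discussed in the thread these hold fusefs_t and re-applying
# them on the destination is refused, so this copy leaves them alone.
# Assumption: skipping only the SELinux namespace is enough for this case.
SKIP_XATTRS = frozenset({"security.selinux"})
# Assumption: these errno values mean "this filesystem or label cannot be
# set here", which is a property of the mount and not a bug in the copy.
TOLERATED = {errno.EPERM, errno.EACCES, errno.ENOTSUP, errno.ENODATA, errno.EINVAL}


def should_copy_xattr(name):
    """Keep user.* and other xattrs; never try to relabel the copy."""
    return name not in SKIP_XATTRS


def copy_xattrs(src, dst):
    """Copy xattrs from src to dst except the label; return the names copied."""
    if not hasattr(os, "listxattr"):  # non-Linux Python: no xattr API
        return []
    try:
        names = os.listxattr(src)
    except OSError as exc:
        if exc.errno in TOLERATED:
            return []
        raise
    copied = []
    for name in names:
        if not should_copy_xattr(name):
            continue
        try:
            os.setxattr(dst, name, os.getxattr(src, name))
        except OSError as exc:
            if exc.errno not in TOLERATED:
                raise
        else:
            copied.append(name)
    return copied


def copy_without_relabel(src, dst):
    """Like shutil.copy2, but leaves the destination's SELinux label to policy."""
    shutil.copyfile(src, dst)
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    return copy_xattrs(src, dst)
```

The destination then receives whatever label the mount's context or the file-transition rules assign, which is what cp -a under libselinux ends up relying on as well.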

rhatdan avatar rhatdan commented on July 18, 2024

@giuseppe Could you try to use fuse-overlayfs with a context mount?
context="system_u:system_r:container_file_t:s0:c1,c2"

If this worked we could solve the issue.


adelton avatar adelton commented on July 18, 2024

@rhatdan How can that be done for the / filesystem? I tried to change this rootless container

$ podman run --rm -v /data registry.fedoraproject.org/fedora:31 ls -laZ /data
total 8
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0 4096 Feb 28 14:23 .
drwxr-xr-x. 3 root root system_u:object_r:fusefs_t:s0         4096 Feb 28 14:23 ..

to have container_file_t on the parent (/) directory but --security-opt=label=filetype:container_file_t did not seem to help:

$ podman run --security-opt=label=filetype:container_file_t --rm -v /data registry.fedoraproject.org/fedora:31 ls -laZ /data
total 8
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0 4096 Feb 28 14:25 .
drwxr-xr-x. 3 root root system_u:object_r:fusefs_t:s0         4096 Feb 28 14:25 ..


rhatdan avatar rhatdan commented on July 18, 2024

Rootless containers use a fuse-overlay system for the host image, which basically is labeled fusefs_t. There is no way currently to do what you want.
@giuseppe Does fuse-overlay support a context mount? I am not sure if fuse file systems do this at all.
@adelton The --security-opt is only for process labels, we don't allow users to specify mount_labels directly.


giuseppe avatar giuseppe commented on July 18, 2024

@giuseppe Does fuse-overlay support a context mount? I am not sure if fuse file systems do this at all.

AFAICS, the context= option has no effect with FUSE


rhatdan avatar rhatdan commented on July 18, 2024

@stephensmalley WDYT


stephensmalley avatar stephensmalley commented on July 18, 2024

I'm not sure I follow. The context= mount option is handled by SELinux not by the individual filesystems (the security-related options get extracted from the mount option list by the kernel and fed to the security modules to consume, then the rest go to the filesystem). The context= mount option should work with FUSE just as it does for other filesystems that do not truly support file security labeling, e.g. vfat or nfs < 4.2.


rhatdan avatar rhatdan commented on July 18, 2024

That means in rootless containers we should be mounting the fuse-overlay fs with context_mount of the container.


rhatdan avatar rhatdan commented on July 18, 2024

This issue has nothing to do with container-selinux and cannot be fixed in this repo. Now that the kernel supports rootless overlay mounts, this problem may not exist any longer.

