Miscellaneous fixes for running Podman as a confined user #383
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1631,3 +1631,43 @@ tunable_policy(`deny_ptrace',`',` | |
| # netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it. | ||
| # https://issues.redhat.com/browse/RHEL-91380 | ||
| files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d") | ||
|
|
||
| # Needed for "bootc status" to work (via sudo) as a confined user. | ||
| gen_require(` | ||
| attribute_role install_roles; | ||
| type sysadm_t; | ||
| ') | ||
|
|
||
| roleattribute sysadm_r install_roles; | ||
| allow sysadm_t install_t:process transition; | ||
| type_transition sysadm_t install_exec_t:process install_t; | ||
|
Comment on lines
+1642
to
+1643
There was a problem hiding this comment. The transition to If There was a problem hiding this comment. Yuck, but I am fine with allowing this. |
||
|
|
||
| # Needed to be able to build an rpm-ostree/bootc image, inside of a container | ||
| # ran by a confined user. | ||
| allow container_t container_ro_file_t:dir watch; | ||
| allow container_t devpts_t:filesystem mount; | ||
| allow container_t proc_t:filesystem mount; | ||
| allow container_t tmpfs_t:filesystem remount; | ||
|
Comment on lines
+1648
to
+1650
There was a problem hiding this comment. Granting Consider if these permissions can be narrowed:
While user namespaces in rootless containers mitigate some host-level risks, these broad permissions for There was a problem hiding this comment. These look fine to me. the first one should definitely be allowed. We should allow watch access for all container file types. There was a problem hiding this comment.
Watch access already seems to be allowed for |
||
|
|
||
| # Needed to allow systemd socket activation of containers ran by confined users | ||
| allow userdomain container_runtime_t:tcp_socket { bind create getopt listen setopt }; | ||
| allow userdomain container_runtime_t:udp_socket { bind create getopt listen setopt }; | ||
|
Comment on lines
+1653
to
+1654
There was a problem hiding this comment. The target type SELinux rules for object access are generally If And then, As written, these rules imply There was a problem hiding this comment. This is a very strange AVC? This looks like podman is running under a confined user domain? or the confined user transitioned to confined_user_t? There was a problem hiding this comment.
Yes, I'm running some rootless Podman containers via systemd Quadlets as
The AI comments above are mostly nonsense, but I think that what's happening (but I might be wrong) is that for socket-activated units, systemd creates the socket using the context of the target binary:
which in this case, is There was a problem hiding this comment. Ok lets wrap some of these in boolean. |
||
|
|
||
| # When shutting down, systemd will stop the container before the socket unit, so | ||
| # ignore any AVC denials from systemd trying to accept the socket | ||
| dontaudit userdomain container_runtime_t:tcp_socket accept; | ||
|
There was a problem hiding this comment. Similar to the comment on lines 1653-1654, using This likely masks an underlying type enforcement issue or a misunderstanding of how the socket is typed and managed. The socket object itself should have a proper socket type. Please review the types involved in this interaction. |
||
|
|
||
| # Allow systemd to kill containers (needed for when stopping a Quadlet service | ||
| # times out) | ||
| allow userdomain container_runtime_t:process { sigkill signal signull }; | ||
| allow userdomain container_t:process { sigkill signal signull }; | ||
|
|
||
| # Needed for "podman build" to work as a confined user | ||
| allow userdomain container_ro_file_t:dir mounton; | ||
| allow userdomain self:capability setuid; | ||
|
There was a problem hiding this comment. Granting the Rootless Podman typically relies on user namespaces and setuid-root helpers like This permission needs extremely strong justification.
Unless there's an unavoidable, well-understood, and narrowly-scoped reason for this, this line should be removed to maintain the security posture of confined user domains. There was a problem hiding this comment.
There was a problem hiding this comment. Are you running rootful or rootless? There was a problem hiding this comment. Rootless, as $ id
uid=1006(builder) gid=1006(builder) groups=1006(builder) context=user_u:user_r:user_t:s0-s0:c0.c1023There was a problem hiding this comment. Ok so these are newuidmap and newgidmap causing the AVC, lets wrap it in a boolean. |
||
|
|
||
| # Harmless AVC denial | ||
| dontaudit container_runtime_t self:process2 nnp_transition; | ||
|
|
||
| # Ignore containers trying to chown stdin/stdout/stderr | ||
| dontaudit container_t container_runtime_t:fifo_file setattr; | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Container_runtime_t is a very permissive (unconfined) domain, does this tool basically run podman?
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/usr/bin/prometheus-podman-exporteris this tool, which is essentially a network-facing wrapper aroundpodman psandpodman stats.I can test labelling it with a different domain, do you have any suggestions? This one was giving me bizarre errors (see the commit message for “Label prometheus-podman-exporter as container_runtime_exec_t”), so I have no idea which domains to try.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What avc's are generated by leaving it bin_t?