Date: Fri, 16 May 2025 18:11:02 +0200
From: Stefano Brivio
To: Paul Holzinger, Max Chernoff
Cc: passt-dev@passt.top
Subject: Re: [PATCH v2 1/1] selinux: Transition to pasta_t in containers
Message-ID: <20250516181102.6647635f@elisabeth>
In-Reply-To: <8703e232-0763-4d07-8803-e2f54aaed3f2@redhat.com>
References: <20250514104413.197448-2-git@maxchernoff.ca>
 <20250516051105.432590-2-git@maxchernoff.ca>
 <2a88e380-05ad-44cd-93c7-b4073e72f242@redhat.com>
 <99d5f0fb46342ef9675612e64464444e187e4ee7.camel@maxchernoff.ca>
 <8703e232-0763-4d07-8803-e2f54aaed3f2@redhat.com>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Fri, 16 May 2025 14:35:14 +0200
Paul Holzinger wrote:

> On 16/05/2025 14:22, Max Chernoff wrote:
> > Hi Paul,
> >
> > On Fri, 2025-05-16 at 13:59 +0200, Paul Holzinger wrote:
> >> So I did test this patch with podman's system and e2e test on podman
> >> v5.5.0 on fedora rawhide and I noticed one problem that caused some
> >> failures:
> >>
> >> podman build is broken with this policy. And I assume that means buildah
> >> would not work as well. The difference is that in the build case we do
> >> not pass a bind mounted namespace path under /run but rather
> >> /proc/$pid/ns/net as path to pasta. We get this error:
> >>
> >> pasta failed with exit code 1:
> >> Couldn't open network namespace /proc/360143/ns/net: Permission denied
> >>
> >> Logged avc:
> >> denied  { search } for  pid=360144 comm="pasta.avx2" name="360143"
> >> dev="proc" ino=2030208
> >> scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
> >> tclass=dir permissive=0
> > Odd, it works for me:
> >
> > $ id -Z
> > user_u:user_r:user_t:s0-s0:c0.c1023
> >
> > $ podman --version
> > podman version 5.4.2
> >
> > $ pasta --version
> > pasta 0^20250512.g8ec1341-1.fc42.x86_64
> > Copyright Red Hat
> > GNU General Public License, version 2 or later
> >
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> >
> > $ cat Containerfile
> > FROM registry.fedoraproject.org/fedora-minimal:42
> > RUN dnf install --assumeyes python3
> >
> > $ podman build --no-cache --network=pasta .
> > STEP 1/2: FROM registry.fedoraproject.org/fedora-minimal:42
> > STEP 2/2: RUN dnf install --assumeyes python3
> > Updating and loading repositories:
> > Fedora 42 - x86_64 - Updates            100% |   8.3 MiB/s |   6.8 MiB |  00m01s
> > Fedora 42 openh264 (From Cisco) - x86_  100% |   7.7 KiB/s |   6.0 KiB |  00m01s
> > Fedora 42 - x86_64                      100% |  12.3 MiB/s |  35.4 MiB |  00m03s
> > Repositories loaded.
> > Package                     Arch   Version         Repository      Size
> > Installing:
> >  python3                    x86_64 3.13.3-2.fc42   updates     28.7 KiB
> > Installing dependencies:
> >  expat                      x86_64 2.7.1-1.fc42    fedora     290.2 KiB
> >  libb2                      x86_64 0.98.1-13.fc42  fedora      46.1 KiB
> >  libgomp                    x86_64 15.1.1-1.fc42   updates    538.5 KiB
> >  mpdecimal                  x86_64 4.0.1-1.fc42    updates    217.2 KiB
> >  python-pip-wheel           noarch 24.3.1-2.fc42   fedora       1.2 MiB
> >  python3-libs               x86_64 3.13.3-2.fc42   updates     39.9 MiB
> >  readline                   x86_64 8.2-13.fc42     fedora     485.0 KiB
> >  tzdata                     noarch 2025b-1.fc42    fedora       1.6 MiB
> > Installing weak dependencies:
> >  python-unversioned-command noarch 3.13.3-2.fc42   updates     23.0   B
> >
> > Transaction Summary:
> >  Installing:        10 packages
> >
> > Total size of inbound packages is 12 MiB. Need to download 12 MiB.
> > After this operation, 44 MiB extra will be used (install 44 MiB, remove 0 B).
> > [ 1/10] python3-0:3.13.3-2.fc42.x86_64       100% | 109.6 KiB/s |  29.7 KiB |  00m00s
> > [...]
> > [12/12] Installing python-unversioned-c      100% |   9.6 KiB/s | 424.0   B |  00m00s
> > Complete!
> > COMMIT
> > --> edfb5d3fee4c
> > edfb5d3fee4c729c0ec373150bd382e5a8461bc6ce18b14bcc12606d65ee185f
> >
> > $ ps auxZ | grep pasta  # In another terminal while the above is running
> > user_u:user_r:container_runtime_t:s0-s0:c0.c1023 test-us+ 497555 0.4 0.1 2533448 48028 pts/2 Sl+ 06:11 0:00 podman build --no-cache --network=pasta .
> > user_u:user_r:pasta_t:s0-s0:c0.c1023 test-us+ 497680 1.1 0.0 206444 17188 ? Ss 06:11 0:00 /usr/sbin/pasta --config-net --dns-forward 169.254.1.1 -t none -u none -T none -U none --no-map-gw --quiet --netns /proc/497672/ns/net --map-guest-addr 169.254.1.2
> >
> > What are the SELinux contexts of the network namespaces? This is what I
> > get:
> >
> > $ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net
> > ls: cannot access '/run/user/959/netns': No such file or directory
> > lrwxrwxrwx. 1 test-user test-user user_u:user_r:user_t:s0-s0:c0.c1023 0 May 16 06:15 /proc/self/ns/net -> 'net:[4026531840]'
>
> It seems to be unconfined for me
>
> lrwxrwxrwx. 1 test test unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  0 May 16 08:32 /proc/self/ns/net -> 'net:[4026531840]'
>
> >
> > /run/user/959/containers/networks/rootless-netns:
> > total 0
> > drwx------. 2 test-user test-user user_u:object_r:ifconfig_var_run_t:s0 40 May 16 06:05 ./
> > drwx------. 3 test-user test-user user_u:object_r:user_tmp_t:s0         60 May 16 06:05 ../
> /run/user/1001/containers/networks/rootless-netns:
> total 0
> drwx------. 2 test test unconfined_u:object_r:ifconfig_var_run_t:s0  40 May 16 06:26 .
> drwx------. 4 test test unconfined_u:object_r:user_tmp_t:s0         120 May 16 06:26 ..
>
> /run/user/1001/netns:
> total 0
> drwxr-xr-x. 2 test test unconfined_u:object_r:ifconfig_var_run_t:s0  40 May 16 07:31 .
> drwx------. 9 test test unconfined_u:object_r:user_tmp_t:s0         200 May 16 06:19 ..

I'm getting the same issue with 'podman build' and the Containerfile
shared by Max.

Running with SELinux in permissive mode, I'm getting:

# cat /var/log/audit/audit.log
type=AVC msg=audit(1747410763.621:130615): avc:  denied  { search } for  pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410763.621:130616): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
type=AVC msg=audit(1747410763.622:130617): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1747410763.622:130618): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410763.622:130619): avc:  denied  { open } for  pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410764.622:130620): avc:  denied  { read } for  pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1

and:

# audit2allow -a

#============= pasta_t ==============
allow pasta_t container_runtime_t:dir { open read search };
allow pasta_t container_runtime_t:file read;
allow pasta_t container_runtime_t:lnk_file read;
allow pasta_t container_t:lnk_file read;

If I add those rules, everything works (well, I'm not saying that's the
solution...). This is a Fedora virtual machine with:

# uname -a
Linux passt.top 6.11.0-0.rc3.30.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Aug 12 14:18:21 UTC 2024 x86_64 GNU/Linux
# rpm -qe podman passt
podman-5.5.0~rc2-1.fc43.x86_64
passt-0^20250512.g8ec1341-1.fc43.x86_64

To me those denials look reasonable, in the sense that I would expect the
namespace links to have container_runtime_t type. By the way:

$ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net
lrwxrwxrwx. 1 sbrivio sbrivio unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 May 16 15:59 /proc/self/ns/net -> 'net:[4026531840]'

/run/user/1001/containers/networks/rootless-netns:
total 0
drwx------. 2 sbrivio sbrivio unconfined_u:object_r:ifconfig_var_run_t:s0  40 May 15 15:00 .
drwx------. 4 sbrivio sbrivio unconfined_u:object_r:user_tmp_t:s0         120 May 15 15:00 ..

/run/user/1001/netns:
total 0
drwxr-xr-x. 2 sbrivio sbrivio unconfined_u:object_r:ifconfig_var_run_t:s0  40 May 15 15:00 .
drwx------. 8 sbrivio sbrivio unconfined_u:object_r:user_tmp_t:s0         220 May  6 08:02 ..

Max, could it be that you're running stuff with some customised SELinux
policy?

By the way, with "unconfined disabled":

  https://bugzilla.redhat.com/show_bug.cgi?id=2330512

we seem to have unconfined_t as type for those links:

type=AVC msg=audit(1733378482.320:31258): avc:  denied  { open } for  pid=651955 comm="pasta.avx2" path="/proc/651954/ns" dev="proc" ino=2904841 scontext=staff_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1

...but I'm not sure at which point in time exactly.

> >> I am not familiar with the selinux stuff but if this is a boolean that
> >> users can configure should this be documented in the man page here?
> > I guess more documentation is always a good thing, but most of the other
> > container-related SELinux booleans seem to be undocumented:
> >
> > $ sudo semanage boolean --list | grep ^container_
> > container_connect_any          (off  ,  off)  Determine whether container can connect to all TCP ports.
> > container_manage_cgroup        (on   ,   on)  Allow sandbox containers to manage cgroup (systemd)
> > container_read_certs           (off  ,  off)  Allow all container domains to read cert files and directories
> > container_use_cephfs           (off  ,  off)  Determine whether container can use ceph file system
> > container_use_devices          (off  ,  off)  Allow containers to use any device volume mounted into container
> > container_use_dri_devices      (on   ,   on)  Allow containers to use any dri device volume mounted into container
> > container_use_ecryptfs         (off  ,  off)  Determine whether container can use ecrypt file system
> > container_use_xserver_devices  (off  ,  off)  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
> > container_user_exec_content    (on   ,   on)  Allow container to user exec content
> >
> > $ man -wK container_connect_any
> > No manual entry for container_connect_any
> >
> > $ man -wK container_manage_cgroup
> > /usr/share/man/man1/podman-create.1.gz
> > /usr/share/man/man1/podman-run.1.gz
> > /usr/share/man/man7/podman-troubleshooting.7.gz
> >
> > $ man -wK container_read_certs
> > No manual entry for container_read_certs
> >
> > $ man -wK container_use_cephfs
> > No manual entry for container_use_cephfs
> >
> > $ man -wK container_use_devices
> > /usr/share/man/man1/sesearch.1.gz
> > /usr/share/man/man1/podman-pod-clone.1.gz
> > /usr/share/man/man1/podman-pod-create.1.gz
> > /usr/share/man/man1/podman-build.1.gz
> > /usr/share/man/man1/podman-farm-build.1.gz
> > /usr/share/man/man1/podman-create.1.gz
> > /usr/share/man/man1/podman-run.1.gz
> > /usr/share/man/man8/setsebool.8.gz
> >
> > $ man -wK container_user_exec_content
> > No manual entry for container_user_exec_content
> >
> > I'll send a patch for the man pages tomorrow.

Wait a moment. I don't think something SELinux-specific belongs to pasta's
man page, because that's not relevant for all users and distributions. We
could maintain that as an addition for Fedora and perhaps Gentoo, but I
wonder if it's really worth the effort.

Besides, I think that:

# semanage boolean --list | grep pasta
pasta_allow_bind_any_port      (on   ,   on)  Allow pasta to allow bind any port

...this is the common practice to document those knobs (and where I usually
look for things). We wouldn't have much to add to this anyway.

-- 
Stefano
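The message above shows raw AVC denials and the `allow` rules that `audit2allow -a` derives from them. The following is an added example (not part of the thread, not code from passt or podman) that reproduces that derivation step by step so a policy reviewer can see exactly which denial contributes which permission, and which target types are unexpected. The sample log is constructed from the six denials quoted in the message; the "expected target types" set is an assumption taken from the remark that the namespace links are expected to be `container_runtime_t`, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input: the six AVC denials quoted in the message,
# as they would appear in /var/log/audit/audit.log (or `ausearch -m AVC`).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1747410763.621:130615): avc:  denied  { search } for  pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410763.621:130616): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
type=AVC msg=audit(1747410763.622:130617): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1747410763.622:130618): avc:  denied  { read } for  pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410763.622:130619): avc:  denied  { open } for  pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1747410764.622:130620): avc:  denied  { read } for  pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1
"""

# Fields of an AVC denial that matter for deriving an allow rule:
# the denied permission set, source and target contexts, and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type component of an SELinux context (user:role:type[:range])."""
    return context.split(':')[2]

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL or CWD records)
        yield (type_of(m['scontext']), type_of(m['tcontext']),
               m['tclass'], set(m['perms'].split()))

def aggregate_rules(denials):
    """Merge denials with the same (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def format_allow_rules(rules):
    """Render aggregated denials in the `allow` syntax audit2allow prints."""
    lines = []
    for key in sorted(rules):
        stype, ttype, tclass = key
        perms = sorted(rules[key])
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        lines.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return lines

def unexpected_targets(rules, expected=frozenset({'container_runtime_t'})):
    """Return rule keys whose target type is outside the set a reviewer expects.

    `expected` is an assumption for this example: the message states that the
    namespace links are expected to carry container_runtime_t. Anything else
    (here, the container_t link) deserves a closer look before it becomes policy.
    """
    return sorted(key for key in rules if key[1] not in expected)

if __name__ == '__main__':
    derived = aggregate_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))
    for rule in format_allow_rules(derived):
        print(rule)
    for key in unexpected_targets(derived):
        print('review: target type %s not in expected set (%s:%s)' % (key[1], key[0], key[2]))
```

Run against the constructed sample, the four `allow` lines come out identical to the `audit2allow -a` output quoted in the message, and the last denial (target `container_t`) is flagged separately, which is the kind of rule one would want to justify rather than add mechanically.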