From: Stefano Brivio <sbrivio@redhat.com>
To: Max Chernoff <git@maxchernoff.ca>
Cc: Paul Holzinger <pholzing@redhat.com>, passt-dev@passt.top
Subject: Re: [PATCH v2 1/1] selinux: Transition to pasta_t in containers
Date: Mon, 19 May 2025 09:39:41 +0200 [thread overview]
Message-ID: <20250519093941.4503ae47@elisabeth> (raw)
In-Reply-To: <3eaa88568e808eed15c49a05515954b51cf35c4e.camel@maxchernoff.ca>
On Sat, 17 May 2025 03:34:42 -0600
Max Chernoff <git@maxchernoff.ca> wrote:
> Hi Stefano
>
> On Fri, 2025-05-16 at 18:11 +0200, Stefano Brivio wrote:
> > Max, could it be that you're running stuff with some customised SELinux
> > policy? By the way, with "unconfined disabled":
>
> Simpler than that: I was testing something with SELinux permissive, and
> I forgot to reenable it. Whoops. I'm getting the same results as you
> now.
>
> > Running with SELinux in permissive mode, I'm getting:
> >
> > # cat /var/log/audit/audit.log
> > type=AVC msg=audit(1747410763.621:130615): avc: denied { search } for pid=1352409 comm="pasta.avx2" name="1352408" dev="proc" ino=7022238 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> > type=AVC msg=audit(1747410763.621:130616): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=1
> > type=AVC msg=audit(1747410763.622:130617): avc: denied { read } for pid=1352409 comm="pasta.avx2" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=1
> > type=AVC msg=audit(1747410763.622:130618): avc: denied { read } for pid=1352409 comm="pasta.avx2" name="ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> > type=AVC msg=audit(1747410763.622:130619): avc: denied { open } for pid=1352409 comm="pasta.avx2" path="/proc/1352408/ns" dev="proc" ino=7022284 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=dir permissive=1
> > type=AVC msg=audit(1747410764.622:130620): avc: denied { read } for pid=1352417 comm="pasta.avx2" name="net" dev="proc" ino=7022285 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:system_r:container_t:s0:c609,c838 tclass=lnk_file permissive=1
> >
> > and:
> >
> > # audit2allow -a
> >
> >
> > #============= pasta_t ==============
> > allow pasta_t container_runtime_t:dir { open read search };
> > allow pasta_t container_runtime_t:file read;
> > allow pasta_t container_runtime_t:lnk_file read;
> > allow pasta_t container_t:lnk_file read;
> >
> > If I add those rules, everything works
>
> Yes, adding those rules also fixes things for me.
>
> > To me those denials look reasonable, in the sense that I would expect
> > the namespace links to have container_runtime_t type.
>
> I'm a little surprised that "container_runtime_t:file read" is necessary
> since I thought that "container_runtime_t:lnk_file read" would be
> sufficient to get the target of the link, but it indeed does not work
> without it.
>
> > (well, I'm not saying that's the solution...).
>
> I guess the options are:
>
> 1. Add the above rules to the pasta SELinux policy
>
> 2. Have Podman change the context of /proc/self/ns/net to pasta_t
>
> 3. Have Podman pass a file descriptor to the netns instead of the path
> to the netns.
>
> (1) is arguably the least secure, but is probably fine in practice?
Well:
2. is probably the most restrictive but it doesn't really feel
correct to me (pasta is not, at least conceptually, the exclusive
user of the network namespace link)
3. is pretty much a way to dodge LSM policies (SELinux / AppArmor can't
see this, done)
...so I would opt for 1.
I see why you mention it's less secure: we didn't really want to be
able to open and read *any* container_runtime_t:dir or
container_t:lnk_file. But that's not really the part of "fine-grained"
security that we typically delegate to SELinux anyway.
> > Max, could it be that you're running stuff with some customised SELinux
> > policy? By the way, with "unconfined disabled":
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2330512
> >
> > we seem to have unconfined_t as type for those links:
> >
> > type=AVC msg=audit(1733378482.320:31258): avc: denied { open } for pid=651955 comm="pasta.avx2" path="/proc/651954/ns" dev="proc" ino=2904841 scontext=staff_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
> >
> > ...but I'm not sure at which point in time exactly.
>
> Ah, I wonder if that might be related to this:
>
> https://github.com/containers/buildah/issues/6160
>
> But with the workaround documented there, and the rules from above,
> "podman build" works as expected with the unconfined module disabled.
Ah, great, then I guess we don't need to fix something that's not
broken.
> > Wait a moment. I don't think something SELinux-specific belongs to
> > pasta's man page, because that's not relevant for all users and
> > distributions.
> >
> > We could maintain that as an addition for Fedora and perhaps Gentoo,
> > but I wonder if it's really worth the effort.
>
> +1
...so I guess the only remaining point, other than adding those rules,
is to figure out why %selinux_relabel_post isn't enough and what we can
add to the spec file instead. I'll try to have a look at it within a
couple of days unless you find an explanation / solution before then.
--
Stefano
next prev parent reply other threads:[~2025-05-19 7:39 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 10:44 [PATCH 0/1] selinux: Transition to pasta_t in containers Max Chernoff
2025-05-14 10:44 ` [PATCH 1/1] " Max Chernoff
2025-05-15 13:40 ` Stefano Brivio
2025-05-15 15:55 ` Stefano Brivio
2025-05-14 12:26 ` [PATCH 0/1] " Stefano Brivio
2025-05-16 5:11 ` [PATCH v2 " Max Chernoff
2025-05-16 6:22 ` Stefano Brivio
2025-05-16 5:11 ` [PATCH v2 1/1] " Max Chernoff
2025-05-16 11:59 ` Paul Holzinger
2025-05-16 12:22 ` Max Chernoff
2025-05-16 12:35 ` Paul Holzinger
2025-05-16 16:11 ` Stefano Brivio
2025-05-17 9:34 ` Max Chernoff
2025-05-19 7:39 ` Stefano Brivio [this message]
2025-05-20 10:37 ` [PATCH v3 0/1] " Max Chernoff
2025-05-20 16:08 ` Stefano Brivio
2025-05-24 7:16 ` [PATCH v4 " Max Chernoff
2025-05-24 7:16 ` [PATCH v4 1/1] " Max Chernoff
2025-05-20 10:37 ` [PATCH v3 " Max Chernoff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250519093941.4503ae47@elisabeth \
--to=sbrivio@redhat.com \
--cc=git@maxchernoff.ca \
--cc=passt-dev@passt.top \
--cc=pholzing@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).