Subject: Re: [PATCH v2 1/1] selinux: Transition to pasta_t in containers
Message-ID: <99d5f0fb46342ef9675612e64464444e187e4ee7.camel@maxchernoff.ca>
From: Max Chernoff
To: Paul Holzinger, passt-dev@passt.top
CC: Stefano Brivio, Max Chernoff
Date: Fri, 16 May 2025 06:22:30 -0600
In-Reply-To: <2a88e380-05ad-44cd-93c7-b4073e72f242@redhat.com>
References: <20250514104413.197448-2-git@maxchernoff.ca> <20250516051105.432590-2-git@maxchernoff.ca> <2a88e380-05ad-44cd-93c7-b4073e72f242@redhat.com>

Hi Paul,

On Fri, 2025-05-16 at 13:59 +0200, Paul Holzinger wrote:
> So I did test this patch with podman's system and e2e test on podman
> v5.5.0 on fedora rawhide and I noticed one problem that caused some
> failures:
>
> podman build is broken with this policy. And I assume that means buildah
> would not work as well. The difference is that in the build case we do
> not pass a bind mounted namespace path under /run but rather
> /proc/$pid/ns/net as path to pasta. We get this error:
>
> pasta failed with exit code 1:
> Couldn't open network namespace /proc/360143/ns/net: Permission denied
>
> Logged avc:
> denied  { search } for  pid=360144 comm="pasta.avx2" name="360143"
> dev="proc" ino=2030208
> scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
> tclass=dir permissive=0

Odd, it works for me:

    $ id -Z
    user_u:user_r:user_t:s0-s0:c0.c1023
    $ podman --version
    podman version 5.4.2
    $ pasta --version
    pasta 0^20250512.g8ec1341-1.fc42.x86_64
    Copyright Red Hat
    GNU General Public License, version 2 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    $ cat Containerfile
    FROM registry.fedoraproject.org/fedora-minimal:42
    RUN dnf install --assumeyes python3
    $ podman build --no-cache --network=pasta .
    STEP 1/2: FROM registry.fedoraproject.org/fedora-minimal:42
    STEP 2/2: RUN dnf install --assumeyes python3
    Updating and loading repositories:
     Fedora 42 - x86_64 - Updates           100% |   8.3 MiB/s |   6.8 MiB |  00m01s
     Fedora 42 openh264 (From Cisco) - x86_ 100% |   7.7 KiB/s |   6.0 KiB |  00m01s
     Fedora 42 - x86_64                     100% |  12.3 MiB/s |  35.4 MiB |  00m03s
    Repositories loaded.
    Package                        Arch   Version          Repository      Size
    Installing:
     python3                       x86_64 3.13.3-2.fc42    updates     28.7 KiB
    Installing dependencies:
     expat                         x86_64 2.7.1-1.fc42     fedora     290.2 KiB
     libb2                         x86_64 0.98.1-13.fc42   fedora      46.1 KiB
     libgomp                       x86_64 15.1.1-1.fc42    updates    538.5 KiB
     mpdecimal                     x86_64 4.0.1-1.fc42     updates    217.2 KiB
     python-pip-wheel              noarch 24.3.1-2.fc42    fedora       1.2 MiB
     python3-libs                  x86_64 3.13.3-2.fc42    updates     39.9 MiB
     readline                      x86_64 8.2-13.fc42      fedora     485.0 KiB
     tzdata                        noarch 2025b-1.fc42     fedora       1.6 MiB
    Installing weak dependencies:
     python-unversioned-command    noarch 3.13.3-2.fc42    updates     23.0   B

    Transaction Summary:
     Installing:        10 packages

    Total size of inbound packages is 12 MiB. Need to download 12 MiB.
    After this operation, 44 MiB extra will be used (install 44 MiB, remove 0 B).
    [ 1/10] python3-0:3.13.3-2.fc42.x86_64  100% | 109.6 KiB/s |  29.7 KiB |  00m00s
    [...]
    [12/12] Installing python-unversioned-c 100% |   9.6 KiB/s | 424.0   B |  00m00s
    Complete!
    COMMIT
    --> edfb5d3fee4c
    edfb5d3fee4c729c0ec373150bd382e5a8461bc6ce18b14bcc12606d65ee185f
    $ ps auxZ | grep pasta  # In another terminal while the above is running
    user_u:user_r:container_runtime_t:s0-s0:c0.c1023 test-us+ 497555 0.4 0.1 2533448 48028 pts/2 Sl+ 06:11 0:00 podman build --no-cache --network=pasta .
    user_u:user_r:pasta_t:s0-s0:c0.c1023 test-us+ 497680 1.1 0.0 206444 17188 ? Ss 06:11 0:00 /usr/sbin/pasta --config-net --dns-forward 169.254.1.1 -t none -u none -T none -U none --no-map-gw --quiet --netns /proc/497672/ns/net --map-guest-addr 169.254.1.2

What are the SELinux contexts of the network namespaces? This is what I get:

    $ ls -laZ $XDG_RUNTIME_DIR/netns $XDG_RUNTIME_DIR/containers/networks/rootless-netns /proc/self/ns/net
    ls: cannot access '/run/user/959/netns': No such file or directory
    lrwxrwxrwx. 1 test-user test-user user_u:user_r:user_t:s0-s0:c0.c1023  0 May 16 06:15 /proc/self/ns/net -> 'net:[4026531840]'

    /run/user/959/containers/networks/rootless-netns:
    total 0
    drwx------. 2 test-user test-user user_u:object_r:ifconfig_var_run_t:s0 40 May 16 06:05 ./
    drwx------. 3 test-user test-user user_u:object_r:user_tmp_t:s0          60 May 16 06:05 ../

> I am not familiar with the selinux stuff but if this is a boolean that
> users can configure should this be documented in the man page here?

I guess more documentation is always a good thing, but most of the other
container-related SELinux booleans seem to be undocumented:

    $ sudo semanage boolean --list | grep ^container_
    container_connect_any          (off  ,  off)  Determine whether container can connect to all TCP ports.
    container_manage_cgroup        (on   ,   on)  Allow sandbox containers to manage cgroup (systemd)
    container_read_certs           (off  ,  off)  Allow all container domains to read cert files and directories
    container_use_cephfs           (off  ,  off)  Determine whether container can use ceph file system
    container_use_devices          (off  ,  off)  Allow containers to use any device volume mounted into container
    container_use_dri_devices      (on   ,   on)  Allow containers to use any dri device volume mounted into container
    container_use_ecryptfs         (off  ,  off)  Determine whether container can use ecrypt file system
    container_use_xserver_devices  (off  ,  off)  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
    container_user_exec_content    (on   ,   on)  Allow container to user exec content
    $ man -wK container_connect_any
    No manual entry for container_connect_any
    $ man -wK container_manage_cgroup
    /usr/share/man/man1/podman-create.1.gz
    /usr/share/man/man1/podman-run.1.gz
    /usr/share/man/man7/podman-troubleshooting.7.gz
    $ man -wK container_read_certs
    No manual entry for container_read_certs
    $ man -wK container_use_cephfs
    No manual entry for container_use_cephfs
    $ man -wK container_use_devices
    /usr/share/man/man1/sesearch.1.gz
    /usr/share/man/man1/podman-pod-clone.1.gz
    /usr/share/man/man1/podman-pod-create.1.gz
    /usr/share/man/man1/podman-build.1.gz
    /usr/share/man/man1/podman-farm-build.1.gz
    /usr/share/man/man1/podman-create.1.gz
    /usr/share/man/man1/podman-run.1.gz
    /usr/share/man/man8/setsebool.8.gz
    $ man -wK container_user_exec_content
    No manual entry for container_user_exec_content

I'll send a patch for the man pages tomorrow.

Thanks,
-- Max
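As an added example, not code from this thread, from passt or from podman: a small Python parser for AVC records like the one Paul quoted, which pulls out the source and target types, tells an enforced denial apart from a permissive-mode one, and derives the rule audit2allow would suggest, together with the reason that rule is not automatically the right fix when the target is a /proc/<pid> directory. The sample record is constructed from the denial in Paul's message.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC quoted in Paul's message, re-joined on one line
# in the kernel's audit format ("avc:  denied  { perm } for  key=value ...").
SAMPLE_AVC = (
    'avc:  denied  { search } for  pid=360144 comm="pasta.avx2" name="360143" '
    'dev="proc" ino=2030208 '
    'scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 '
    'tclass=dir permissive=0'
)

_HEAD = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
                   r'\s+for\s+(?P<rest>.*)$')
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

@dataclass
class Avc:
    result: str   # "denied" or "granted"
    perms: list   # permissions inside the braces, e.g. ["search"]
    fields: dict  # pid, comm, name, dev, ino, scontext, tcontext, tclass, ...

    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]  # user:role:TYPE:range

    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

def parse_avc(line: str):
    """Parse one AVC record; returns None for lines that are not AVCs."""
    m = _HEAD.search(line)
    if not m:
        return None
    fields = {}
    for kv in _KV.finditer(m.group("rest")):
        key, quoted, bare = kv.groups()
        fields[key] = quoted if quoted is not None else bare
    return Avc(m.group("result"), m.group("perms").split(), fields)

def is_enforced_denial(avc: Avc) -> bool:
    """True only when the access was actually blocked (permissive=0)."""
    return avc.result == "denied" and avc.fields.get("permissive") == "0"

def allow_rule(avc: Avc) -> str:
    """Minimal TE rule audit2allow would derive. It silences the denial but is
    not automatically the right fix: with dev="proc" the target type is the
    domain owning /proc/<pid>, so it opens every container_runtime_t pid dir."""
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ " + " ".join(avc.perms) + " }"
    return f"allow {avc.source_type()} {avc.target_type()}:{avc.fields['tclass']} {perms};"
```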