AI also stared to think about how selinux interacts with containers
Grpm-ostree or podman? I'm thinking rpm-ostree but idk
AJust plain dnf install on a fedora container shows the errors
AThe bugs are probably in the packaging
GAh
Brpm-ostree is essentially just downloading packages then using rpm to install them on a seperate root filesystem (with help of --root argument)(its a bit more complex but thats the gist of it)
Bok then it creates a ostree thing from it and sets it as a what to be booted to on next boot
AI guess the first thing to fix is to get
lsetxattr()I don’t see any reasons why it doesn’t work
Ahttps://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json#L244C6-L244C6
afaict it should be allowed
afaict it should be allowed
Bis that in any way connected to selinux cause selinux is one of rare mysteries to me in linux
Aselinux file labels are just extended filesystem attributes
AThis setfattr command is equivalent to
chconin theory we should able to relabel a file manually by calling setfattr
AThis is failing inside a container
Bpossibly a limitation of overlayFS
Bcould that be it
KNoticed this recently, can't setcap either
GIt fails in a normal container too
GIn a fedora container I mean
AMm maybe but then it should work on bind mounts no?
ASome research suggest overlayfs supports selinux
AG@akdev did you report the podman restorecon issue?
ANo, but I did identify why I was getting container_t - turns out that rootful podman sets the filesystem label for the underlying overlayfs
AI’m not really sure what issue to file tbh, restorecon works on bind mounts
ASo it is related to overlayfs somehow
AMm I found:
label=nested: Allows SELinux modifications within the container. Containers are allowed to modify SELinux labels on files and processes, as long as SELinux policy allows. Without nested, containers view SELinux as disabled, even when it is enabled on the host. Containers are prevented from setting any labels.
AThis could be the solution
GDo we want to try to fix the podman build action then?
AI tried locally and it looks like it doesn't fix this
Ait's more complex than I thought:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems
so:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems
To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the root user, use the mount -o context=SELinux_user:role:type:level command when mounting the required file system.
Newly-created files and directories on this file system appear to have the SELinux context specified with -o context. However, since these changes are not written to disk, the context specified with this option does not persist between mounts.
so:
- podman sets context=container_t
- this stops restorecon from working
- no clue what that means for ostree
Aon another note I found out this super cool podman usage:
the
the
--rootfs /:OIs there any way to get around this or is it just an inherent limitation then?
GHow does ostree/rpm-ostree handle it?
GBecause they do have SELinux policies loaded by default
GIdk of those are from the OCI
GMight want to see if there's a way to define it in ostree?
Awhat I am thinking that happens is that ostree is running restorecon on the deployment
GHmmmm
GHow do we define it in ostree?
GThat's the question
Alooks like I was right about that, they relabel on deployment:
https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L799
https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L737C8-L737C34
https://github.com/ostreedev/ostree/blob/main/src/libostree/ostree-sepolicy.c#L593
https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L799
https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L737C8-L737C34
https://github.com/ostreedev/ostree/blob/main/src/libostree/ostree-sepolicy.c#L593
Amm I think
ostree_sepolicy_restorecon()according to this ostree is trying to follow the selinux policy
Athis is reimplementing
restoreconSo the issue was in the right place?
Grpm-ostree?
Ano, just plain ostree
