Bpossibly a limitation of overlayFS
Bcould that be it
KNoticed this recently, can't setcap either
GIt fails in a normal container too
GIn a fedora container I mean
AMm maybe but then it should work on bind mounts no?
ASome research suggest overlayfs supports selinux
AG@akdev did you report the podman restorecon issue?
ANo, but I did identify why I was getting container_t - turns out that rootful podman sets the filesystem label for the underlying overlayfs
AI’m not really sure what issue to file tbh, restorecon works on bind mounts
ASo it is related to overlayfs somehow
AMm I found:
label=nested: Allows SELinux modifications within the container. Containers are allowed to modify SELinux labels on files and processes, as long as SELinux policy allows. Without nested, containers view SELinux as disabled, even when it is enabled on the host. Containers are prevented from setting any labels.
AThis could be the solution
GDo we want to try to fix the podman build action then?
AI tried locally and it looks like it doesn't fix this
Ait's more complex than I thought:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems
so:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-mounting_file_systems
To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the root user, use the mount -o context=SELinux_user:role:type:level command when mounting the required file system.
Newly-created files and directories on this file system appear to have the SELinux context specified with -o context. However, since these changes are not written to disk, the context specified with this option does not persist between mounts.
so:
- podman sets context=container_t
- this stops restorecon from working
- no clue what that means for ostree
Aon another note I found out this super cool podman usage:
the
the
--rootfs /:O mounts the rootfs from your current system into a temporary overlay(rw) then puts you inside thatGIs there any way to get around this or is it just an inherent limitation then?
GHow does ostree/rpm-ostree handle it?
GBecause they do have SELinux policies loaded by default
GIdk of those are from the OCI
GMight want to see if there's a way to define it in ostree?
Awhat I am thinking that happens is that ostree is running restorecon on the deployment
GHmmmm
GHow do we define it in ostree?
GThat's the question
Alooks like I was right about that, they relabel on deployment:
https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L799
https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L737C8-L737C34
https://github.com/ostreedev/ostree/blob/main/src/libostree/ostree-sepolicy.c#L593
https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L799
https://github.com/ostreedev/ostree/blob/a2663e8041ffadb764c71a055dd63dba4e7ff378/src/libostree/ostree-sysroot-deploy.c#L737C8-L737C34
https://github.com/ostreedev/ostree/blob/main/src/libostree/ostree-sepolicy.c#L593
Amm I think
ostree_sepolicy_restorecon() might be buggy from ostreeAaccording to this ostree is trying to follow the selinux policy
Athis is reimplementing
restoreconGSo the issue was in the right place?
Grpm-ostree?
Ano, just plain ostree
GAh
R
That could have been bad...
SHow do I fix this?
ADidn’t it delete your homedir?
RNa. Luckily it wasn't my silverblue system
Aok I think i figured it out, ostree unpacks the tar file inside the container image and looks at the selinux policy inside
/usr/etc/selinux based on this it will relabel the final systemgreetd doesn't actually ship any policy (huh?) but rather they just label their files at build time and hope that the destination will keep those changes but podman basically destroys that information due to overlayfsAthe workaround is to ship this file: https://src.fedoraproject.org/rpms/greetd/blob/rawhide/f/greetd.fc
in
in
/usr/etc/selinux/targeted/contexts/files/file_contexts.greetdAthis should make ostree pickup the correct label at deployment time
Aoh they actually ship the policy but it is in binary form
AAnow I know a lot about ostree I guess 
TDoes
rpm-ostree install--enablerepo flag to specify which repo a package should come from? I'm trying to replace a single library with one from rawhide in a custom image.TI could probably just grab the rpm file directly by url but I'd like to make sure it stays up to date
Kinstall doesn't but replace does
