Support running inside default docker/podman w/container-selinux
Today the container-selinux policy denies mount("tmpfs"). Arguably, this is a bug in the policy with the advent of user namespaces. However, we could just use a temporary directory in an existing tmpfs (or just the container overlayfs, which is semantically tmpfs-like). The downside of doing so is that the outer container could see/affect the inner fs, but eh.
For reference today,
host$ podman run --security-opt seccomp=unconfined --rm -ti <container>
container$ bwrap --unshare-all --ro-bind / / echo ok
bwrap: Failed to mount tmpfs: Permission denied
<ctrl-d>
host$ sudo setenforce 0
host$ podman run --security-opt seccomp=unconfined --rm -ti <container>
container$ bwrap --unshare-all --ro-bind / / echo ok
ok
See also https://github.com/projectatomic/rpm-ostree/issues/1329
/cc @rhatdan
It's funny, I was working on a policy to allow all of the mounts yesterday for running buildah in a container, but we decided to pull the effort and run buildah in a different way. I would guess it would be best to have a different container type which allowed all of the mounts: container_userns_t (I was working on container_build_t).
What is the issue with seccomp?
> What is the issue with seccomp?
The default docker seccomp policy denies clone(...CLONE_NEWUSER).
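Added diagnostic, not code from this issue or from bubblewrap: it repeats the first two steps bwrap takes (unshare(CLONE_NEWUSER|CLONE_NEWNS), then mount("tmpfs")) in a child process and reports which one fails, so the clone() denial from the seccomp profile can be told apart from the mount() denial from SELinux policy. The errno-to-cause mapping is my own heuristic, and the SELinux state is read from /sys/fs/selinux/enforce the same way getenforce does.

```python
import ctypes
import errno
import os
import tempfile

CLONE_NEWNS = 0x00020000  # flags from <sched.h>; bwrap --unshare-all uses both
CLONE_NEWUSER = 0x10000000
libc = ctypes.CDLL(None, use_errno=True)

def selinux_enforcing():
    """True when SELinux is present and enforcing (what getenforce reports)."""
    try:
        with open("/sys/fs/selinux/enforce") as f:
            return f.read().strip() == "1"
    except OSError:
        return False

def diagnose(step, err, enforcing):
    """Heuristic (assumed): attribute the first failing step to seccomp or SELinux."""
    if step == "unshare" and err == errno.EPERM:
        return "seccomp profile (or disabled unprivileged userns) blocks CLONE_NEWUSER"
    if step == "mount" and err in (errno.EACCES, errno.EPERM) and enforcing:
        return "SELinux policy denies mount(tmpfs) for the container domain"
    return "ok" if err == 0 else f"{step} failed: {os.strerror(err)}"

def probe():
    """Reproduce bwrap's first two steps in a child; return (step, errno)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report the first failing step and exit
        os.close(r)
        step, err = "unshare", 0
        if libc.unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0:
            err = ctypes.get_errno()
        else:
            step = "mount"
            target = tempfile.mkdtemp().encode()  # scratch dir on the container fs
            if libc.mount(b"tmpfs", target, b"tmpfs", 0, None) != 0:
                err = ctypes.get_errno()
        os.write(w, f"{step}:{err}".encode())
        os._exit(0)
    os.close(w)
    step, err = os.read(r, 64).decode().split(":")
    os.close(r)
    os.waitpid(pid, 0)
    return step, int(err)

if __name__ == "__main__":
    step, err = probe()
    print(step, err, diagnose(step, err, selinux_enforcing()))
```

Run it inside the container before and after setenforce 0 (or with a different seccomp profile) to see which layer moves the failure.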
With this policy https://github.com/projectatomic/container-selinux/pull/53
You would need to do podman run -ti --security-opt label=type:container_userns_t ...
@rhatdan I'm trying to call:
$ podman run --rm -ti --security-opt label=type:container_userns_t <image>
[jboss@2c4192b81742 ~]$ bwrap --unshare-all --ro-bind / / echo ok
bwrap: umount old root: Permission denied
but, with setenforce 0 it works:
$ sudo setenforce 0
$ podman run --rm -ti --security-opt label=type:container_userns_t <image>
[jboss@56e2f60fd67f ~]$ bwrap --unshare-all --ro-bind / / echo ok
ok
Running with both: --security-opt seccomp=unconfined --security-opt label=type:container_userns_t also doesn't help.
My podman-info.yaml, and the SELinux report.