
container_user_u issues related to `podmansh`

Open bachradsusi opened this issue 1 year ago • 2 comments

  • podmansh(1) mentions `label=user:container_user_u`, which is defined in this policy. This repository ships a `container_u` file to assign the correct context during login; it should follow seuser_id, so the right file should be `container_user_u`, and it's probably not necessary at all unless it's expected that `container_user_u` would be used for users who log in.

  • In order to make `container_user_u` available for this use case, it's necessary to run `semanage user -a -r s0-s0:c0.c1023 -R "container_user_r" container_user_u` or use the `gen_user()` macro.

  • there are a few missing rules to make it work with `unconfined_t`:

```cil
(roleallow unconfined_r container_user_r)

(allow container_runtime_t container_user_t ( process ( transition )))
(allow container_runtime_t container_user_t ( process2 ( nnp_transition )))

(allow container_user_t container_file_t ( chr_file ( ioctl read write )))
(allow container_user_t container_file_t ( file ( entrypoint )))
(allow container_user_t container_runtime_t ( fifo_file ( write )))
```

bachradsusi, Jan 08 '24 12:01
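To check whether the loaded policy on a host already carries the rules listed in the issue, here is an added Python helper (not part of container-selinux or of this thread) that translates each CIL rule into the matching setools 4 `sesearch` query and reports the ones that return nothing; it assumes `sesearch` is installed, and reports every rule as missing when it is not.

```python
import re
import shutil
import subprocess

# The CIL rules quoted in the issue, copied here so the check runs stand-alone.
ISSUE_RULES = """
(roleallow unconfined_r container_user_r)
(allow container_runtime_t container_user_t ( process ( transition )))
(allow container_runtime_t container_user_t ( process2 ( nnp_transition )))
(allow container_user_t container_file_t ( chr_file ( ioctl read write )))
(allow container_user_t container_file_t ( file ( entrypoint )))
(allow container_user_t container_runtime_t ( fifo_file ( write )))
"""

ALLOW_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\(\s*(\S+)\s+\(([^)]*)\)\s*\)\s*\)")
ROLEALLOW_RE = re.compile(r"\(roleallow\s+(\S+)\s+(\S+)\s*\)")


def parse_cil(text):
    """Expand each CIL rule into (kind, source, target, class, perm) tuples,
    one per permission, so that every tuple maps to a single sesearch query."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ALLOW_RE.match(line):
            src, tgt, cls, perms = m.groups()
            rules.extend(("allow", src, tgt, cls, p) for p in perms.split())
        elif m := ROLEALLOW_RE.match(line):
            rules.append(("roleallow", m.group(1), m.group(2), None, None))
    return rules


def sesearch_args(rule):
    """Build the setools 4 sesearch command line that would match this rule.
    -s/-t also match via attributes, so rules granted through an attribute count."""
    kind, src, tgt, cls, perm = rule
    if kind == "roleallow":
        return ["sesearch", "--role_allow", "-s", src, "-t", tgt]
    return ["sesearch", "-A", "-s", src, "-t", tgt, "-c", cls, "-p", perm]


def run_sesearch(args):
    """Run sesearch against the loaded policy; empty output means no match."""
    if shutil.which("sesearch") is None:
        return ""  # no setools on this host: every rule is reported as missing
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout


def missing_rules(rules, runner=run_sesearch):
    """Return the rules for which the policy query prints nothing."""
    return [r for r in rules if not runner(sesearch_args(r)).strip()]


if __name__ == "__main__":
    for rule in missing_rules(parse_cil(ISSUE_RULES)):
        print("missing:", " ".join(sesearch_args(rule)[1:]))
```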

How can I do `(roleallow unconfined_r container_user_r)` using traditional container.te rules?

rhatdan, Jan 17 '24 20:01

Would a simple allow rule do the job? https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/userdomain.if#L43

zpytela, Jan 19 '24 10:01