
SE label for podman socket

Open ytimenkov opened this issue 9 months ago • 0 comments

I think the main question is why the podman socket is not labeled?

Distribution: openSUSE Tumbleweed selinux-policy-targeted-20250305-1.2.noarch

I'm trying to run CI with SELinux active (I read a lot of articles from Dan about SELinux and buildah inside a container; although they recommend disabling labeling, it worked until a recent update).

I had to create a custom policy (based on what udica produces) where I had (.cil file):

    {# Communicate to outer podman #}
    (allow process container_runtime_t (unix_stream_socket ( connectto )))
    (allow process var_run_t (sock_file ( write )))

But after recent Tumbleweed update I got again:

    type=AVC msg=audit(1741759030.641:404): avc:  denied  { connectto } for  pid=3285 comm="forgejo-runner" path="/run/user/1005/podman/podman.sock" scontext=system_u:system_r:systemd-forgejo-runner.process:s0:c58,c947 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

which says that the socket file is unlabeled (or default-labeled). podman.sock is not labeled either:

    # ls -lZ /run/podman/podman.sock
    srw-rw----. 1 root root system_u:object_r:var_run_t:s0 0 Mar 11 20:45 /run/podman/podman.sock

Which looks very unspecific (var_t vs container_var_t).

My idea is to run a lingering podman socket for a user and pass it to the container with the CI runner (so that all images are cached on the host). You may argue whether it's a good or bad one, but it was cool to learn something :)

    Volume=/run/user/1005/podman/podman.sock:/run/podman/podman.sock:rw,U,Z
    User=1000
    Group=0

ytimenkov, Mar 12 '25 06:03
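To read the denial in the post the way audit2allow does, here is an added example (Python, standard library only; it is not code from the issue or from container-selinux). It parses the AVC record quoted above into its fields, reports whether the `tcontext` label lives on a filesystem object or on a socket created by a process, and prints the narrowest CIL allow statement that the record asks for. The class sets `PROCESS_LABELED_CLASSES` and `FILE_LABELED_CLASSES` are my own grouping of common object classes, so the parser generalizes beyond this one record.

```python
import re
from dataclasses import dataclass

# AVC record quoted from the issue above (the page's own log line, not a constructed one).
AVC_LINE = (
    "type=AVC msg=audit(1741759030.641:404): avc:  denied  { connectto } for  pid=3285 "
    'comm="forgejo-runner" path="/run/user/1005/podman/podman.sock" '
    "scontext=system_u:system_r:systemd-forgejo-runner.process:s0:c58,c947 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tclass=unix_stream_socket permissive=0"
)

# Assumed grouping: classes whose label is inherited from the creating process
# versus classes whose label is stored on the filesystem object itself.
PROCESS_LABELED_CLASSES = {
    "unix_stream_socket", "unix_dgram_socket", "tcp_socket", "udp_socket", "process",
}
FILE_LABELED_CLASSES = {
    "file", "dir", "sock_file", "lnk_file", "chr_file", "blk_file", "fifo_file",
}

_HEAD = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str      # "denied" or "granted"
    perms: list      # permissions listed inside { ... }
    fields: dict     # key=value pairs that follow "for", quotes stripped

    @property
    def source_type(self) -> str:
        # user:role:type:range -> the type is the third field
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc(line: str) -> Avc:
    """Split one audit AVC record into result, permission set and key=value fields."""
    m = _HEAD.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    perms = m.group(2).split()
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group(3))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record lacks %s" % required)
    return Avc(m.group(1), perms, fields)


def target_kind(avc: Avc) -> str:
    """Where the tcontext label comes from, which decides what a fix has to relabel."""
    if avc.tclass in PROCESS_LABELED_CLASSES:
        return "socket"      # label inherited from the listening process domain
    if avc.tclass in FILE_LABELED_CLASSES:
        return "file"        # label stored on the filesystem object
    return "other"


def cil_allow(avc: Avc) -> str:
    """The narrowest CIL allow statement matching this record, audit2allow style."""
    return "(allow %s %s (%s (%s)))" % (
        avc.source_type, avc.target_type, avc.tclass, " ".join(avc.perms)
    )


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print("comm=%s, tcontext label comes from a %s" % (avc.fields["comm"], target_kind(avc)))
    print(cil_allow(avc))
```

For the record above `tclass` is `unix_stream_socket`, so the `tcontext` (`unconfined_t`) is the label of the listening socket, inherited from the lingering podman process of the unconfined user; the `var_run_t` label shown by `ls -lZ` is only consulted for the separate `sock_file write` check, which the custom policy already grants. Whether to add the generated rule, or instead run the socket under a confined domain, is the policy decision the parser makes visible.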