
Toolbox currently does not work with SELinux's 'confined user' accounts (affected: Fedora and CentOS, maybe also RHEL)

Open py0xc3 opened this issue 2 years ago • 0 comments

Describe the bug

Once SELinux's 'confined user' [1] accounts are used, toolbox no longer works on Fedora and CentOS:

The issue is not logged in journalctl, neither at user nor at root level; there is only the immediate terminal output of toolbox.

Three examples of confined user accounts:

confined user: staff_u (Fedora)

bash-5.2$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
bash-5.2$ toolbox enter
exec: Permission denied
Error:

confined user: staff_u with sysadm_r through sudo (Fedora)

bash-5.2$ id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
bash-5.2$ toolbox enter
Error: failed to initialize container fedora-toolbox-38

-> Only sysadm_u:sysadm_r:sysadm_t (in the test case, xdm_sysadm_login was set to true) seems to work on Fedora, but I guess for several use cases, this is not appropriate, especially on CentOS/RHEL.

-> I have not tested sysadm_u:sysadm_r:sysadm_t on CentOS, but staff_u is already the highest privilege after sysadm_u, so CentOS needs at least sysadm_u.

confined user: staff_u (CentOS)

[user@localhost ~]$ id -Z
staff_u:staff_r:staff_t:s0
[user@localhost ~]$ toolbox enter
Error: invalid entry point PID of container rhel-toolbox-latest

In all cases, once the user confinement is removed by unconfined_u (or alternatively, at least on Fedora, set to sysadm_u with xdm_sysadm_login=true), toolbox works again properly.

I have not tested with RHEL.

If toolbox is not intended to work with confined user accounts, feel free to close the ticket.

[1] elaboration of SELinux user confinement, e.g., on https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/using_selinux/managing-confined-and-unconfined-users_using-selinux

Steps how to reproduce the behaviour

Applicable to Fedora 38 and CentOS:

  1. Confine user with user_u or staff_u (including staff_u that can become sysadm_r through sudo)
  2. (if applicable: logout, then:) Login (if confinement is added or changed, the user has to logout and login again after the change in order to enable the new setting)
  3. do toolbox enter -> issue occurs
  4. Set user account to sysadm_u or unconfined_u
  5. Logout+Login
  6. do toolbox enter -> toolbox works again

Expected behaviour

Toolbox should work in confined user accounts.

Actual behaviour

Toolbox does not work in confined user accounts.

Output of toolbox --version (v0.0.90+)

toolbox version 0.0.99.4

Toolbox package info (rpm -q toolbox)

toolbox-0.0.99.4-1.fc38.x86_64

Output of podman version

Client:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Built:        Fri May 26 19:58:48 2023
OS/Arch:      linux/amd64

Podman package info (rpm -q podman)

podman-4.5.1-1.fc38.x86_64

Info about your OS

Fedora 38 KDE Spin, up to date as of today, only default repos, no additional software/modules

CentOS Stream 9, up to date as of today, only default repos, no additional software/modules

Additional context

I tested it today for the first time. For testing, I used, on both Fedora and CentOS, the default image that is deployed when starting with toolbox enter.

py0xc3, Jul 05 '23 22:07
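The report notes that nothing shows up in journalctl; SELinux denials are normally recorded as AVC records in the audit log (`/var/log/audit/audit.log` when auditd is running), so a triage step is to filter that log by the confined domain reported by `id -Z`. The following is an added example, not part of the original issue or of the toolbox project: the audit lines are constructed samples, and `example_file_t`, the pids and the timestamps are placeholders, not denials observed on the reporter's systems.

```python
import re

# Matches the "avc: denied { perms } for key=value ..." part of an audit record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}

def denials_for(ctx, audit_lines):
    """Return (perms, tclass, target type, comm) for denials whose source domain is ctx's type."""
    domain = parse_context(ctx)["type"]
    found = []
    for line in audit_lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        f = dict(t.split("=", 1) for t in m.group("rest").split() if "=" in t)
        if "scontext" not in f or "tcontext" not in f:
            continue
        if parse_context(f["scontext"])["type"] != domain:
            continue  # denial belongs to some other domain
        found.append((tuple(m.group("perms").split()), f.get("tclass"),
                      parse_context(f["tcontext"])["type"],
                      f.get("comm", "").strip('"')))
    return found

# Constructed sample records (placeholder types and ids).
SAMPLE = [
    'type=AVC msg=audit(1688594820.123:456): avc:  denied  { execute } for  pid=4242 comm="toolbox" name="example" dev="dm-0" ino=1234 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1688594821.000:457): avc:  denied  { read } for  pid=4300 comm="example" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0',
    'type=USER_START msg=audit(1688594822.000:458): pid=1 uid=0 msg=\'op=login\'',
]

if __name__ == "__main__":
    # Context string as printed by `id -Z` in the Fedora staff_u case above.
    for denial in denials_for("staff_u:staff_r:staff_t:s0-s0:c0.c1023", SAMPLE):
        print(denial)
```

On a real system the input would be the lines of the audit log rather than `SAMPLE`; if no record matches, denials may be hidden by dontaudit rules.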