Skip to content

Add support for confined SELinux users#1448

Merged
openshift-merge-robot merged 2 commits intocontainers:mainfrom
rhatdan:selinux
May 4, 2023
Merged

Add support for confined SELinux users#1448
openshift-merge-robot merged 2 commits intocontainers:mainfrom
rhatdan:selinux

Conversation

@rhatdan
Copy link
Member

@rhatdan rhatdan commented May 3, 2023

The original SELinux support in Docker and Podman does not follow the default SELinux rules for how label transitions are supposed to be handled. Containers always switch their user and role to system_u:system_r, rather then maintain the collers user and role. For example
unconfined_u:unconfined_r:container_t:s0:c1,c2

Advanced SELinux administrators want to confine users but still allow them to create containers from their role, but not allow them to launch a privileged container like spc_t.

This means if a user running as
container_user_u:container_user_r:container_user_t:s0

Ran a container they would get

container_user_u:container_user_r:container_t:s0:c1,c2

If they run a privileged container they would run it with:

container_user_u:container_user_r:container_user_t:s0

If they want to force the label they would get an error

podman run --security-opt label=type:spc_t ...

Should fail. Because the container_user_r can not run with the spc_t.

SELinux rules would also prevent the user from forcing system_u user and the sytem_r role.

@openshift-ci openshift-ci bot added the approved label May 3, 2023
vrothberg
vrothberg approved these changes May 3, 2023
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 3, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Add support for confined SELinux users
7e387de 
The original SELinux support in Docker and Podman does not follow the
default SELinux rules for how label transitions are supposed to be
handled. Containers always switch their user and role to
system_u:system_r, rather then maintain the collers user and role.
For example
unconfined_u:unconfined_r:container_t:s0:c1,c2

Advanced SELinux administrators want to confine users but still allow
them to create containers from their role, but not allow them to launch
a privileged container like spc_t.

This means if a user running as
container_user_u:container_user_r:container_user_t:s0

Ran a container they would get

container_user_u:container_user_r:container_t:s0:c1,c2

If they run a privileged container they would run it with:

container_user_u:container_user_r:container_user_t:s0

If they want to force the label they would get an error

podman run --security-opt label=type:spc_t ...

Should fail. Because the container_user_r can not run with the spc_t.

SELinux rules would also prevent the user from forcing system_u user and
the sytem_r role.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@rhatdan
Copy link
Member Author

rhatdan commented May 3, 2023

Testing this PR:
containers/podman#18439

@rhatdan
Copy link
Member Author

rhatdan commented May 3, 2023

@mheon @ashley-cui @umohnani8 @Luap99 PTAL

ashley-cui
ashley-cui reviewed May 3, 2023
View reviewed changes
@rhatdan @ashley-cui
Update docs/containers.conf.5.md
177c3d3 
Co-authored-by: Ashley Cui <ashleycui16@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@ashley-cui
Copy link
Member

ashley-cui commented May 3, 2023

LGTM

vrothberg
vrothberg reviewed May 4, 2023
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label May 4, 2023
@openshift-merge-robot openshift-merge-robot merged commit b6cb0af into containers:main May 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vrothberg vrothberg vrothberg approved these changes

+1 more reviewer

@ashley-cui ashley-cui ashley-cui left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@vrothberg vrothberg

Labels

approved lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rhatdan @ashley-cui @vrothberg @openshift-merge-robot