containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

Support running inside default docker/podman w/container-selinux #269

Open cgwalters opened 6 years ago

cgwalters commented 6 years ago

Today the container-selinux policy denies mount("tmpfs"). Arguably...this is a bug in the policy with the advent of user namespaces. However, we could just use a temporary directory in an existing tmpfs (or just the container overlayfs which is semantically tmpfs-like). The downside of doing so is that the outer container could see/affect the inner fs, but eh.

For reference today,

host$ podman run --security-opt seccomp=unconfined --rm -ti <container>
container$ bwrap --unshare-all --ro-bind / / echo ok
bwrap: Failed to mount tmpfs: Permission denied
<ctrl-d>
host$ sudo setenforce 0
host$ podman run --security-opt seccomp=unconfined --rm -ti <container>
container$ bwrap --unshare-all --ro-bind / / echo ok
ok

cgwalters commented 6 years ago

See also https://github.com/projectatomic/rpm-ostree/issues/1329

cgwalters commented 6 years ago

/cc @rhatdan

rhatdan commented 6 years ago

It's funny, I was working on a policy to allow all of the mounts yesterday for running buildah in a container, but we decided to pull the effort and run buildah in a different way. I would guess it would be best to have a different container type which allowed all of the mounts: container_userns_t (I was working on container_build_t).

What is the issue with seccomp?

cgwalters commented 6 years ago

What is the issue with seccomp?

The default docker seccomp policy denies clone(...CLONE_NEWUSER).

rhatdan commented 6 years ago

With this policy https://github.com/projectatomic/container-selinux/pull/53

You would need to do podman run -ti --security-opt label=type:container_userns_t ...

cardil commented 11 months ago

@rhatdan I'm trying to call:

$ podman run --rm -ti --security-opt label=type:container_userns_t <image>
[jboss@2c4192b81742 ~]$ bwrap --unshare-all --ro-bind / / echo ok
bwrap: umount old root: Permission denied

but with setenforce 0 it works:

$ sudo setenforce 0
$ podman run --rm -ti --security-opt label=type:container_userns_t <image>
[jboss@56e2f60fd67f ~]$ bwrap --unshare-all --ro-bind / / echo ok
ok

Running with both: --security-opt seccomp=unconfined --security-opt label=type:container_userns_t also doesn't help.

My podman-info.yaml and the SELinux report.
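A small diagnostic script, added here as an example and not part of bubblewrap or of any comment in this thread: it runs the same bwrap probe the reporters used, maps the two error strings seen above onto their cause (the container-selinux mount/umount denials) and reports the SELinux mode, so the failure can be triaged without disabling enforcement. It assumes only the standard /sys/fs/selinux/enforce and /proc/self/attr/current interfaces; the cause labels are this example's own names.

```shell
#!/bin/sh
# Diagnose "bwrap --unshare-all" failures inside a docker/podman container.
# Example code for this thread, not bubblewrap's own tooling.

# classify_bwrap_error MESSAGE -> short cause label (labels chosen for this example)
classify_bwrap_error() {
    case "$1" in
        "")                                            echo "ok" ;;
        # container-selinux denies the tmpfs mount bwrap needs for its new root
        *"Failed to mount tmpfs: Permission denied"*)  echo "selinux-mount" ;;
        # seen with label=type:container_userns_t: the pivot/umount of the old root
        *"umount old root: Permission denied"*)        echo "selinux-umount" ;;
        *)                                             echo "unknown" ;;
    esac
}

# advise LABEL -> the mitigation discussed in the thread for that cause
advise() {
    case "$1" in
        selinux-mount)  echo "SELinux denied mount(tmpfs); run the container with"
                        echo "  --security-opt label=type:container_userns_t and check ausearch -m avc" ;;
        selinux-umount) echo "SELinux denied umount of the old root even under container_userns_t;"
                        echo "  collect the AVC denial from the audit log for a policy fix" ;;
        ok)             echo "user namespaces and mounts work in this container" ;;
        *)              echo "unrecognised failure; inspect the bwrap stderr and the seccomp profile" ;;
    esac
}

# selinux_mode -> enforcing | permissive | disabled, read from selinuxfs when mounted
selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        [ "$(cat /sys/fs/selinux/enforce 2>/dev/null)" = 1 ] && echo enforcing || echo permissive
    else
        echo disabled
    fi
}

# run_probe -> runs the thread's test command and classifies what bwrap says
run_probe() {
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap-missing"; return; }
    # stderr goes to $err, stdout (the "ok" from echo/true) is discarded
    err=$(bwrap --unshare-all --ro-bind / / true 2>&1 >/dev/null) && { echo ok; return; }
    classify_bwrap_error "$err"
}

main() {
    echo "selinux mode:    $(selinux_mode)"
    echo "process context: $(cat /proc/self/attr/current 2>/dev/null || echo unavailable)"
    result=$(run_probe); echo "bwrap probe:     $result"; advise "$result"
}
main
```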