Open cgwalters opened 6 years ago
/cc @rhatdan
It's funny, I was working on a policy to allow all of the mounts yesterday for running buildah in a container, but we decided to pull the effort and run buildah in a different way. I would guess this would be best to have a different container type, which allowed all of the mounts: container_userns_t (I was working on container_build_t).
What is the issue with seccomp?
The default docker seccomp policy denies clone(...CLONE_NEWUSER).
With this policy https://github.com/projectatomic/container-selinux/pull/53
You would need to do podman run -ti --security-opt label=type:container_userns_t ...
@rhatdan I'm trying to call:
$ podman run --rm -ti --security-opt label=type:container_userns_t <image>
[jboss@2c4192b81742 ~]$ bwrap --unshare-all --ro-bind / / echo ok
bwrap: umount old root: Permission denied
but, with setenforce 0 it works:
$ sudo setenforce 0
$ podman run --rm -ti --security-opt label=type:container_userns_t <image>
[jboss@56e2f60fd67f ~]$ bwrap --unshare-all --ro-bind / / echo ok
ok
Running with both: --security-opt seccomp=unconfined --security-opt label=type:container_userns_t also doesn't help.
My podman-info.yaml, and the SELinux report.
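The seccomp side of this, as an added example (my code, not podman's, bubblewrap's, or the project's): a small evaluator for Docker/Podman-format seccomp profiles that shows why the masked-equality clone rule in a default-like profile refuses clone() with CLONE_NEWUSER, why seccomp=unconfined lifts that, and why loosening only the clone rule still leaves unshare(2) blocked. The profile fragment inside is constructed to mirror the shape of the default profile's clone rule (an assumption, not a copy of any runtime's default.json); the flag values are the clone(2) constants from <linux/sched.h>.

```python
"""Evaluate a Docker/Podman-style seccomp profile against the clone()/unshare()
calls that create namespaces. Added illustration, not code from podman, moby
or bubblewrap; the profile fragment below is constructed (assumption: same
rule shape as the default profile's clone rule)."""
import json

# clone(2) namespace flags from <linux/sched.h>
CLONE_NEWNS = 0x00020000
CLONE_NEWUTS = 0x04000000
CLONE_NEWIPC = 0x08000000
CLONE_NEWUSER = 0x10000000
CLONE_NEWPID = 0x20000000
CLONE_NEWNET = 0x40000000
NS_FLAGS_MASK = (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC
                 | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)
SIGCHLD = 17  # the flag an ordinary fork()-style clone carries

# Constructed profile fragment: clone is allowed only when no CLONE_NEW* bit
# is set, unless the container holds CAP_SYS_ADMIN; unshare needs the cap.
CONSTRAINED_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": NS_FLAGS_MASK, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        {"names": ["clone", "unshare"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
})
# What --security-opt seccomp=unconfined amounts to: no filter at all.
UNCONFINED_PROFILE = json.dumps({"defaultAction": "SCMP_ACT_ALLOW"})

_OPS = {
    "SCMP_CMP_EQ": lambda a, v, v2: a == v,
    "SCMP_CMP_NE": lambda a, v, v2: a != v,
    "SCMP_CMP_LT": lambda a, v, v2: a < v,
    "SCMP_CMP_LE": lambda a, v, v2: a <= v,
    "SCMP_CMP_GT": lambda a, v, v2: a > v,
    "SCMP_CMP_GE": lambda a, v, v2: a >= v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,  # (arg & mask) == v2
}


def _arg_matches(cond, args):
    """One args[] condition; an argument not supplied is treated as 0."""
    idx = cond["index"]
    actual = args[idx] if idx < len(args) else 0
    return _OPS[cond["op"]](actual, cond["value"], cond.get("valueTwo", 0))


def _rule_applies(rule, caps):
    """Docker's includes/excludes filtering, capabilities only: a rule is
    dropped if any excluded cap is held or any included cap is missing."""
    if any(c in caps for c in rule.get("excludes", {}).get("caps", [])):
        return False
    return all(c in caps for c in rule.get("includes", {}).get("caps", []))


def syscall_allowed(profile_json, name, args, caps=()):
    """The first applicable rule naming the syscall whose arg conditions all
    hold supplies the action; otherwise defaultAction does (simplification:
    libseccomp's ordering of rules by specificity is not modelled)."""
    profile = json.loads(profile_json)
    caps = set(caps)
    for rule in profile.get("syscalls", []):
        if name not in rule.get("names", []) or not _rule_applies(rule, caps):
            continue
        if all(_arg_matches(c, args) for c in rule.get("args") or []):
            return rule["action"] == "SCMP_ACT_ALLOW"
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def blocked_namespace_calls(profile_json, caps=(), flags=CLONE_NEWUSER):
    """Which namespace-creating calls would be refused for the given flags.
    Both are checked because a sandbox may use either entry point."""
    blocked = []
    if not syscall_allowed(profile_json, "clone", [SIGCHLD | flags], caps):
        blocked.append("clone")
    if not syscall_allowed(profile_json, "unshare", [flags], caps):
        blocked.append("unshare")
    return blocked


def allow_user_namespaces(profile_json):
    """Copy of the profile whose masked-equality clone rule no longer treats
    CLONE_NEWUSER as forbidden: a narrower change than seccomp=unconfined."""
    profile = json.loads(profile_json)
    for rule in profile.get("syscalls", []):
        for cond in rule.get("args") or []:
            if cond["op"] == "SCMP_CMP_MASKED_EQ" and cond["value"] & CLONE_NEWUSER:
                cond["value"] &= ~CLONE_NEWUSER
    return json.dumps(profile)


if __name__ == "__main__":
    for label, prof in (("default-like", CONSTRAINED_PROFILE),
                        ("unconfined", UNCONFINED_PROFILE),
                        ("clone-newuser-allowed", allow_user_namespaces(CONSTRAINED_PROFILE))):
        print(label, "blocks:", blocked_namespace_calls(prof) or "nothing")
```

Run stand-alone it reports that the default-like profile blocks both clone and unshare for CLONE_NEWUSER, the unconfined profile blocks nothing, and relaxing only the clone mask still leaves unshare blocked, which matters because bubblewrap creates its namespaces with unshare(2). It models the seccomp layer only: the "umount old root: Permission denied" that persists with seccomp=unconfined is an SELinux denial that this check cannot see.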
Today the container-selinux policy denies mount("tmpfs"). Arguably...this is a bug in the policy with the advent of user namespaces. However, we could just use a temporary directory in an existing tmpfs (or just the container overlayfs which is semantically tmpfs-like). The downside of doing so is that the outer container could see/affect the inner fs, but eh. For reference today,