Closed (eriksjolund closed this issue 2 years ago)
I noticed that the audit2allow rules collected in this GitHub issue are identical to the audit2allow rules collected in https://github.com/containers/container-selinux/issues/176
```
allow container_t container_runtime_t:unix_dgram_socket { getattr getopt };
allow container_t container_runtime_t:vsock_socket { accept getattr getopt };
allow container_t unconfined_t:vsock_socket { accept getattr getopt };
```
Probably it would have been enough to create just one GitHub issue instead of two. The results look so similar.
Fixed in v2.182.0
Description
Feature request.
Add support for socket activation of an AF_VSOCK (SOCK_STREAM) socket, where the client (socat) and the systemd user service are running directly on the same host. (There is no VM involved). The systemd user service uses podman to start the container ghcr.io/eriksjolund/socket-activate-echo:vsock.
Add support for socket activation of an AF_VSOCK (SOCK_STREAM) socket, where the client (socat) and systemd-socket-activate are running directly on the same host. (There is no VM involved). systemd-socket-activate uses podman to start the container ghcr.io/eriksjolund/socket-activate-echo:vsock.
Follow these steps to see the audit logs
Open three Bash terminals (terminal 1, terminal 2, terminal 3) on a Fedora 35 Linux computer.
Make sure you are running container-selinux 2.181.0. I installed the RPM from https://bodhi.fedoraproject.org/updates/FEDORA-2022-32eea4f938
Terminal 1 and terminal 3 are used for running commands as the regular user.
Terminal 2 is used for running commands as root.
In terminal 1 run
In terminal 2 run
In terminal 1 run
The special number 1 in `CID=1` means `VMADDR_CID_LOCAL` (see `man vsock`).
In terminal 2 run
In terminal 1 run
In terminal 3 run
In terminal 2 run
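As an added example (this is not code from the original issue, and not the contents of the ghcr.io/eriksjolund/socket-activate-echo:vsock image, which this page does not show), here is a socket-activated AF_VSOCK echo server in Python that does what the description asks for: it takes the listening socket handed over by systemd via the LISTEN_PID/LISTEN_FDS protocol and, when started by hand instead, binds CID 1 (VMADDR_CID_LOCAL) itself. The invocation `systemd-socket-activate -l vsock:1:2000 python3 vsock_echo.py`, the port 2000 and the file name are assumptions, as is that the vsock_loopback kernel module is loaded so that CID 1 is reachable.

```python
"""Socket-activated AF_VSOCK echo server.

Added example; not the code of ghcr.io/eriksjolund/socket-activate-echo:vsock.
Assumed invocation under systemd:
    systemd-socket-activate -l vsock:1:2000 python3 vsock_echo.py
Started without LISTEN_FDS it binds VMADDR_CID_LOCAL:2000 itself.
"""
import os
import socket
import sys

SD_LISTEN_FDS_START = 3   # first inherited descriptor, per sd_listen_fds(3)
VMADDR_CID_LOCAL = 1      # loopback CID, see vsock(7); needs vsock_loopback
PORT = 2000               # assumed port for the stand-alone fallback


def listen_fds(env, pid):
    """Descriptors passed in by socket activation, mirroring sd_listen_fds(3).

    LISTEN_PID must name this very process: a LISTEN_FDS value inherited
    from some other ancestor must not be trusted. LISTEN_FDS is the count
    and the descriptors are numbered consecutively from 3.
    """
    try:
        if int(env.get("LISTEN_PID", "")) != pid:
            return []
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    if count < 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def serve_echo(conn, max_bytes=65536):
    """Echo until the peer half-closes or max_bytes is reached; returns bytes echoed."""
    total = 0
    while total < max_bytes:
        data = conn.recv(4096)
        if not data:
            break
        conn.sendall(data)
        total += len(data)
    return total


def listening_socket():
    fds = listen_fds(os.environ, os.getpid())
    if fds:
        # Inherited socket: it was created by the activator (systemd or
        # podman, i.e. unconfined_t / container_runtime_t under SELinux).
        # Python queries SO_DOMAIN/SO_TYPE with getsockopt here, and accept()
        # below runs on the same foreign socket: exactly the getopt/getattr/
        # accept permissions the audit2allow rules in this issue grant.
        sock = socket.socket(fileno=fds[0])
        if sock.family != socket.AF_VSOCK or sock.type != socket.SOCK_STREAM:
            raise RuntimeError("fd 3 is not an AF_VSOCK/SOCK_STREAM socket")
        return sock
    # Stand-alone: the socket belongs to our own domain, so no cross-domain
    # SELinux access is involved.
    sock = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    sock.bind((VMADDR_CID_LOCAL, PORT))
    sock.listen(1)
    return sock


def main():
    sock = listening_socket()
    while True:
        conn, peer = sock.accept()   # peer is (cid, port)
        with conn:
            n = serve_echo(conn)
            print(f"echoed {n} bytes to cid={peer[0]} port={peer[1]}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

The inherited-descriptor branch is where the SELinux denials quoted at the top of this issue come from: the listening vsock socket is created by the activator's domain and the container process (container_t) then calls getsockopt, fstat and accept on it. A client on the same host can talk to it with `socat - VSOCK-CONNECT:1:2000` (assumed, matching the description's socat client and CID 1).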