Closed penn5 closed 1 year ago
Could you try to reinstall container-selinux, I think something blew up during the installation.
sudo dnf reinstall container-selinux -y
Could you try to reinstall container-selinux, I think something blew up during the installation.
sudo dnf reinstall container-selinux -y
Forgot to mention that I already did 😅
If you give me a few minutes I'll verify the issue is also present on another machine that was clean installed two days ago.
I'm encountering the same issue on another machine. Both are Fedora 38 Workstation, this time it was a clean install two days ago. Both of them have got a GitLab Runner on them, but it's running in its own user account and has no sepolicy (I installed it myself, the only things I added are user accounts and systemd units running podman under those users, so it shouldn't be interfering). The issue still occurs after reinstalling container-selinux on the other machine, too.
Right, so it works fine in a Fedora 38 live ISO in a VM (using container-selinux 2.209.0), with the exception that CAP_SYS_CHROOT is disabled by default, so I had to pass --cap-add=CAP_SYS_CHROOT to podman. I'm now going to add some storage to the VM and try installing to see if it works in an installed environment. Update: It also works in the installed environment, with container-selinux 2.209.0. I'll try installing updates, maybe this is a regression (more likely a configuration issue on my machine, though idk how it arose).
Yes CAP_SYS_CHROOT should come back on updates, make sure you fully update the system.
Like you said, updating brought back CAP_SYS_CHROOT. However, it also brought back the issue I was encountering initially, so it's either a regression or a bug in the update process. I'll try downgrading to 2.209.0.
Downgrading to 2.209.0 has fixed the issue, so this is a regression. Time for a binary search.
Using packages from https://koji.fedoraproject.org/koji/packageinfo?packageID=23542, build 2.213.0-1 works fine while 2.215.0-1 and 2.215.0-2 do not work.
Installing from source with make && sudo make install-policy
works on 2.218.0, so it is a packaging issue.
You can see the bug in detection at https://kojipkgs.fedoraproject.org//packages/container-selinux/2.218.0/1.fc38/data/logs/noarch/build.log
Basically if rhel is undefined, then 0%{?rhel} <= 9 evaluates to true because 0 <= 9 (and vice versa for fedora), so one branch of the %if was always true.
Thanks @penn5 for reporting and fixing this bug. I hit it and can confirm it's now fixed.
I'm using a default clean Fedora 38 install, running as a normal user.
I've tried running
sudo semodule --refresh
, this made no difference. I also ransudo semodule -e container
to make sure the module was enabled, but this didn't produce any output and made no difference.However, when I manually added the policy corresponding to https://github.com/containers/container-selinux/blob/main/container.te#L891 to my system, it worked:
I don't really understand why the rule specified in container-selinux policies isn't applying. Perhaps I'm missing some required user role or something? I don't know much about selinux so I can't hypothesize much, but it probably ought to work under the default setup.