containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

policy on sockets #35

Closed roelandjansen closed 5 years ago

roelandjansen commented 5 years ago

when we run something as

docker run /opt/nfast:/opt/nfast:Z debian /opt/nfast/bin/ckinfo

it b0rks, as nfast tries to connect to a socket on the host:

ckinfo: C_Initialize failed rv = 00000006 (CKR_FUNCTION_FAILED)

and the logs state type=AVC msg=audit(1563352304.654:943005): avc: denied { connectto } path="/opt/nfast/sockets/nserver

So, to get things work we need either:

1) disable selinux (not a good plan)
2) --permissive (not a good plan either)
3) --security-opt label:disable

The best so far is 3) as nfast including all the other stuff is not supported and would have other issues towards a Hardware Security Module (HSM)

We would love to see support for this kind of operations in udica.

Roeland

wrabcak commented 5 years ago

Hi @roelandjansen, could you please share the raw AVC msg from your issue description? You sent only part of the message. Did you try to run udica on the mentioned container?

Thanks, Lukas.

roelandjansen commented 5 years ago

cmd: docker run --rm -it -v /opt/nfast:/opt/nfast:Z debian /opt/nfast/bin/ckinfo

log:

type=AVC msg=audit(1563441451.649:1028150): avc: denied { connectto } for pid=19337 comm="ckinfo" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:container_t:s0:c278,c497 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0

we did not run udica because I was informed that there was no support yet for sockets.

wrabcak commented 5 years ago

@roelandjansen, I added new feature which could help you with this issue. https://github.com/containers/udica/commit/40742ebaa2f459c40cf9617b7e81d18efed776a6

You can test it using:

  1. Install udica from sources
  2. Create a policy for your container
  3. Load the policy and run your container with the generated policy
  4. Collect SELinux denials (like the one from your previous comment)
  5. Re-generate the SELinux policy using udica and the new option '--append rules' where you also add a file with all the SELinux denials.

Hope it helps, Lukas.
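As an added illustration (not udica's own code) of what step 5 consumes: the AVC line from the earlier comment is parsed into its source type, target type, object class and denied permissions, and mapped to the allow rule those fields imply. The rule is shown in TE syntax for readability; udica itself emits CIL, and with a udica-generated policy loaded the scontext type would be the container's custom type rather than `container_t`, which is an assumption about that later run, not something shown in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC denial quoted in the thread above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1563441451.649:1028150): avc: denied { connectto } '
    'for pid=19337 comm="ckinfo" path="/opt/nfast/sockets/nserver" '
    'scontext=system_u:system_r:container_t:s0:c278,c497 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0'
)

# Fields the policy rule needs: denied permissions, source/target context, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass(frozen=True)
class Denial:
    perms: tuple        # denied permissions, e.g. ('connectto',)
    source_type: str    # type field of scontext, e.g. 'container_t'
    target_type: str    # type field of tcontext, e.g. 'initrc_t'
    tclass: str         # object class, e.g. 'unix_stream_socket'


def _type_of(context: str) -> str:
    # SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(':')[2]


def parse_avc(line: str):
    """Return a Denial for an AVC 'denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(tuple(m['perms'].split()), _type_of(m['scontext']),
                  _type_of(m['tcontext']), m['tclass'])


def allow_rule(d: Denial) -> str:
    """TE-syntax allow rule that would permit exactly this denial."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


def rules_from_log(text: str) -> list:
    """De-duplicated allow rules for every AVC denial in an audit log excerpt."""
    unique = {}  # dict preserves insertion order and drops repeated denials
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            unique.setdefault(d, None)
    return [allow_rule(d) for d in unique]
```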

wrabcak commented 5 years ago

Closing this issue, for more questions feel free to discuss it here.