Open ganto opened 6 years ago
It seems the issue is caused by /var being mounted with the nosuid option on my system:

Removing the nosuid option makes the AVC go away.
Now I was reading "Teaching an old dog new tricks", which seems to be a nice fix for this issue without the requirement to give up the nosuid mount option:

> nosuid_transition
>
> While I was looking at the nnp_transition rules, I noticed that there was also a nosuid_transition permission. nosuid allows people to mount a file system with the nosuid flag; this tells the kernel that even if a setuid application exists on this file system, the kernel should ignore it and not allow a process to gain privilege via the file. You always want untrusted file systems like USB sticks to be mounted with this flag. Well, SELinux systems similarly ignore transition rules on labels based on a nosuid file system. Similar to nnp_transition, this blocks a process from transitioning from a privileged domain to a less privileged domain. But the nosuid_transition flag allows us to tell the kernel to allow transitions from one domain to another even if the file system is marked nosuid.
>
> ```
> allow container_runtime_t confined_t:process2 nosuid_transition;
> allow unconfined_t container_t:process2 nosuid_transition;
> ```
>
> This means that even if a user used podman to execute a file on a nosuid file system, it would be allowed to transition from unconfined_t to container_t.
It looks to me as if this should be available in container-selinux since version 2.57 (https://github.com/projectatomic/container-selinux/commit/2377c73a19fa960792b4392ddf7d0c7a85585d9a). Still I'm seeing this error with container-selinux-2.60-1.git97f8dfc.fc27.noarch.
Must be an uncovered label combination in case of LXD... @Conan-Kudo any hint on this?
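An added check for the mount-option half of the diagnosis above (this is not code from the issue, from LXD or from container-selinux): a POSIX shell function that resolves which mount a given path lives on by longest mount-point prefix in /proc/self/mountinfo and reports whether that mount carries nosuid, which is what decides whether SELinux will honour a domain transition on a file there without a nosuid_transition rule. The mountinfo lines are constructed sample data modelled on a Fedora layout with /var on its own filesystem; the function names mount_options_for and is_nosuid are my own.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo (not taken from the reporter's system).
# Fields: id parent major:minor root mountpoint options [optional...] - fstype source superopts
SAMPLE_MOUNTINFO='22 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/root rw,attr2
45 22 253:1 / /var rw,nosuid,nodev,relatime shared:30 - xfs /dev/mapper/var rw,attr2
60 45 253:2 / /var/lib/lxd rw,nodev,relatime shared:40 - ext4 /dev/mapper/lxd rw'

# mount_options_for PATH [MOUNTINFO_TEXT]
# Prints the per-mount options (field 6) of the mount whose mount point is the
# longest prefix of PATH. Reads the live /proc/self/mountinfo when no text is given.
# Mount points containing spaces appear as \040 in mountinfo and are not unescaped here.
mount_options_for() {
    path=$1
    mi=${2:-$(cat /proc/self/mountinfo 2>/dev/null)}
    printf '%s\n' "$mi" | awk -v p="$path" '
    {
        mp = $5; opts = $6
        # A mount contains the path if it is the path itself, the root, or a
        # directory prefix of it (prefix match must end at a "/" boundary so
        # that /var/lib/lxd does not claim /var/lib/lxd-old).
        if (mp == p || mp == "/" || index(p, mp "/") == 1) {
            if (length(mp) > best_len) { best_len = length(mp); best = opts }
        }
    }
    END { print best }'
}

# is_nosuid PATH [MOUNTINFO_TEXT]
# Exit status 0 when the mount containing PATH is mounted nosuid, 1 otherwise.
is_nosuid() {
    opts=$(mount_options_for "$1" "$2")
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration on the constructed sample: print each path's mount options and nosuid status.
for p in /var /var/lib/lxd/containers /usr/bin/lxd; do
    if is_nosuid "$p" "$SAMPLE_MOUNTINFO"; then flag=nosuid; else flag=suid-ok; fi
    printf '%s -> %s (%s)\n' "$p" "$(mount_options_for "$p" "$SAMPLE_MOUNTINFO")" "$flag"
done
```

Omit the second argument to run it against the live system, e.g. `is_nosuid /var/lib/lxd`. Whether the loaded policy actually carries the nosuid_transition allow rule for the domain pair involved is a separate question that setools' sesearch answers (for the podman case quoted above: `sesearch -A -s unconfined_t -t container_t -c process2 -p nosuid_transition`); if the mount is nosuid and no such rule exists for the source and target domains of the AVC, the denial is expected and a policy rule, not a mount-option change, is the fix.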
When starting the lxd service on a Fedora 27 with SELinux enabled, the following AVC is triggered:

However, the service is still successfully started and no loss of functionality could be experienced so far.