


Daniel J Walsh 4637aaa900 Don't allow containers by default setexec setfscreate
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-07-14 14:36:28 -04:00
Daniel J Walsh 9693071320 Containers need to use hsa devices for ROCM
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-07-03 08:43:18 -04:00
openshift-merge-bot[bot] 36e8f213b7
Merge pull request #381 from rhatdan/main
BUmp to v2.238.0
2025-05-30 16:00:49 +00:00
Daniel J Walsh d84ae02fff
BUmp to v2.238.0
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-05-30 11:43:54 -04:00
Daniel J Walsh ed59a19f5d
Merge pull request #380 from Luap99/netavark-sysctl
label /run/sysctl.d correctly on creation
2025-05-30 11:42:45 -04:00
Paul Holzinger aff164fb3e
label /run/sysctl.d correctly on creation
As part of a netavark bug[1] fix I must create /run/sysctl.d to write
some config files there for systemd. However, for systemd-sysctl to be
able to read them they must have the system_conf_t
context.

As I don't want to add a manual relabel in netavark add a selinux file
transition rule here because netavark runs as container_runtime_t.

[1] https://github.com/containers/netavark/pull/1245

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-05-30 16:14:40 +02:00
openshift-merge-bot[bot] d7e420a116
Merge pull request #374 from lsm5/2-237-0
bump version to 2.237.0
2025-04-28 14:29:12 +00:00
Lokesh Mandvekar fd56d33ed8
bump version to 2.237.0
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2025-04-23 19:22:16 +05:30
Lokesh Mandvekar 1331eb275f bootc/install_t: allow transition to container_runtime_t
Generation of bootc compatible disk images is done via the command:
```
sudo podman run --rm -it --privileged \
         --pull=newer \
         --security-opt label=type:unconfined_t \
         -v ./config.toml:/config.toml:ro \
         -v ./output:/output \
         -v /var/lib/containers/storage/:/var/lib/containers/storage/ \
         quay.io/centos-bootc/bootc-image-builder:latest \
         --type qcow2 \
         quay.io/centos-bootc/centos-bootc:stream9
```
Ref: https://github.com/osbuild/bootc-image-builder?tab=readme-ov-file#-examples

And this currently results in an apparently harmless AVC denial:
```
avc:  denied  { nnp_transition nosuid_transition } for  pid=40081 comm="bootc" \
        scontext=system_u:system_r:install_t:s0:c68,c235 \
        tcontext=system_u:system_r:container_runtime_t:s0:c68,c235 \
        tclass=process2 permissive=0
```

This commit adds allow rules for processes with install_t type, like
bootc, to silence the AVCs.

Ref: https://issues.redhat.com/browse/RHEL-85671

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2025-04-23 15:34:22 +05:30
openshift-merge-bot[bot] 1f3f0f368b
Merge pull request #368 from lsm5/rpmlint
RPM: empty placeholder check section to silence rpmlint
2025-04-22 18:09:32 +00:00
Lokesh Mandvekar 38779f40ee
RPM: empty placeholder check section to silence rpmlint
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2025-04-21 19:13:21 +05:30
Daniel J Walsh cb32eed6d1
Merge pull request #367 from nalind/allow-container-mask-proc
Allow containers to mask parts of their /proc
2025-03-29 07:43:33 -04:00
Nalin Dahyabhai 4f9fd47087 Allow containers to mask parts of their /proc
Allow processes inside a container to mount things onto parts of
their /proc in order to mask things which the container
engine didn't, for whatever reason.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-03-27 13:43:39 -04:00
2 changed files with 32 additions and 2 deletions


@ -1,7 +1,8 @@
policy_module(container, 2.236.0)
policy_module(container, 2.240.0)
gen_require(`
class passwd rootok;
type system_conf_t;
')
########################################
@ -59,6 +60,13 @@ gen_tunable(container_use_dri_devices, true)
## </desc>
gen_tunable(container_manage_cgroup, false)
## <desc>
## <p>
## Allow containers to manipulate SELinux labels
## </p>
## </desc>
gen_tunable(container_modify_selinux_labels, false)
## <desc>
## <p>
## Determine whether container can
@ -576,6 +584,10 @@ userdom_use_user_ptys(container_runtime_domain)
userdom_connectto_stream(container_runtime_domain)
allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
tunable_policy(`container_modify_selinux_labels',`
allow container_domain self:process { setexec setfscreate};
')
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(container_runtime_domain)
fs_manage_nfs_files(container_runtime_domain)
@ -706,6 +718,14 @@ optional_policy(`
udev_read_db(container_runtime_domain)
')
optional_policy(`
require {
type hsa_device_t;
}
allow container_domain hsa_device_t:chr_file rw_chr_file_perms;
')
optional_policy(`
gen_require(`
role unconfined_r;
@ -927,7 +947,7 @@ allow container_domain self:netlink_xfrm_socket create_socket_perms;
allow container_domain self:packet_socket create_socket_perms;
allow container_domain self:passwd rootok;
allow container_domain self:peer recv;
allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop};
allow container_domain self:sem create_sem_perms;
allow container_domain self:shm create_shm_perms;
allow container_domain self:socket create_socket_perms;
@ -984,6 +1004,7 @@ allow container_domain container_runtime_domain:socket_class_set { accept append
kernel_getattr_proc(container_domain)
kernel_list_all_proc(container_domain)
kernel_mounton_all_proc(container_domain)
kernel_read_all_sysctls(container_domain)
kernel_dontaudit_write_kernel_sysctl(container_domain)
kernel_read_network_state(container_domain)
@ -1615,6 +1636,8 @@ allow container_domain container_ro_file_t:file { entrypoint execmod execute exe
allow container_domain container_var_lib_t:file entrypoint;
allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
allow install_t container_runtime_t:process2 { nnp_transition nosuid_transition };
corecmd_entrypoint_all_executables(container_kvm_t)
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain mountpoint:file entrypoint;
@ -1623,3 +1646,7 @@ tunable_policy(`deny_ptrace',`',`
allow container_domain self:process ptrace;
allow spc_t self:process ptrace;
')
# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it.
# https://issues.redhat.com/browse/RHEL-91380
files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d")
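Review bot: The new `optional_policy` block in the @ -706 hunk grants every container_domain unconditional read/write on hsa_device_t character devices, whereas the existing `container_use_dri_devices` tunable (visible in the @ -59 hunk header) suggests other GPU device access in this file is opt-in; the ROCm grant would be more consistent, and easier for a host admin to refuse, if it were gated the same way, e.g. `tunable_policy(`container_use_dri_devices',` around the `allow container_domain hsa_device_t:chr_file rw_chr_file_perms;` line and closed with `')`, assuming that tunable does gate the DRI rules (the page does not show its body). A smaller style point in the same hunk: the block uses `require {` … `}` while the rest of the file uses `gen_require(` … `')`, so `gen_require(` type hsa_device_t; ')` would match the surrounding style. In the @ -59 hunk the new tunable's `## <desc>` text "Allow containers to manipulate SELinux labels" undersells what it enables; a more precise description would be "Allow containers to set their own process exec context and file creation context (setexec, setfscreate)". The @ -1615 hunk adds a bare `allow install_t …` rule with no visible `require` for install_t; unless it is declared in a require block outside these hunks, wrapping it in `optional_policy` with a `gen_require` for `type install_t;` would keep the module buildable where that type is absent.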


@ -111,6 +111,9 @@ fi
%posttrans
%selinux_relabel_post
# Empty placeholder check to silence rpmlint
%check
#define license tag if not already defined
%{!?_licensedir:%global license %doc}