
Support running inside default docker/podman w/container-selinux #269

Open
cgwalters opened this issue Jun 6, 2018 · 6 comments

Comments

@cgwalters
Collaborator

Today the container-selinux policy denies mount("tmpfs"). Arguably...this is a bug in the policy with the advent of user namespaces. However, we could just use a temporary directory in an existing tmpfs (or just the container overlayfs which is semantically tmpfs-like). The downside of doing so is that the outer container could see/affect the inner fs, but eh.

For reference today,

host$ podman run --security-opt seccomp=unconfined --rm -ti <container>
container$ bwrap --unshare-all --ro-bind / / echo ok
bwrap: Failed to mount tmpfs: Permission denied
<ctrl-d>
host$ sudo setenforce 0
host$ podman run --security-opt seccomp=unconfined --rm -ti <container>
container$ bwrap --unshare-all --ro-bind / / echo ok
ok

@cgwalters
Collaborator Author

See also coreos/rpm-ostree#1329

@cgwalters
Collaborator Author

/cc @rhatdan

@rhatdan
Member

rhatdan commented Jun 6, 2018

It's funny, I was working on a policy to allow all of the mounts yesterday for running buildah in a container, but we decided to pull the effort and run buildah in a different way.
I would guess this would be best to have a different container type which allowed all of the mounts:
container_userns_t (I was working on container_build_t).

What is the issue with seccomp?

@cgwalters
Collaborator Author

What is the issue with seccomp?

The default docker seccomp policy denies clone(...CLONE_NEWUSER).

@rhatdan
Member

rhatdan commented Jun 6, 2018

With this policy
containers/container-selinux#53

You would need to do
podman run -ti --security-opt label=type:container_userns_t ...

@cardil

cardil commented Oct 9, 2023

@rhatdan I'm trying to call:

$ podman run --rm -ti --security-opt label=type:container_userns_t <image>
[jboss@2c4192b81742 ~]$ bwrap --unshare-all --ro-bind / / echo ok
bwrap: umount old root: Permission denied

but with setenforce 0 it works:

$ sudo setenforce 0
$ podman run --rm -ti --security-opt label=type:container_userns_t <image>
[jboss@56e2f60fd67f ~]$ bwrap --unshare-all --ro-bind / / echo ok
ok

Running with both --security-opt seccomp=unconfined --security-opt label=type:container_userns_t also doesn't help.

My podman-info.yaml, and the SELinux report.
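A triage helper for the two kinds of denial quoted in this thread (the original tmpfs mount failure under the default container label, and cardil's "umount old root: Permission denied" under container_userns_t), added here as an example; it is not code from bubblewrap, podman or container-selinux. It parses AVC audit records of the shape `ausearch -m AVC` prints and tallies denials by source SELinux type, object class and permission, keeping enforced denials (permissive=0) separate from ones that were only logged (permissive=1). That split is what tells you whether a "works after setenforce 0" result is an SELinux rule rather than seccomp, and which container type the rule applies to, before reaching for seccomp=unconfined. The audit lines embedded below are constructed to mirror the failures above; pids, category pairs and timestamps are invented.

```python
"""Triage SELinux AVC denials logged for a sandbox helper such as bwrap.

Added example, not code from bubblewrap, podman or container-selinux.
"""
import re
from collections import Counter

# Constructed sample audit records (field layout follows the kernel AVC
# format; every value is invented for illustration).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1528300000.101:201): avc:  denied  { mount } for  pid=4321 comm="bwrap" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1528300000.101:201): arch=c000003e syscall=165 success=no exit=-13 comm="bwrap" exe="/usr/bin/bwrap"
type=AVC msg=audit(1696840000.202:302): avc:  denied  { unmount } for  pid=5678 comm="bwrap" scontext=system_u:system_r:container_userns_t:s0:c56,c78 tcontext=system_u:object_r:container_file_t:s0:c56,c78 tclass=filesystem permissive=0
type=AVC msg=audit(1696840010.303:303): avc:  denied  { unmount } for  pid=5679 comm="bwrap" scontext=system_u:system_r:container_userns_t:s0:c56,c78 tcontext=system_u:object_r:container_file_t:s0:c56,c78 tclass=filesystem permissive=1
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # scontext is user:role:type:level; the type (third field) is what a
    # --security-opt label=type:... change would alter.
    scontext = fields.get("scontext", "")
    parts = scontext.split(":")
    source_type = parts[2] if len(parts) > 2 else None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source_type": source_type,
        "tclass": fields.get("tclass"),
        "enforcing": fields.get("permissive") == "0",
    }


def summarize(audit_text, comm="bwrap"):
    """Count denials for one command, keyed by (source type, class, permission).

    Returns two Counters: denials that were enforced, and denials that were
    only logged because the system was in permissive mode. The second set is
    the rule that will bite again as soon as enforcing mode is restored.
    """
    enforced, logged_only = Counter(), Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["comm"] != comm or rec["verdict"] != "denied":
            continue
        bucket = enforced if rec["enforcing"] else logged_only
        for perm in rec["perms"]:
            bucket[(rec["source_type"], rec["tclass"], perm)] += 1
    return enforced, logged_only


if __name__ == "__main__":
    enforced, logged_only = summarize(SAMPLE_AUDIT)
    for title, counts in (("enforced denials", enforced),
                          ("logged only (permissive)", logged_only)):
        print(f"{title}:")
        for (stype, tclass, perm), n in sorted(counts.items()):
            print(f"  {str(stype):25} {str(tclass):12} {perm:10} x{n}")
```

Run it against real output with `ausearch -m AVC -c bwrap` piped into `summarize`: a `container_t`/`filesystem`/`mount` row points at the default label (the tmpfs denial cgwalters hit), while a `container_userns_t`/`filesystem`/`unmount` row shows the policy switch took effect but the pivot_root cleanup is still blocked, which is a policy gap to report rather than something seccomp=unconfined can fix.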
