Allow container-selinux to be built on Debian

[ghost]

Debian is using refpolicy instead of fedora-selinux where it included a container module,

https://github.com/SELinuxProject/refpolicy

As the results, it failed to build container-selinux probably complaining container_unit_file_t was not defined.

Compiling refpolicy container module
m4:container.te:415: Warning: modutils_domtrans_insmod(container_runtime_t) has been deprecated, please use modutils_domtrans() instead.
/usr/bin/checkmodule: loading policy configuration from tmp/container.tmp
container.te:76:ERROR 'syntax error' at token 'systemd_unit_file' on line 8702:
systemd_unit_file(container_unit_file_t)
type container_unit_file_t alias docker_unit_file_t;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[1]: *** [/usr/share/selinux/devel/include/Makefile:162: tmp/container.mod] Error 1
make[1]: Leaving directory '/home/debian/container-selinux'
make: *** [Makefile:12: container.pp] Error 2

[rhatdan]

Could you comment out those two lines and see if it works. (You probably need to comment out a line in container-selinux.fc as well, that uses that type.

[ghost]

Endless errors follows...

container.te:148:ERROR 'syntax error' at token 'userdom_admin_home_dir_filetrans' on line 9463:
userdom_admin_home_dir_filetrans(container_runtime_t, container_home_t, dir, ".container")

container.te:219:ERROR 'syntax error' at token 'term_use_all_inherited_terms' on line 10294:
term_use_all_inherited_terms(container_runtime_t)

container.te:226:ERROR 'syntax error' at token 'kernel_read_all_proc' on line 10555:
kernel_read_all_proc(container_runtime_t)

....

[rhatdan]

Yup the Fedora Policy has diverged a lot from the upstream policy and it is very difficult to merge them back together. I would comment out all of the container_runtime_t conflicts and just make the container_runtime_t an unconfined domain.
Conflicts on the container_t and container_domain might be more difficult.

[Conan-Kudo]

@qiancai I would also consider shipping the Fedora variant of the policy for Debian, as it's likely to be much more functional across the board. I'm currently working on using it in openSUSE and it wasn't terribly difficult to do so...

[rhatdan]

Would it help to have a openSUSE Branch?

[rhatdan]

I have not heard anything on this in many months, closing.

[yrro]

Thought I'd take a quick look to see if this has become any easier or more difficult. Currently I get:

$ make
make -f /usr/share/selinux/devel/Makefile container.pp
make[1]: Entering directory '/tmp/container-selinux'
Compiling default container module
m4:container.te:192: Warning: corenet_tcp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:193: Warning: corenet_udp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:362: Warning: corenet_tcp_sendrecv_generic_port(container_runtime_domain) has been deprecated, please remove.
m4:container.te:368: Warning: corenet_udp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:739: Warning: corenet_tcp_sendrecv_all_ports(container_runtime_domain) has been deprecated, please remove.
m4:container.te:1008: Warning: dev_mounton_sysfs(container_t) has been deprecated, please use dev_mounton_sysfs_dirs() instead.
m4:container.te:1046: Warning: corenet_tcp_sendrecv_all_ports(container_net_domain) has been deprecated, please remove.
m4:container.te:1047: Warning: corenet_udp_sendrecv_all_ports(container_net_domain) has been deprecated, please remove.
m4:container.te:1187: Warning: dev_mounton_sysfs(container_userns_t) has been deprecated, please use dev_mounton_sysfs_dirs() instead.
m4:container.te:1194: Warning: kernel_mounton_proc(container_userns_t) has been deprecated, please use kernel_mounton_proc_dirs() instead.
m4:container.te:1334: Warning: kernel_mounton_proc(container_kvm_t) has been deprecated, please use kernel_mounton_proc_dirs() instead.
m4:container.te:1362: Warning: dev_mounton_sysfs(container_init_domain) has been deprecated, please use dev_mounton_sysfs_dirs() instead.
m4:container.te:1370: Warning: kernel_mounton_proc(container_init_t) has been deprecated, please use kernel_mounton_proc_dirs() instead.
m4:container.te:1411: Warning: kernel_mounton_proc(container_engine_t) has been deprecated, please use kernel_mounton_proc_dirs() instead.
container.te:65:ERROR 'syntax error' at token 'kernel_read_all_proc' on line 4101:
#line 65
	kernel_read_all_proc(container_runtime_t)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [/usr/share/selinux/devel/include/Makefile:166: tmp/container.mod] Error 1
make[1]: Leaving directory '/tmp/container-selinux'
make: *** [Makefile:16: container.pp] Error 2

So there are fewer errors than before but the use of kernel_read_all_proc is still a problem.

[abn0mad]

Same error on Debian 12.. With Red Hats move to signal the beginning of the end of all downstream RHEL projects combined with the infeasible nature of CentOS Stream and / or Fedora as useable environments for professional use => small organisations that are unable to pay for RHEL subscriptions are essentially forced to turn to Debian as an alternative.. but container-selinux will need to be available on Debian for that to be possible. SELinux is a must for proper security.

Any chance for container-selinux to take Debian into account in the near future?

Edit: it seems a valiant expert has already found the solution. Happy days!

[rhatdan]

container-selinux is built on top of fedora/selinux-policy. So debian would need to pull in fedora/selinux-policy and container-selinux.

[rhatdan]

BTW I am not sure why you think centos-stream is not good for downstream use. But I don't feel like debating that here.

https://medium.com/@gordon.messmer/in-favor-of-centos-stream-e5a8a43bdcf8

[abn0mad]

@rhatdan thanks for the reply and the link; a good read and many interesting points.

I was however not trying to start a debate, nor did I make judgement on suitability for downstream use (or judgement on the decisions of RH leading up to the questions some in the community now have) - I instead mentioned suitability for production use, primarily based on Red Hats own posts, i.e. this one. It would be great if all the various communities could make it all work out so that small organisations can enjoy a top tier IT infrastructure foundation while they grow their activities and become paying RH customers when they are able.

In the face of insecurity on that front however, it doesn't hurt to play it safe and look for viable alternatives. As both a RH and Debian user since the early 90s, I recognise and appreciate the tremendous contributions made by both and make no judgement; Just looking for a way to have SELinux secured container hosts in relative peace and quiet.

Luckily it seems that refpolicy has a workable solution as pointed out by @yrro. Still need to test it with MLS, but outlook is good. May we all enjoy and contribute if we can to FOSS, OCI and others in harmony.

Apologies for my earlier somewhat nervous post.