Unable to run systemd container with custom SELinux policy

[darrenfoong]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

I've been playing around with podman and udica, and it seems that while it is possible to run most containers with custom policy modules (--security-opt label=type:my_policy.process), it is not possible for containers running systemd. This is because containers running systemd are run with the container_init_t label, and it cannot be overwritten (to the best of my knowledge) with --security-opt label.

This is a limitation for those who'd like to run a systemd container with a custom SELinux policy. Some ideas:

1. Add a init_container.cil template to udica (this should be under the udica project).
2. Make podman allow a custom policy when running systemd containers.

Steps to reproduce the issue:

1. Run podman run -d --name init_ctr --systemd always registry.access.redhat.com/ubi8/ubi-init

2. Use udica to generate a policy module: podman inspect init_ctr | sudo udica test_policy. The actual contents of the module are irrelevant.

3. Load the policy module: sudo semodule -i test_policy.cil /usr/share/udica/templates/base_container.cil.

4. Stop the container: podman stop init_ctr && podman rm init_ctr.

5. Run the container with the new policy: podman run -d --name init_ctr --systemd always --security-opt label=type:test_policy.process registry.access.redhat.com/ubi8/ubi-init.

Describe the results you received:

ps -efZ | grep init shows that the init process runs with the container_init_t label. systemd is running in the container.

Describe the results you expected:

Expected the test_policy.process label with systemd running in the container.

Additional information:

Running podman 3.2.0 on Fedora 34 Workstation.

[rhatdan]

This is an issue with udica not with Podman. Transfering to udica repo.

[rhatdan]

@wrabcak PTAL

[wrabcak]

Hi All,

This needs to be solved on both sides, udica and also podman. It looks like container_init_t label is hard coded in the podman code. Correct, @rhatdan ?

From udica POV, it should be simple to catch if systemd is inside the container. We'll look "--systemd always" parameter is used. But how to fix it from podman side? @rhatdan WDYT?

FYI: @vmojzis

[vmojzis]

@rhatdan Is there any way to override the "container_init_t" label for init containers?

[rhatdan]

--security-opt label=type:foo_t should work.

[darrenfoong]

Hi @rhatdan, I've repeated "Steps to reproduce the issue" on podman 3.2.3 on Fedora 34 Workstation, and --security-opt label=type:foo_t does not work:

podman run -d --name init_ctr --systemd always --security-opt label=type:test_policy.process registry.access.redhat.com/ubi8/ubi-init

ps -efZ | grep init shows that the init process runs with the container_init_t label, and not the test_policy.process label that I had expected.

On the other hand, I managed to run another container (without systemd) with the expected test_policy.process label:

# differences:
# - removed "--systemd always"
# - changed ubi-init to ubi-minimal (non-systemd)
# - added "sleep 60" to keep it running

podman run -d --name init_ctr --security-opt label=type:test_policy.process registry.access.redhat.com/ubi8/ubi-minimal sleep 60

This time, ps -efZ | grep sleep shows the sleep process running with the test_policy.process label as expected.

So it seems like if I run with --systemd always (or if podman detects a systemd container?), I cannot overwrite the container_init_t label.