-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SELinux denial when checkpointing a container #2334
Comments
@rhatdan PTAL |
We removed this service, because it is a huge security hole. Allowing this access would allow a container process to gain access to the docker.sock and create a --privileged root running container. The way to fix this is for the tool creating the socket to label it with the containers label or at least label.SetSockLabel($CONTAINERPROCESLABEL) This would then require allow container_t container_t:unix_stream_socket connectto; Which is allowed in the current policy. Is this socket being created in runc? Now container_t appending to a file labeled container_var_lib_t, is another matter? Is this debugging code or something else? |
It is created directly from CRIU. I started a discussion upstream CRIU to be able to use an existing socket or to tell CRIU which label the socket should have. Then we could tell runc which label it should have and runc can pass it to CRIU.
This is for debug output which is currently always written. It is hard-coded in runc. If we could add a policy to allow this, this would be great. |
What is the path to the file. I would rather we label it something like container_log_t so that we would not be able to append to any file in /var/lib/containers. Does CRIU create the socket or runc? Could you explain the process for the socket to be created? |
The path to the file is: So something like this could be used:
Not sure if that is the correct way to do it. But creating an empty log file with the right label should fix this. Then the processes in the container would need to be able to write that log file.
CRIU creates the socket in the destination network namespace https://github.com/checkpoint-restore/criu/blob/master/compel/src/lib/infect.c#L1030 , once CRIU infects the destination process with the parasite code, the parasite code tries to connect to that socket and that fails ( |
The code for libpod/container_internal/linux.go looks pretty good. Is this code "infect.c" called by runc or podman? |
If I do For the socket I have to use setsockcreate(processlabel) in CRIU. If I do it in runc it seems to fail creating runc sockets. For the socket my plan is to add a CRIU feature to specify the SELinux label of the socket. So Podman calls Is the |
Does runc fail in permissive mode? |
If I add
But if I reset the socket label to default in runc with I will prepare a Podman pull request for the CRIU log file labelling and a runc pull request for the CRIU socket labelling and CC you. Thanks for your help. |
Excellent. |
runc changes for CRIU socket labelling available at: opencontainers/runc#1992 Podman changes to fix CRIU log file labelling and to use new runc features available at: #2382 |
The log file denial is solved with #2382. For the |
There is currently still one SELinux related checkpoint/restore problem: containers#2334 To avoid unnecessary CI failures the checkpoint/restore tests are temporarily disabled on Fedora. It is not necessary to disable the tests on Ubuntu as it is running without SELinux and it is also not necessary to disable the RHEL 7 tests as RHEL's CRIU is too old to run the checkpoint/restore tests at all. Signed-off-by: Adrian Reber <[email protected]>
@adrianreber Is this complete, can we close this issue now? |
@rhatdan with your changes to container-selinux and once my CRIU PR (checkpoint-restore/criu#648) gets merged, all should be resolved. |
When I try to checkpoint a container on Fedora 29 or RHEL8 with the latest available podman package I get the following SELinux denial:
The same steps are running in CI every time successfully, so something is different during CI and when actually using it. The
connectto
is coming from CRIU's parasite code which is injected in the destination process trying to talk to the main CRIU binary.To be able to checkpoint a container I need following two SELinux rules:
What is the right place or package to add these two rules.
The text was updated successfully, but these errors were encountered: