SELinux, rootless, --pid=host: only works with vfs #7939

Closed
edsantiago opened this issue Oct 6, 2020 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

@edsantiago (Member):
I'm trying to write a system test for #7902, but:

```
$ ./bin/podman run --pid=host alpine cat /proc/self/attr/current
unconfined_u:system_r:container_runtime_t:s0%
(expected: spc_t)
```

Root cause: the integration test only works because it runs on vfs. This works:

```
$ /bin/rm -rf /var/tmp/podman-test
$ ./bin/podman --root /var/tmp/podman-test/root --runroot /var/tmp/podman-test/runroot --storage-driver vfs run --pid=host alpine cat /proc/self/attr/current
[pull messages snipped]
unconfined_u:system_r:spc_t:s0%
```

This may be intentional, or at least not something that can be fixed. If so, I believe the --pid=host test in run_selinux_test.go should be clearly commented to explain this; and I think we should make a pass through all the SELinux tests to see which others are affected.

But I'm just hoping this is a bug, and we can get consistent behavior between vfs and fuse-overlay.

Originally posted by @edsantiago in #7902 (comment)
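The check the report is trying to automate, written here as an added example rather than code from the podman repository: pull the SELinux type out of a `/proc/self/attr/current` context and confirm that a `--pid=host` container landed in `spc_t`. The live check runs only if `podman` is installed; the trailing `%` in the quoted output is the shell's missing-newline marker, not part of the label, so it is stripped.

```bash
#!/usr/bin/env bash
# Extract the SELinux type (third field of user:role:type:level) from a
# context string. A trailing "%" (zsh's no-newline marker, as in the
# issue's pasted output) is removed first so it does not pollute the level.
selinux_type_of() {
    printf '%s' "$1" | sed 's/%$//' | cut -d: -f3
}

# Return 0 when the context carries the expected type, 1 otherwise.
context_has_type() {
    [ "$(selinux_type_of "$1")" = "$2" ]
}

# Live check: a --pid=host container shares the host PID namespace and is
# expected to run as spc_t (super-privileged container), not as the
# runtime's own type. Returns 0 on match, 1 on mismatch, 2 if podman is absent.
check_pid_host_label() {
    command -v podman >/dev/null 2>&1 || {
        echo "podman not installed; skipping live check" >&2
        return 2
    }
    ctx="$(podman run --rm --pid=host alpine cat /proc/self/attr/current)" || return 2
    if context_has_type "$ctx" spc_t; then
        echo "OK: $ctx"
    else
        echo "MISMATCH: got '$ctx', expected type spc_t" >&2
        return 1
    fi
}
```

Feeding the two contexts quoted in the report through `selinux_type_of` yields `container_runtime_t` for the fuse-overlay run and `spc_t` for the vfs run, which is exactly the discrepancy being tested for.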

@rhatdan (Member) commented Oct 6, 2020:

```
chcon -t container_runtime_exec_t ./bin/podman
```

Should fix the tests.

@mheon mheon added the kind/bug Categorizes issue or PR as related to a bug. label Oct 6, 2020
@edsantiago (Member, Author):

It already is; sorry for not mentioning that. I should've also mentioned that I installed podman-2:2.2.0-0.21.dev.gitcaace52.fc34 on a rawhide VM and get the same behavior. (caace52 includes #7902)

@rhatdan (Member) commented Oct 7, 2020:

Fixed in container-selinux-2.146.0

@rhatdan rhatdan closed this as completed Oct 7, 2020
edsantiago added a commit to edsantiago/libpod that referenced this issue Oct 7, 2020
 - images test: add test for 'table' and '\t' formatting

 - image mount test: check output from 'umount', test
   repeat umount (NOP), and test invalid-umount

 - kill test: remove kludgy workaround for crun signal bug
   ref: containers#5004 -- code is no longer needed (fingers crossed),
   and the workaround involved pulling an expensive image.

 - selinux test: add new tests for shared context in:
   * pods , w/ and w/o infra container (ref: containers#7902)
   * containers with namespace sharing: --ipc, --pid, --net

 - selinux test: new test for --pid=host (disabled pending
   propagation of container-selinux-2.146, ref: containers#7939)

Signed-off-by: Ed Santiago <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023