Dangerzone requires SELinux to be turned to "permissive" on Fedora 38

[pizzadude]

Dangerzone requires SELinux to be turned to "permissive" temporarily on Fedora 38, else the conversion process fails.

Attached is a log file of the error messages.
dangerzone-log.txt

Disabling SELinux doesn't completely solve the issue in the latest version though, the conversion process fails for a different reason in the new version, where it claims I have run out of space mid-way through conversion.

SELinux troubleshooter shows this:

[apyrgio]

I think I understand what's going on here. In #335, we wanted to fix an SELinux issue (#157), so we used the :Z argument when mounting a temporary directory to a container. This argument effectively relabels the directory with an SELinux label that only a single container can use. We assumed that this directory is not shared simultaneously with other containers, so it should be fine and more secure to do so.

However, Dangerzone employs a two-step approach to sanitization, and creates one container for converting the document to pixels, and then another one for converting the pixels to PDF. So, the relabeled temp dir at some point has to be used by another container. This requires a relabelto action, and that's why SELinux shows an error.

I guess we should use instead a :z mount flag. I don't have an SELinux system in front of me, but I can spin one up. We'll keep you posted once we've reproduced and fixed this issue.

[deeplow]

I guess we should use instead a :z mount flag. I don't have an SELinux system in front of me, but I can spin one up. We'll keep you posted once we've reproduced and fixed this issue.

From playing around a little bit with SELinux, this does not appear to be the case. With the :Z flag, this appears to relabel to only the second container (pixels to PDF), when it does start. If for some reason container 1 (doc to pixels) was still running it would simply have its access to /safezone revoked.

However, in my case (freshly installed Fedora 38) I was unable to find any SELinux policy violations. And and it's in enforcing mode by default. This leads me to think that the SELinux failure is somehow a consequence of the out of space issue. So I'd advocate for solving that one first and then seeing if this one still exists.

[apyrgio]

With the :Z flag, this appears to relabel to only the second container (pixels to PDF), when it does start.

This exact behavior is what I'd expect to trigger an SELinux error. Out of curiosity, can you remove the :Z flag, and make sure that we see an error? It could be that we're misunderstanding something there.

@pizzadude Have you perhaps further configured SELinux in your installation, or are you running a stock OS?

This leads me to think that the SELinux failure is somehow a consequence #518. So I'd advocate for solving that one first and then seeing if this one still exists.

That would be very surprising, but we'll get to the bottom of it and find out.

[pizzadude]

I haven't further configured SELinux, but I have some other podman containers on my system and I moved ~/.local/share/containers to another drive and symlinked it back, because my internal SSD is too small.

[deeplow]

Could this be a duplicate of #127 ?

[apyrgio]

As of #625, we no longer mount files to Podman containers, so relabeling is not necessary. Also, we have recently verified that Dangerzone works in Fedora systems with SELinux in enforcing mode (see #880). That's to say, I believe we won't encounter this issue in the upcoming 0.8.0 release.