The default behavior for rootless podman is to create a running container that transitions from the user's SELinux user and role to system_u:system_r. Instead, the default behavior should be to keep the user's user and role when the container process is created.
This is proving to be problematic in refpolicy, where userdomains do not have the can_change_object_identity attribute, and thus cannot relabel files that do not match their user. An unprivileged user can create a container with rootless podman with shared files in the container, which will cause the files to become relabeled to system_u:object_r:container_file_t:MCS, and the user can no longer relabel these files because of SELinux constraints (staff_u != system_u).
Expected behavior:
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ podman run --rm -it alpine:latest sh
...
$ ps -Z | grep container_t
staff_u:staff_r:container_t:s0:c556,c718 1051869 pts/0 Ss+ 0:00 sh
Actual behavior:
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ podman run --rm -it alpine:latest sh
...
$ ps -Z | grep container_t
system_u:system_r:container_t:s0:c556,c718 1051869 pts/0 Ss+ 0:00 sh
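As an added example (not part of the issue or of podman), a small POSIX shell script that checks for the transition shown above and lists shared files that were relabeled to a different SELinux user. It assumes `ps -eZ` and `ls -Z` print the context as the first field, as in the output quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the issue): check whether a container process kept
# the caller's SELinux user and role, and which shared files were relabeled
# to a different SELinux user. Assumes ps -eZ / ls -Z print the context first.

# "user:role" part of a context such as staff_u:staff_r:container_t:s0:c556,c718
user_role() {
    printf '%s\n' "$1" | cut -d: -f1,2
}

# Exit 0 if the container context keeps the caller's user and role,
# 1 if it transitioned (e.g. to system_u:system_r as in "Actual behavior").
context_preserved() {
    [ "$(user_role "$1")" = "$(user_role "$2")" ]
}

# Read "context filename" lines (ls -Z format) on stdin and print the names
# of files whose SELinux user differs from the caller's user; these are the
# files the caller can no longer relabel under refpolicy constraints.
foreign_user_files() {
    caller_user="${1%%:*}"
    awk -v u="$caller_user" '{ split($1, c, ":"); if (c[1] != u) print $2 }'
}

# Live check of running container_t processes against the current shell.
check_live() {
    me="$(id -Z)"
    ps -eZ 2>/dev/null | awk '$1 ~ /container_t/ { print $1 }' | while read -r ctx; do
        if context_preserved "$me" "$ctx"; then
            echo "OK         $ctx"
        else
            echo "TRANSITION $ctx (caller is $(user_role "$me"))"
        fi
    done
}

# Constructed samples, copied from the issue's expected/actual output.
SAMPLE_CALLER="staff_u:staff_r:staff_t:s0-s0:c0.c1023"
SAMPLE_EXPECTED="staff_u:staff_r:container_t:s0:c556,c718"
SAMPLE_ACTUAL="system_u:system_r:container_t:s0:c556,c718"
```

Run `check_live` on an SELinux host with a rootless container running to see which case applies; `ls -Z /path/to/shared | foreign_user_files "$(id -Z)"` lists the relabeled files.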