Make the container work on an SELinux-enforcing systems #8
Conversation
achilleas-k
changed the title
|
Testing on the distros you listed using osbuild |
|
Manually tested the build process with this PR and it's working on:
|
|
If this is meant to work on an M1, let me know and I would happily sanity check! |
When building an image, we need to make sure that the target system is correctly labeled. This becomes challenging if the target system contains labels that are unknown to the host because the process setting the label needs to have CAP_MAC_ADMIN if the host is SELinux-enforcing. CAP_MAC_ADMIN isn't a common capability on a SELinux-enforcing system. Even unconfined_t doesn't have it (same for spc_t - label used by --privileged containers). Thus, we need to ensure that we transition to a domain that actually has it. This commit relabels osbuild as install_t, a domain that has CAP_MAP_ADMIN. A bit of mount-dancing is needed in order to achieve that, see prepare.sh. I decided to make prepare.sh a separate script. This is useful for debugging: host # podman run -it \ --privileged \ --security-opt label=type:unconfined_t \ --entrypoint bash \ localhost/osbuild-deploy-container container # ./prepare.sh This way, you get the same environment as if you run the container the default way. See #6 (comment) and links in this comment for further information.
|
This is now ready to be merged. @teg AFAIK, the container should work on ARM. Once this is merged, you can just build the container yourself (clone the repository and |
| # Note that the transition to `install_t` must happen at this point. Osbuild stages run in `bwrap` that creates | ||
| # a nosuid, no_new_privs environment. In such an environment, we cannot transition from `unconfined_t` to `install_t`, | ||
| # because we would get more privileges. | ||
| chcon system_u:object_r:install_exec_t:s0 "${TMP}/osbuild" |
There was a problem hiding this comment.
It would have been better to do
chcon -t install_exec_t "${TMP}/osbuild"
But this is fine.
Sanity tested on my M2. The container builds and runs, but we run into the (expected?) loop issue. |
When building an image, we need to make sure that the target system is
correctly labeled. This becomes challenging if the target system contains
labels that are unknown to the host because the process setting the label
needs to have CAP_MAC_ADMIN if the host is SELinux-enforcing.
CAP_MAC_ADMIN isn't a common capability on a SELinux-enforcing system.
Even unconfined_t doesn't have it (same for spc_t - label used by
--privileged containers). Thus, we need to ensure that we transition to
a domain that actually has it.
This commit relabels osbuild as install_t, a domain that has CAP_MAP_ADMIN.
A bit of mount-dancing is needed in order to achieve that, see prepare.sh.
I decided to make prepare.sh a separate script. This is useful for debugging:
host # podman run -it
--privileged
--security-opt label=type:unconfined_t
--entrypoint bash
localhost/osbuild-deploy-container
container # ./prepare.sh
This way, you get the same environment as if you run the container the
default way.
See #6 (comment)
and links in this comment for further information.
Open questions:
ostree.container.deploystage?Fixes #6