bootc/install_t: allow transition to container_runtime_t

[lsm5]

Generation of bootc compatible disk images is done via the command:

sudo podman run --rm -it --privileged \
         --pull=newer \
         --security-opt label=type:unconfined_t \
         -v ./config.toml:/config.toml:ro \
         -v ./output:/output \
         -v /var/lib/containers/storage/:/var/lib/containers/storage/ \
         quay.io/centos-bootc/bootc-image-builder:latest \
         --type qcow2 \
         quay.io/centos-bootc/centos-bootc:stream9

Ref: https://github.com/osbuild/bootc-image-builder?tab=readme-ov-file#-examples

And this currently results in an apparently harmless AVC denial:

avc:  denied  { nnp_transition nosuid_transition } for  pid=40081 comm="bootc" \
        scontext=system_u:system_r:install_t:s0:c68,c235 \
        tcontext=system_u:system_r:container_runtime_t:s0:c68,c235 \
        tclass=process2 permissive=0

This commit adds allow rules for processes with install_t type, like bootc, to silence the AVCs.

Ref: https://issues.redhat.com/browse/RHEL-85671

Summary by Sourcery

Bug Fixes:

• Resolve SELinux AVC denial when running bootc image builder with privileged container transitions

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request adds SELinux policy rules to allow processes running with the install_t type (such as bootc) to transition to the container_runtime_t type. This resolves AVC denials observed during the generation of bootc-compatible disk images.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Added allow rules for processes with the install_t type to transition to the container_runtime_t type.	Allowed install_t to perform nnp_transition on container_runtime_t. Allowed install_t to perform nosuid_transition on container_runtime_t.	container.te

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @lsm5 - I've reviewed your changes - here's some feedback:

Overall Comments:

• It would be helpful to understand why bootc needs to transition to container_runtime_t.

Here's what I looked at during the review

• 🟢 General issues: all looks good
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lsm5, sourcery-ai[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [lsm5]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lsm5]

@rhatdan @wrabcak @haircommander PTAL

[rhatdan]

/lgtm

[lsm5]

Doesn't look like this will merge unless rebased. Rebasing might remove the lgtm label, so I'll take the liberty to re-add it.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[lsm5]

/cherrypick rhaos-maint

[openshift-cherrypick-robot]

@lsm5: new pull request created: #371

In response to this:

/cherrypick rhaos-maint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.