Don't allow containers by default setexec setfscreate

[rhatdan]

Summary by Sourcery

Enhancements:

• Revoke default setexec and setfscreate permissions for container domains to tighten security

[sourcery-ai]

Reviewer's Guide

This PR tightens the container SELinux policy by removing default permissions for setexec and setfscreate file operations in container.te and thus prevents containers from executing or creating filesystem objects by default.

File-Level Changes

Change	Details	Files
Restrict default file operations in container_t	Remove default allow for file setexec Remove default allow for file setfscreate	container.te

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @rhatdan - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Summary of Changes

Hello @rhatdan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of containers by tightening their default SELinux permissions. It revokes the implicit ability for containers to manipulate SELinux execution and file creation contexts, instead introducing an explicit opt-in mechanism via a new tunable. This change aims to reduce the attack surface for container escapes by limiting sensitive capabilities by default.

Highlights

• Security Hardening for Containers: I've removed the setexec and setfscreate permissions from the default container_domain SELinux policy. These permissions, which allow a process to change its execution domain or set default security contexts for new files, are now explicitly disallowed by default for containers to enhance security.
• New SELinux Tunable for Label Manipulation: A new SELinux tunable, container_modify_selinux_labels, has been introduced. This tunable defaults to false and gates the setexec and setfscreate permissions. This means that administrators must explicitly enable this tunable if a container requires the ability to manipulate SELinux labels.
• Policy Module Version Update: The container.te policy module version has been incremented from 2.239.0 to 2.240.0, reflecting the policy changes implemented in this pull request.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request enhances security by removing the setexec and setfscreate permissions from container domains by default. These permissions are moved behind a new SELinux boolean container_modify_selinux_labels, which is disabled by default. This is a solid security improvement. My only suggestion is to improve the clarity of the description for the new tunable to better inform administrators of its purpose.

[gemini-code-assist]

The description for this new tunable is a bit generic. "manipulate SELinux labels" could refer to many different permissions. For better clarity for administrators who might need to enable this, consider making it more specific to the permissions being granted (setexec and setfscreate).

A more descriptive comment could be:

## Allow containers to set the security context on process execution and file creation.

This more accurately reflects what enabling this tunable does.

## Allow containers to set the security context on process execution and file creation

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[lsm5]

LGTM

centos job failures look like dnf repo issues. Nothing we can do about it apart from maybe wait.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lsm5, rhatdan, sourcery-ai[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [lsm5,rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment