SELinux denial when checkpointing a container #2334
When I try to checkpoint a container on Fedora 29 or RHEL8 with the latest available podman package I get the following SELinux denial:
The same steps are running in CI every time successfully, so something is different during CI and when actually using it. The
What is the right place or package to add these two rules?
We removed this service, because it is a huge security hole. Allowing this access would allow a container process to gain access to the docker.sock and create a --privileged root running container.
The way to fix this is for the tool creating the socket to label it with the containers label or at least
This would then require
allow container_t container_t:unix_stream_socket connectto;
Which is allowed in the current policy.
Is this socket being created in runc?
Now container_t appending to a file labeled container_var_lib_t is another matter. Is this debugging code or something else?
It is created directly from CRIU. I started a discussion upstream CRIU to be able to use an existing socket or to tell CRIU which label the socket should have. Then we could tell runc which label it should have and runc can pass it to CRIU.
This is for debug output which is currently always written. It is hard-coded in runc. If we could add a policy to allow this, this would be great.
The path to the file is:
So something like this could be used:
Not sure if that is the correct way to do it. But creating an empty log file with the right label should fix this. Then the processes in the container would need to be able to write that log file.
CRIU creates the socket in the destination network namespace https://github.com/checkpoint-restore/criu/blob/master/compel/src/lib/infect.c#L1030, once CRIU infects the destination process with the parasite code, the parasite code tries to connect to that socket and that fails (
If I do
For the socket I have to use setsockcreate(processlabel) in CRIU. If I do it in runc it seems to fail creating runc sockets. For the socket my plan is to add a CRIU feature to specify the SELinux label of the socket. So Podman calls
If I add
But if I reset the socket label to default in runc with
I will prepare a Podman pull request for the CRIU log file labelling and a runc pull request for the CRIU socket labelling and CC you. Thanks for your help.
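The socket labelling (setsockcreate plus the reset back to the default) and the pre-labelled CRIU log file discussed above, as an added example that is not code from this issue, runc, CRIU or Podman. It writes the per-thread /proc/self/attr/sockcreate and /proc/self/attr/fscreate attributes directly, which is the mechanism behind libselinux's setsockcreatecon()/setfscreatecon(); the container label string and the log path used by a caller are assumed values, and the label check is only a shape check, not policy validation.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Shape check for "user:role:type:level[:categories]": >= 4 non-empty fields.
 * It does not consult the loaded policy; the kernel rejects unknown contexts. */
int valid_label(const char *label)
{
    int fields = 1;
    if (!label || !*label || *label == ':') return 0;
    for (const char *p = label; *p; p++)
        if (*p == ':') { if (p[1] == ':' || !p[1]) return 0; fields++; }
    return fields >= 4;
}

/* Write /proc/self/attr/<attr> (sockcreate or fscreate): every socket/file this
 * thread creates next gets `label`; this is what libselinux setsockcreatecon()
 * and setfscreatecon() do. NULL makes a zero-length write, which clears it.
 * -1 with errno ENOENT/EINVAL means no SELinux here, EACCES means policy. */
int set_create_attr(const char *attr, const char *label)
{
    char path[40];
    snprintf(path, sizeof path, "/proc/self/attr/%s", attr);
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, label ? label : "", label ? strlen(label) : 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 0;
}

/* The two objects the thread is about: CRIU's UNIX socket and its log file. */
int make_unix_socket(const char *unused) { (void)unused; return socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); }
int make_log_file(const char *path) { return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600); }

/* Create one object under the container's label, then clear the attribute so
 * the caller's own later sockets/files keep their normal label (the reset runc
 * also needs). Refuses to create anything unlabelled when labelling fails. */
int create_labelled(const char *attr, const char *label, int (*mk)(const char *), const char *arg)
{
    if (!valid_label(label)) { errno = EINVAL; return -1; }
    if (set_create_attr(attr, label) < 0) return -1;
    int fd = mk(arg), saved = errno;
    set_create_attr(attr, NULL);
    errno = saved;
    return fd;
}
```

A caller would use `create_labelled("sockcreate", label, make_unix_socket, NULL)` before binding the socket and `create_labelled("fscreate", label, make_log_file, path)` before handing the log path to CRIU; on a host without SELinux both return -1 with errno ENOENT or EINVAL rather than silently creating an unlabelled object.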