Lack of 'range' field in fcontext causes error in go-linux.NewContext()

[kenya888]

Hi I enjoy my container life with podman and have an issue on Gentoo with SELinux targeted environment.

Here is the output of running container from the podman tutorial.

kenya888@xps13 ~ $ sudo podman run -dt -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ registry.fedoraproject.org/f27/httpd /usr/bin/run-httpd
panic: runtime error: index out of range

goroutine 1 [running]:
github.com/projectatomic/libpod/vendor/github.com/opencontainers/selinux/go-selinux.NewContext(0xc42024108b, 0x21, 0xc)
        /var/tmp/portage/app-emulation/podman-9999/work/podman-9999/src/github.com/projectatomic/libpod/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go:300 +0x2af
.
.
.

It seems that the environment which doesn't have the 'range' field (like 's0') in fcontext is not considered in the go-linux.NewContext() (and ReserveLabel() below)

In the Gentoo's SELinux instruction labeling fcontext with targeted type doesn't provide the 'range' field because it isn't MLS/MCS type.

kenya888@xps13 ~/ctr $ LANG=C ls -lZ
total 0
drwxr-xr-x. 1 kenya888 wheel unconfined_u:object_r:user_home_t 42 Feb  6 20:50 lib
drwxr-xr-x. 1 kenya888 wheel unconfined_u:object_r:user_home_t  0 Feb  6 20:49 run

I know it doesn't occur in Fedora/RHEL because they are always provided with 'range' fcontext.
Should I label it to my system even if I don't use the field? I cannot find right information that this field is always needed as SELinux spec.

We can easily reproduce this issue with the code as following.

package main

import (
        "fmt"
        "strings"
)

func main() {
        label := "unconfined_u:object_r:user_home_t"
//      label := "unconfined_u:object_r:user_home_t:s0"
        fmt.Println(label)
        con := strings.SplitN(label, ":", 4)
        fmt.Println(con[3])
}

[rhatdan]

We probably should handle this in opencontainers/selinux, but the benefit of SELinux and Containers falls quite a bit without MCS/MLS Container Separation. We rely on the forth field to keep containers separate. Is there a targeted policy available for gentoo that supports the MCS/MLS Field?

[rhatdan]

Patch to allow you to use selinux on non MCS machines #25

[kenya888]

@rhatdan Oh thank you for quick reply and advice.

Is there a targeted policy available for gentoo that supports the MCS/MLS Field?

Currently no, probably. I've confirmed the fourth field is present at mls settings and disappear at targeted settings. Though I can do it myself manually, I don't think it is a good idea. I'd like to communicate with Gentoo SELinux project team about this topic with the benefit of container separation with the MLS/MCS field in targeted mode.

At last thank you again for quick action to fix it!!

[rhatdan]

Could you apply the patches to your podman to see if it actually fixes your issue?

[kenya888]

Works fine. Thanks!!

[rhatdan]

This issue is fixed.