Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Directories /srv/containers and /var/srv/containers have possibility of mismatch fcontext #349

Open
maage opened this issue Jan 18, 2025 · 1 comment
Open

Directories /srv/containers and /var/srv/containers have possibility of mismatch fcontext #349

maage opened this issue Jan 18, 2025 · 1 comment

Comments

@maage
Copy link
Contributor

maage commented Jan 18, 2025
edited
Loading

From manual container_selinux.8

container-selinux/container_selinux.8

Lines 269 to 271 in 7fdbd0e

.B semanage fcontext -a -t container_var_lib_t '/srv/container/content(/.*)?'
.br
.B restorecon -R -v /srv/mycontainer_content

Why this example uses container_var_lib_t as fcontext as

container-selinux/container.fc

Lines 161 to 162 in 7fdbd0e

/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)

But

container-selinux/container.te

Line 308 in 7fdbd0e

files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")

And it is used for /var/cache/containers.

So if container_runtime_domain creates /srv/containers or /var/srv/containers, fcontext will be container_var_lib_t, but after restorecon it will set them to container_file_t and I would assume that is not intentional and would most probably cause disruption. I wonder how this could be made to work right automatically? With restorecond?

I looked at what programs actually seem to use the fcontexts for, and it seems container_var_lib_t is for container subsystem top level directories, locks, state, configuration, and sometimes images. And container_file_t is for container content, or files you can modify from inside of the container. And container_file_ro_t is for container content not meant to be modified from inside of the container.

And should manual be?

-.B semanage fcontext -a -t container_var_lib_t '/srv/container/content(/.*)?'
+.B semanage fcontext -a -t container_file_t '/srv/containers/content(/.*)?'
 .br
-.B restorecon -R -v /srv/mycontainer_content
+.B restorecon -R -v /srv/containers/content

Or at least for me it kind of looks wrong when directory of container_file_t contains any of filles with container_var_lib_t.

And anyways, restorecon path should match semanage fcontext path and not be some random path.
@rhatdan
Copy link
Member

rhatdan commented Jan 22, 2025

@mike-nguyen PTAL

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@maage @rhatdan