Fail early when "socket activation" provides a Unix socket and SELINUX is active and there is no --security-opt label=disable
eriksjolund opened this issue · 4 comments
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind feature
Description
Before Podman starts a container with socket activation, Podman should check if there is any Unix socket among the socket-activated sockets. If that is the case and SELINUX is active and there is no --security-opt label=disable, Podman should fail before starting the container. The reason is that the container will not be able to use that socket (and probably fail).
See also the comment.
The application might work if also TCP sockets are provided, but I guess it's better to just fail as soon as there is at least one Unix socket. That would be a simpler user interface.
In principle this feature would be a backwards incompatible change, but I think few people would be impacted. Socket activation via Podman is a rather new feature and I haven't seen any examples or blog posts about it. (That's why I wrote this example: https://github.com/eriksjolund/mariadb-podman-socket-activation/).
Output of podman version:
Client: Podman Engine
Version: 4.0.0-rc4
API Version: 4.0.0-rc4
Go Version: go1.16.13
Built: Fri Feb 4 16:25:35 2022
OS/Arch: linux/amd64
Output of podman info --debug:
host:
  arch: amd64
  buildahVersion: 1.24.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-2.fc35.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: '
  cpus: 8
  distribution:
    distribution: fedora
    variant: workstation
    version: "35"
  eventLogger: journald
  hostname: laptop
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1035
      size: 1
    - container_id: 1
      host_id: 2638224
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1035
      size: 1
    - container_id: 1
      host_id: 2703760
      size: 65536
  kernel: 5.16.5-200.fc35.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 6060683264
  memTotal: 33452257280
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.4.2-1.fc35.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.2
      commit: f6fbc8f840df1a414f31a60953ae514fa497c748
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1035/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 9021083648
  swapTotal: 9124700160
  uptime: 130h 30m 27.75s (Approximately 5.42 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/test40/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/test40/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 14
  runRoot: /run/user/1035/containers
  volumePath: /home/test40/.local/share/containers/storage/volumes
version:
  APIVersion: 4.0.0-rc4
  Built: 1643988335
  BuiltTime: Fri Feb 4 16:25:35 2022
  GitCommit: ""
  GoVersion: go1.16.13
  OsArch: linux/amd64
  Version: 4.0.0-rc4
Package info (e.g. output of rpm -q podman or apt list podman):
podman-4.0.0-0.5.rc4.fc35.x86_64
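The check the issue asks for, written out as an added Go example; this is not Podman's own code. It assumes systemd's socket-activation protocol (LISTEN_PID and LISTEN_FDS, with the passed descriptors starting at fd 3) and detects an AF_UNIX socket by calling getsockname on each descriptor. SELinux presence is approximated by reading /sys/fs/selinux/enforce, a simplified stand-in for the library call Podman would use; the function names activatedFds, isUnixSocket and checkSocketActivation are mine.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// systemd hands activated sockets to the service starting at fd 3 (SD_LISTEN_FDS_START).
const listenFdsStart = 3

// activatedFds returns the descriptors systemd passed via LISTEN_PID/LISTEN_FDS,
// or nil when this process was not socket-activated (LISTEN_PID must match us).
func activatedFds(env map[string]string, pid int) []int {
	if p, err := strconv.Atoi(env["LISTEN_PID"]); err != nil || p != pid {
		return nil
	}
	n, err := strconv.Atoi(env["LISTEN_FDS"])
	if err != nil || n <= 0 {
		return nil
	}
	fds := make([]int, n)
	for i := range fds {
		fds[i] = listenFdsStart + i
	}
	return fds
}

// isUnixSocket reports whether fd is an AF_UNIX socket; getsockname fails on
// non-sockets and returns a SockaddrUnix for Unix-domain sockets.
func isUnixSocket(fd int) bool {
	sa, err := syscall.Getsockname(fd)
	if err != nil {
		return false
	}
	_, ok := sa.(*syscall.SockaddrUnix)
	return ok
}

// selinuxEnabled is a simplified stand-in (assumption) for the SELinux library
// check: selinuxfs is mounted at /sys/fs/selinux when SELinux is enabled.
func selinuxEnabled() bool {
	_, err := os.ReadFile("/sys/fs/selinux/enforce")
	return err == nil
}

// labelDisabled reports whether one of the --security-opt values is label=disable.
func labelDisabled(securityOpts []string) bool {
	for _, o := range securityOpts {
		if strings.TrimSpace(o) == "label=disable" {
			return true
		}
	}
	return false
}

// checkSocketActivation implements the proposed rule: with SELinux enabled and
// labeling not disabled, refuse to start if any activated fd is a Unix socket.
// isUnix is injected so the rule can be exercised on any host.
func checkSocketActivation(fds []int, isUnix func(int) bool, selinux bool, securityOpts []string) error {
	if !selinux || labelDisabled(securityOpts) {
		return nil
	}
	for _, fd := range fds {
		if isUnix(fd) {
			return fmt.Errorf("socket-activated fd %d is a Unix socket and SELinux is enabled: "+
				"the container process would be denied access to it; pass --security-opt label=disable or use TCP sockets", fd)
		}
	}
	return nil
}

func main() {
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			env[p[0]] = p[1]
		}
	}
	var opts []string
	for i, a := range os.Args {
		if a == "--security-opt" && i+1 < len(os.Args) {
			opts = append(opts, os.Args[i+1])
		}
	}
	if err := checkSocketActivation(activatedFds(env, os.Getpid()), isUnixSocket, selinuxEnabled(), opts); err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		os.Exit(125) // the exit code Podman uses for its own failures
	}
}
```

Running this under a systemd socket unit with a Unix socket on an SELinux host exits before any container is created, which is the "fail early" behaviour the issue requests; with only TCP sockets, or with label=disable, it proceeds.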
What AVC are you seeing. We might want to allow this.
If this is just an inherited socket owned by systemd, it can be allowed.
Could you setenforce 0 and then use the service. Then attach all of the AVCs.
I booted up a Fedora CoreOS next stream VM and ran
rpm-ostree install --apply-live --allow-inactive mariadb
rpm-ostree install --apply-live --allow-inactive audit
systemctl start auditd.service
Then I followed roughly https://github.com/eriksjolund/mariadb-podman-socket-activation/ (there are a few small bugs I need to fix there)
[esjolund@tutorial mariadb-podman-socket-activation]$ systemctl --user start mariadb-unix@instance7.socket
[esjolund@tutorial mariadb-podman-socket-activation]$ mariadb --socket ~/mariadb-socket.instance7 -u example-user -p
Enter password:
ERROR 2013 (HY000): Lost connection to MySQL server at 'handshake: reading initial communication packet', system error: 104
Then I ran sudo setenforce 0 and performed a new test
[esjolund@tutorial ~]$ systemctl --user start mariadb-unix@instance20.socket
[esjolund@tutorial ~]$ mariadb --socket ~/mariadb-socket.instance20 -u example-user -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> \q
Bye
As root I ran ausearch -ts recent.
The last entries were
----
time->Thu Feb 10 21:17:20 2022
type=AVC msg=audit(1644527840.502:242): avc: denied { getattr } for pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
time->Thu Feb 10 21:17:20 2022
type=AVC msg=audit(1644527840.503:243): avc: denied { getopt } for pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
time->Thu Feb 10 21:17:20 2022
type=AVC msg=audit(1644527840.509:244): avc: denied { accept } for pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
time->Thu Feb 10 21:17:20 2022
type=AVC msg=audit(1644527840.509:245): avc: denied { setopt } for pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
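A small parser for AVC records like the ones above, as an added Go example that is not from Podman or the SELinux tooling. It folds the four denial lines copied from this comment into the form a policy reviewer reads, source type, target type, object class and the set of denied permissions, and notes whether permissive=1 means they were only logged. The names Denial, Summarize and parseDenial are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial is one parsed "avc: denied" record from ausearch or audit.log.
type Denial struct {
	Perms      []string // permissions inside the braces, e.g. getattr
	Comm       string   // comm="..."
	Path       string   // path="..."
	SContext   string   // scontext=...
	TContext   string   // tcontext=...
	TClass     string   // tclass=...
	Permissive bool     // permissive=1: logged but not blocked
}

var (
	avcRe = regexp.MustCompile(`avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$`)
	kvRe  = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
)

// parseDenial returns false for lines that are not AVC denials ("----", "time->...").
func parseDenial(line string) (Denial, bool) {
	m := avcRe.FindStringSubmatch(line)
	if m == nil {
		return Denial{}, false
	}
	d := Denial{Perms: strings.Fields(m[1])}
	for _, kv := range kvRe.FindAllStringSubmatch(m[2], -1) {
		v := strings.Trim(kv[2], `"`)
		switch kv[1] {
		case "comm":
			d.Comm = v
		case "path":
			d.Path = v
		case "scontext":
			d.SContext = v
		case "tcontext":
			d.TContext = v
		case "tclass":
			d.TClass = v
		case "permissive":
			d.Permissive = v == "1"
		}
	}
	return d, true
}

// typeOf returns the type component of a user:role:type:level context.
func typeOf(ctx string) string {
	parts := strings.SplitN(ctx, ":", 4)
	if len(parts) < 3 {
		return ctx
	}
	return parts[2]
}

// Summary aggregates denials per (source type, target type, object class).
type Summary struct {
	Source, Target, Class string
	Perms                 []string
	Permissive            bool
}

func (s Summary) String() string {
	mode := "enforced"
	if s.Permissive {
		mode = "permissive (logged, not blocked)"
	}
	return fmt.Sprintf("%s -> %s : %s { %s } [%s]", s.Source, s.Target, s.Class, strings.Join(s.Perms, " "), mode)
}

// Summarize folds raw audit lines into summaries in first-seen order, de-duplicating permissions.
func Summarize(lines []string) []Summary {
	var out []Summary
	index := map[string]int{}
	for _, line := range lines {
		d, ok := parseDenial(line)
		if !ok {
			continue
		}
		src, tgt := typeOf(d.SContext), typeOf(d.TContext)
		key := src + "|" + tgt + "|" + d.TClass
		i, seen := index[key]
		if !seen {
			i = len(out)
			index[key] = i
			out = append(out, Summary{Source: src, Target: tgt, Class: d.TClass, Permissive: d.Permissive})
		}
		for _, p := range d.Perms {
			if !strings.Contains(" "+strings.Join(out[i].Perms, " ")+" ", " "+p+" ") {
				out[i].Perms = append(out[i].Perms, p)
			}
		}
	}
	return out
}

// sampleAudit holds the four records copied from the comment above, separators included.
var sampleAudit = []string{
	"----",
	"time->Thu Feb 10 21:17:20 2022",
	`type=AVC msg=audit(1644527840.502:242): avc: denied { getattr } for pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1`,
	`type=AVC msg=audit(1644527840.503:243): avc: denied { getopt } for pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1`,
	`type=AVC msg=audit(1644527840.509:244): avc: denied { accept } for pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1`,
	`type=AVC msg=audit(1644527840.509:245): avc: denied { setopt } for pid=3413 comm="mariadbd" path="/var/home/esjolund/mariadb-socket.instance20" scontext=system_u:system_r:container_t:s0:c35,c675 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1`,
}

func main() {
	for _, s := range Summarize(sampleAudit) {
		fmt.Println(s)
	}
}
```

On the sample this prints a single line, container_t -> container_runtime_t : unix_stream_socket { getattr getopt accept setopt }, which is exactly the question the maintainer's comment raises: the socket is inherited from systemd and labelled container_runtime_t, and the container domain lacks those four socket permissions on it.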
Fixed in v2.178.0