containers/container-selinux

Newly introduced container policies are conflicting with base policies

Closed this issue · 3 comments

sshedi commented

Hi @rhatdan,

While compiling selinux-policy-38.5, I faced some issues.

neverallow check failed at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/base/cil:10434
  (neverallow base_typeattr_18 scsi_generic_device_t (chr_file (write append)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2647
      (allow container_device_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2691
      (allow container_device_plugin_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2748
      (allow container_device_plugin_init_t device_node (chr_file (ioctl read write getattr lock append open)))

neverallow check failed at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/base/cil:10432
  (neverallow base_typeattr_17 scsi_generic_device_t (chr_file (read)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2647
      (allow container_device_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2691
      (allow container_device_plugin_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2748
      (allow container_device_plugin_init_t device_node (chr_file (ioctl read write getattr lock append open)))

neverallow check failed at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/base/cil:10430
  (neverallow base_typeattr_16 fixed_disk_device_t (chr_file (write append)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2647
      (allow container_device_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2691
      (allow container_device_plugin_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2748
      (allow container_device_plugin_init_t device_node (chr_file (ioctl read write getattr lock append open)))

neverallow check failed at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/base/cil:10428
  (neverallow base_typeattr_15 fixed_disk_device_t (chr_file (read)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2647
      (allow container_device_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2691
      (allow container_device_plugin_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2748
      (allow container_device_plugin_init_t device_node (chr_file (ioctl read write getattr lock append open)))

neverallow check failed at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/base/cil:4910
  (neverallow base_typeattr_2 memory_device_t (chr_file (write append)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2647
      (allow container_device_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2691
      (allow container_device_plugin_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2748
      (allow container_device_plugin_init_t device_node (chr_file (ioctl read write getattr lock append open)))

neverallow check failed at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/base/cil:4908
  (neverallow base_typeattr_1 memory_device_t (chr_file (read)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2647
      (allow container_device_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2691
      (allow container_device_plugin_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at /usr/src/photon/BUILDROOT/selinux-policy-38.5-1.ph5.x86_64/var/lib/selinux/default/tmp/modules/100/container/cil:2748
      (allow container_device_plugin_init_t device_node (chr_file (ioctl read write getattr lock append open)))

Failed to generate binary
/usr/sbin/semodule:  Failed!
make: *** [Rules.modular:58: load] Error 1

This is triggered from:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/kernel/storage.te#L23
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/kernel/storage.te#L39
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/kernel/devices.te#L228

For now I commented out these kernel policies in base to get the build going.

This is probably the commit from which this issue started popping up.
cf704e4

Here is our spec from Photon OS.
https://github.com/vmware/photon/blob/dev/SPECS/selinux-policy/selinux-policy.spec#L91

I also opened an issue here to get help on one other issue on which I was completely blocked.
fedora-selinux/selinux-policy#1573

Hope this helps.
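The failures above all have the same shape: a container rule grants chr_file permissions on the device_node attribute, and that attribute contains concrete types (fixed_disk_device_t, memory_device_t, scsi_generic_device_t) that base-policy neverallow rules protect. The script below is an added example, not part of the issue or of container-selinux; it parses this semodule output and reports, per offending allow rule, which protected types it reaches and which of its permissions actually overlap the denial. The sample log is constructed from two of the failures above, with the build paths shortened to the module they point at.

```python
import re

# Constructed sample: two failures from the report above, paths shortened to "<module>/cil:<line>".
SAMPLE_LOG = """\
neverallow check failed at base/cil:10434
  (neverallow base_typeattr_18 scsi_generic_device_t (chr_file (write append)))
    <root>
    allow at container/cil:2647
      (allow container_device_t device_node (chr_file (ioctl read write getattr lock append open)))
    <root>
    allow at container/cil:2691
      (allow container_device_plugin_t device_node (chr_file (ioctl read write getattr lock append open)))
neverallow check failed at base/cil:4908
  (neverallow base_typeattr_1 memory_device_t (chr_file (read)))
    <root>
    allow at container/cil:2647
      (allow container_device_t device_node (chr_file (ioctl read write getattr lock append open)))
"""

FAIL_RE = re.compile(r"^neverallow check failed at (\S+)")
RULE_RE = re.compile(r"^\s*\((neverallow|allow) (\S+) (\S+) \((\S+) \(([^)]*)\)\)\)$")


def parse_failures(text):
    """One dict per failed check: protected type, denied perms, and the allow rules that reach it."""
    failures, cur, allow_loc = [], None, None
    for line in text.splitlines():
        if m := FAIL_RE.match(line):
            cur = {"at": m.group(1), "target": None, "tclass": None,
                   "denied": frozenset(), "offenders": []}
            failures.append(cur)
        elif cur and line.strip().startswith("allow at "):
            allow_loc = line.strip()[len("allow at "):]
        elif cur and (m := RULE_RE.match(line)):
            kind, src, tgt, cls, perms = m.groups()
            perms = frozenset(perms.split())
            if kind == "neverallow":
                cur.update(target=tgt, tclass=cls, denied=perms)
            elif cls == cur["tclass"]:
                # tgt is an attribute (device_node) that the protected concrete type belongs to
                cur["offenders"].append((src, tgt, allow_loc, sorted(cur["denied"] & perms)))
    return failures


def rules_to_fix(failures):
    """Group by offending (source, target, location): the protected types that allow must stop reaching."""
    hit = {}
    for f in failures:
        for src, tgt, loc, _ in f["offenders"]:
            hit.setdefault((src, tgt, loc), set()).add(f["target"])
    return hit
```

Each key returned by rules_to_fix is one allow rule in the container module to narrow (for example by excluding the listed types from the target set) before re-running the neverallow check.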

@zpytela @wrabcak How should we handle this?

We already discussed this in the selinux-policy issue.

lsm5 commented

Can we close this?