Comments (12)

hughsie avatar hughsie commented on September 13, 2024

A workaround is sudo mv /usr/lib64/rpm-plugins/selinux.so /usr/lib64/rpm-plugins/selinux.so.old

from toolbox.

hughsie avatar hughsie commented on September 13, 2024

Additional, value-add failure:

Traceback (most recent call last):
  File "/usr/sbin/semanage", line 28, in <module>
    import seobject
  File "/usr/lib/python3.7/site-packages/seobject.py", line 34, in <module>
    import sepolicy
  File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 188, in <module>
    raise e
  File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 184, in <module>
    policy_file = get_installed_policy()
  File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 139, in get_installed_policy
    raise ValueError(_("No SELinux Policy installed"))
ValueError: No SELinux Policy installed

  Running scriptlet: tpm2-abrmd-selinux-2.0.0-2.fc29.noarch                                             267/315 
cp: cannot stat '/etc/selinux/targeted/contexts/files/file_contexts': No such file or directory
error: %prein(tpm2-abrmd-selinux-2.0.0-2.fc29.noarch) scriptlet failed, exit status 1

Error in PREIN scriptlet in rpm package tpm2-abrmd-selinux

tosmi avatar tosmi commented on September 13, 2024

Does your rpm work if you install selinux-policy-targeted inside the container? You will see a permission denied error when you install that rpm, but IMHO this can be ignored (it seems the package tries to load the policies, which obviously does not work inside the container).

debarshiray avatar debarshiray commented on September 13, 2024

Thanks for digging that up, @tosmi!

debarshiray avatar debarshiray commented on September 13, 2024

The toolbox containers are created with --security-opt label=disable, which turns off SELinux labelling. I wonder if removing that can help.

Labelling was turned off because some time ago, it would make container creation (or was it something else? I can't remember) really slow. However, I took that option out to enable labelling, and it didn't seem noticeably slow. Maybe Podman got better at this?

rhatdan avatar rhatdan commented on September 13, 2024

@debarshiray The issue is that /sys/fs/selinux is being mounted into the container. We saw this yesterday.
This is causing SELinux labeling to be turned on IFF you have selinux-policy installed in an image and are running with --net=host.

podman run IMAGE id -Z
should tell you SELinux is disabled.
But if you run
podman run --net=host IMAGE id -Z
it tells you the SELinux label.

This means tools inside the container like RPM attempt to do labeling, which is the wrong thing to do whether or not SELinux separation is enabled.

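The condition rhatdan describes (a container that can see a live selinuxfs behaves as if SELinux were enabled, so rpm's selinux plugin tries to label files) can be turned into a small diagnostic. The script below is an added example, not code from the podman or toolbox projects; the ROOT argument to the check functions and the fixture directories and mounts-file lines are constructed for offline testing and are not real container data.

```shell
#!/bin/sh
# Added diagnostic (not from podman or toolbox): decide whether a container will
# act as if SELinux is enabled, i.e. whether a live selinuxfs is visible to it.
# libselinux keys off the selinuxfs mount, so when it is visible, rpm's selinux
# plugin and similar tools attempt file labelling.

# Report whether a selinuxfs mount is visible under ROOT (default: "/").
# ROOT is a hypothetical parameter so the check can run against a fixture.
selinux_visible() {
    root="${1:-}"
    [ -r "$root/sys/fs/selinux/enforce" ] && [ -d "$root/sys/fs/selinux/class" ]
}

# Same question answered from a /proc/self/mounts-style file: field 3 is the
# filesystem type; a selinuxfs entry is what the --net=host case leaks in.
selinuxfs_in_mounts() {
    awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# Human-readable verdict; returns 1 when labelling would be attempted.
diagnose() {
    if selinux_visible "$1"; then
        echo "selinuxfs is visible: tools such as rpm will try to label files"
        return 1
    fi
    echo "selinuxfs is not visible: labelling inside the container is off"
    return 0
}

# Constructed fixture: two fake roots and two fake mounts files (not real data).
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/leaky/sys/fs/selinux/class" "$dir/clean/sys/fs"
    printf '1\n' > "$dir/leaky/sys/fs/selinux/enforce"
    cat > "$dir/leaky.mounts" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
EOF
    cat > "$dir/clean.mounts" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
EOF
    echo "$dir"
}

# Run against the current environment when executed directly.
diagnose "" || :
```

Run it inside a toolbox container, once with the default network and once with --net=host, to see the two outcomes rhatdan describes; a "visible" verdict means package scriptlets that touch SELinux contexts will run against a policy the container does not control, which is the situation the podman fix above removes.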

rhatdan avatar rhatdan commented on September 13, 2024

containers/podman#2613 fixes this problem.

rhatdan avatar rhatdan commented on September 13, 2024

@mheon we might want to consider a new release of podman for this issue.

mheon avatar mheon commented on September 13, 2024

@rhatdan I'd like to wait a week for things to settle a bit more, and for Brent to do more work on healthchecks. Once he lands his healthchecks v3 PR, I think we're good for a 1.2 release.

debarshiray avatar debarshiray commented on September 13, 2024

Thanks for the explanation and the fix, @rhatdan.

I realized that I didn't have selinux-policy in my toolboxes, which is why I wasn't able to reproduce this. @hughsie probably managed to pull it in as a side-effect of something else.

hughsie avatar hughsie commented on September 13, 2024

probably managed to pull it in as a side-effect of something else

Indeed I did.

debarshiray avatar debarshiray commented on September 13, 2024

Ok, great! Thanks everybody. Closing.
