
Comments (11)

pebenito avatar pebenito commented on June 2, 2024 1

That works, but still completely breaks privileged containers instead of only breaking the privileged operations.

That's true, but unfortunately doesn't address @patsys' desire to have a completely custom type in place of spc_t.

@patsys would you clarify your needs? is your need to have a completely custom type, not even using the container_template()?

It is certainly possible though to go through the privileges spc_t has and put as much of them as (realistically) possible behind tunables. I don't mind volunteering towards that effort.

I don't think this is necessary, at least at this time.

from refpolicy.

0xC0ncord avatar 0xC0ncord commented on June 2, 2024

While this is a relatively simple change to implement I'm not sure this would be within the scope of refpolicy as opposed to a custom policy. I think if this were added, I would make the relevant rules tunable and make this tunable enabled by default. Disabling this tunable would effectively break all privileged containers though until you implement your own transition rules.

This got me curious though, as I would imagine it should be possible to deploy a workload like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-selinux
  labels:
    environment: test
spec:
  selector:
    matchLabels:
      environment: test
  template:
    metadata:
      labels:
        environment: test
    spec:
      containers:
        - name: busybox
          image: busybox
          command:
            - /bin/sleep
          args:
            - infinity
          securityContext:
            privileged: true
            seLinuxOptions:
              type: container_t

Note the presence of privileged: true and the manually specified SELinux type. Unfortunately this still creates a container running as spc_t in my testing (at least with CRI-O 1.26.0) which is unfortunate.

from refpolicy.

patsys avatar patsys commented on June 2, 2024

Thanks for the quick answer.

Making this tunable enabled by default is what I want.
When it is set from the distro policy, it is not simple for me to overwrite.

With cri-o it should work with 1.27.0+, but I have not got it running at the moment.

Edit:
On my setup with cri-o 1.29.0 I also get spc_t.

from refpolicy.

0xC0ncord avatar 0xC0ncord commented on June 2, 2024

@pebenito What do you think? While I think this is technically out of scope for refpolicy, I'm of the opinion that more flexibility is always nice as long as it doesn't break existing stuff.

from refpolicy.

pebenito avatar pebenito commented on June 2, 2024

We can't totally remove the domain by tunables (type decls can't be tunable). How about a tunable that would remove all of the privilege from spc_t, making it a regular unpriv container, the same as container_t?

from refpolicy.

0xC0ncord avatar 0xC0ncord commented on June 2, 2024

We can't totally remove the domain by tunables (type decls can't be tunable). How about a tunable that would remove all of the privilege from spc_t, making it a regular unpriv container, the same as container_t?

Wouldn't a tunable that removes the type_transition to spc_t work?

from refpolicy.

pebenito avatar pebenito commented on June 2, 2024

We can't totally remove the domain by tunables (type decls can't be tunable). How about a tunable that would remove all of the privilege from spc_t, making it a regular unpriv container, the same as container_t?

Wouldn't a tunable that removes the type_transition to spc_t work?

That works, but still completely breaks privileged containers instead of only breaking the privileged operations.

from refpolicy.

0xC0ncord avatar 0xC0ncord commented on June 2, 2024

That works, but still completely breaks privileged containers instead of only breaking the privileged operations.

That's true, but unfortunately doesn't address @patsys' desire to have a completely custom type in place of spc_t.

It is certainly possible though to go through the privileges spc_t has and put as much of them as (realistically) possible behind tunables. I don't mind volunteering towards that effort.

from refpolicy.
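A sketch of the two tunable designs discussed above, written here as an added illustration in refpolicy style (this is not code from refpolicy's container module). The tunable names, the runtime type `container_runtime_t` used as the transition source, and the specific rules placed under the tunables are assumptions chosen to show the structure; the real spc_t rule set is larger.

```selinux
## <desc>
## <p>
## Transition privileged containers into spc_t. When disabled, the
## transition rule is gone and privileged containers fail to start
## (the "breaks privileged containers" option from the thread).
## </p>
## </desc>
gen_tunable(container_spc_transition, true)

## <desc>
## <p>
## Grant spc_t its extra privileges. When disabled, spc_t still exists
## and the transition still happens, but the domain is reduced to the
## access of an ordinary container_t (the "strip the privileges" option).
## </p>
## </desc>
gen_tunable(container_spc_privileged, true)

# Type declarations are not allowed inside tunable_policy/if blocks,
# so the domain itself is always present regardless of either tunable.
type spc_t;
domain_type(spc_t)

tunable_policy(`container_spc_transition',`
	# Assumed: runtime (container_runtime_t) executing a container
	# entrypoint labelled container_file_t lands in spc_t.
	domtrans_pattern(container_runtime_t, container_file_t, spc_t)
')

tunable_policy(`container_spc_privileged',`
	# Assumed sample of privileged-only access; every rule that makes
	# spc_t more powerful than container_t would be moved in here.
	allow spc_t self:capability { sys_admin sys_module sys_rawio };
	allow spc_t self:capability2 { mac_admin mac_override };
')
```

With both tunables on, behaviour matches today's policy; setting only `container_spc_privileged` off gives the reduced spc_t pebenito describes, while the workload still starts.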

patsys avatar patsys commented on June 2, 2024

Hello,
thanks for the response.

At the moment I have only 1 case in my Kubernetes where I need a privileged container, for Longhorn; for all other containers it was possible to remove the privilege and set a custom type.

Removing the privileges that are not needed is a good step for me; getting custom labels would be better, but that is not really possible.

from refpolicy.

github-actions avatar github-actions commented on June 2, 2024

This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress.

from refpolicy.

github-actions avatar github-actions commented on June 2, 2024

Closing stale PR.

from refpolicy.
