Understanding SELinux Roles
I received a container bugzilla today for someone who was attempting to assign a container process to the object_r role. Hopefully this blog will help explain how roles work with SELinux. When we...
Be careful relabeling volumes with Container run times. Sometimes things can...
I recently received an email from someone who made the mistake of volume mounting /root into his container with the :Z option:
docker run -ti -v /root:/root:Z fedora sh
The container ran fine, and...
SELinux and --no-new-privs and the setpriv command.
BOUNDED TRANSITIONS: SELinux transitions are in some ways similar to a setuid executable in that when a transition happens the new process has different security properties than the calling process....
What capabilities do I really need in my container?
I have written previous blogs discussing using Linux capabilities in containers: "Secure Your Containers with this One Weird Trick" and "Container Tidbits: Adding Capabilities to a Container". Recently I gave a...
Quick Blog on Buildah.
Buildah is a new tool that we released last week for building containers without requiring a container runtime daemon running. --nodockerneeded. Here is a blog that talks about some of its...
New version of buildah 0.2 released to Fedora.
New features and bugfixes in this release. Updated commands: buildah run: add support for -- ending options parsing; add a way to disable PTY allocation; handle run without an explicit command...
Why all the DAC_READ_SEARCH AVC messages?
If you follow SELinux policy bugs being reported in bugzilla you might have noticed a spike in messages about random domains being denied DAC_READ_SEARCH. Let's quickly look at what the DAC_READ_SEARCH...
SELinux blocks loading kernel modules
The kernel has a feature where it will load certain kernel modules for a process, when certain syscalls are made. For example, loading a kernel module when a process attempts to create a different...
Attributes make writing SELinux policy easier
Yesterday I received an email from someone who was attempting to write SELinux policy for a daemon process, "abcd", that he was being required to run on his systems. "... Here's the problem: the ******...
Containers and MLS
I have just updated the container-selinux policy to support MLS (Multi Level Security). SELinux and Container technology have a long history together. Some people imagine that containers started just...
Teaching an old dog new tricks
I have been working on SELinux for over 15 years. I switched my primary job to working on containers several years ago, but one of the first things I did with containers was to add SELinux support....
SELinux should and does BLOCK access to Docker socket
I get lots of bugs from people complaining about SELinux blocking access to the Docker socket. For example https://bugzilla.redhat.com/show_bug.cgi?id=1557893. The aggravating thing is, this is exactly...
SELinux and Containers
Next week at the Red Hat summit, I have a short session to talk about SELinux and Containers. I am constantly reminded in bugzilla about how great the combination is. It truly is like Peanut Butter...
Share Certs Data into a container.
Last week, on the Fedora Users list someone was asking a question about getting SELinux to work with a container. The mailer said that he was sharing certs into the container but SELinux was blocking...
container_t versus svirt_lxc_net_t
For some reason recently I have been asked via email and twitter about what the difference is between the container_t type and the svirt_lxc_net_t type. Or similarly between container_file_t and...
Customizing container types
In my previous blog, I talked about the container types container_t and svirt_lxc_net_t. Today I got an email asking about the new container_t type replacing svirt_lxc_net_t. On 05/23/2018 11:50 PM,...
SELinux team works to remove DAC_OVERRIDE Permissions.
DAC_OVERRIDE is one of the most powerful capabilities, and most app developers don't understand when they are taking advantage of it, or how easy it is to eliminate the need. What is DAC_OVERRIDE? man...
Cool SELinux hack provided by systemd
Sometimes content is created in /run during boot that ends up mislabeled. We sometimes hear, "every time I boot, this file gets created with the wrong label." This can happen if initramfs is creating...
Fun with DAC_OVERRIDE and SELinux
Lately the SELinux team has been trying to remove DAC_OVERRIDE from as many SELinux domain types as possible. man capabilities... CAP_DAC_OVERRIDE: Bypass file read, write, and execute...
unlabeled_t type
I often see bug reports or people showing AVC messages about confined domains not being able to deal with unlabeled_t files. type=AVC msg=audit(1530786314.091:639): avc: denied { read } for pid=4698...
SELinux prevent users from executing programs, for security? Who cares.
I recently received the following email about using SELinux to prevent users from executing programs: "I just started to learn SELinux and this is a nice utility if you want to confine any user who interact...
SELinux blocks podman container from talking to libvirt
I received this bug report this week. "I see this when I try to use vagrant from a container using podman on Fedora 29 Beta. Podman version: 0.8.4. Command to run container: sudo podman run -it --rm -v...
Container Labeling
An issue was recently raised on libpod, the github repo for Podman: "container_t isn't allowed to access container_var_lib_t". Container policy is defined in the container-selinux package. By default...
Musings on Hybrid Cloud
I work on the lowest levels of container runtimes and usually around process security. My team and I work on basically everything needed to run containers on the host operating system under Kubernetes....
Container Domains (Types)
One of the things people have always had a hard time understanding about SELinux is the different types. In this blog, I am going to discuss Container Domains. Recently I had someone questioning me...