Howdy folks!
I have an interesting concoction of technologies mixed together and have found myself in a pickle.
Currently I have a host that has pods with containers. From the host I am using rclone hooked up to Google Drive (and fuse mounted).
When looking at the directory I have mounted with rclone, you see the following SELinux label: system_u:object_r:fusefs_t:s0
Trying to relabel this with chcon does not work (probably expected); I get permission denied.
Mounting the volume into the container with :z exhibits similar behavior:
Error: relabel failed "/gdrive": operation not supported
I then bash into a test CentOS container with the volume mapped in (without the :z labeling) and attempt to touch a file to generate an audit alert:
sudo grep touch /var/log/audit/audit.log
type=AVC msg=audit(1603873529.524:951948): avc: denied { write } for pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297 scontext=system_u:system_r:container_t:s0:c296,c525 tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir permissive=0
After finding the event, I attempt to pipe this into audit2allow:
grep touch /var/log/audit/audit.log | audit2allow -R -M gdrive_allow
I then ran into this error:
could not open interface info [/var/lib/sepolgen/interface_info]
At which point I installed sepolgen-ifgen; I then re-ran the audit2allow command.
This is where I get some interesting behavior:
compilation failed: find: ‘thinclient_drives’: Permission denied
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:60: Error: duplicate definition of container_runtime_exec(). Original definition on 60.
/usr/share/selinux/devel/include/services/container.if:79: Error: duplicate definition of container_read_state(). Original definition on 79.
/usr/share/selinux/devel/include/services/container.if:97: Error: duplicate definition of container_search_lib(). Original definition on 97.
/usr/share/selinux/devel/include/services/container.if:116: Error: duplicate definition of container_exec_lib(). Original definition on 116.
/usr/share/selinux/devel/include/services/container.if:135: Error: duplicate definition of container_read_lib_files(). Original definition on 135.
/usr/share/selinux/devel/include/services/container.if:154: Error: duplicate definition of container_read_share_files(). Original definition on 154.
/usr/share/selinux/devel/include/services/container.if:175: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 175.
/usr/share/selinux/devel/include/services/container.if:196: Error: duplicate definition of container_manage_share_files(). Original definition on 196.
/usr/share/selinux/devel/include/services/container.if:217: Error: duplicate definition of container_manage_share_dirs(). Original definition on 217.
/usr/share/selinux/devel/include/services/container.if:237: Error: duplicate definition of container_exec_share_files(). Original definition on 237.
/usr/share/selinux/devel/include/services/container.if:255: Error: duplicate definition of container_manage_config_files(). Original definition on 255.
/usr/share/selinux/devel/include/services/container.if:274: Error: duplicate definition of container_manage_lib_files(). Original definition on 274.
/usr/share/selinux/devel/include/services/container.if:294: Error: duplicate definition of container_manage_files(). Original definition on 294.
/usr/share/selinux/devel/include/services/container.if:313: Error: duplicate definition of container_manage_dirs(). Original definition on 313.
/usr/share/selinux/devel/include/services/container.if:331: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 331.
/usr/share/selinux/devel/include/services/container.if:367: Error: duplicate definition of container_lib_filetrans(). Original definition on 367.
/usr/share/selinux/devel/include/services/container.if:385: Error: duplicate definition of container_read_pid_files(). Original definition on 385.
/usr/share/selinux/devel/include/services/container.if:404: Error: duplicate definition of container_systemctl(). Original definition on 404.
/usr/share/selinux/devel/include/services/container.if:429: Error: duplicate definition of container_rw_sem(). Original definition on 429.
/usr/share/selinux/devel/include/services/container.if:448: Error: duplicate definition of container_append_file(). Original definition on 448.
/usr/share/selinux/devel/include/services/container.if:466: Error: duplicate definition of container_use_ptys(). Original definition on 466.
/usr/share/selinux/devel/include/services/container.if:484: Error: duplicate definition of container_filetrans_named_content(). Original definition on 484.
/usr/share/selinux/devel/include/services/container.if:537: Error: duplicate definition of container_stream_connect(). Original definition on 546.
/usr/share/selinux/devel/include/services/container.if:558: Error: duplicate definition of container_spc_stream_connect(). Original definition on 567.
/usr/share/selinux/devel/include/services/container.if:579: Error: duplicate definition of container_admin(). Original definition on 588.
/usr/share/selinux/devel/include/services/container.if:626: Error: duplicate definition of container_auth_domtrans(). Original definition on 635.
/usr/share/selinux/devel/include/services/container.if:645: Error: duplicate definition of container_auth_exec(). Original definition on 654.
/usr/share/selinux/devel/include/services/container.if:664: Error: duplicate definition of container_auth_stream_connect(). Original definition on 673.
/usr/share/selinux/devel/include/services/container.if:683: Error: duplicate definition of container_runtime_typebounds(). Original definition on 692.
/usr/share/selinux/devel/include/services/container.if:702: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 711.
/usr/share/selinux/devel/include/services/container.if:709: Error: duplicate definition of docker_exec_lib(). Original definition on 718.
/usr/share/selinux/devel/include/services/container.if:713: Error: duplicate definition of docker_read_share_files(). Original definition on 722.
/usr/share/selinux/devel/include/services/container.if:717: Error: duplicate definition of docker_exec_share_files(). Original definition on 726.
/usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_manage_lib_files(). Original definition on 730.
/usr/share/selinux/devel/include/services/container.if:726: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 735.
/usr/share/selinux/devel/include/services/container.if:730: Error: duplicate definition of docker_lib_filetrans(). Original definition on 739.
/usr/share/selinux/devel/include/services/container.if:734: Error: duplicate definition of docker_read_pid_files(). Original definition on 743.
/usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_systemctl(). Original definition on 747.
/usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_use_ptys(). Original definition on 751.
/usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_stream_connect(). Original definition on 755.
/usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 759.
/usr/share/selinux/devel/include/services/container.if:764: Error: duplicate definition of container_spc_read_state(). Original definition on 773.
/usr/share/selinux/devel/include/services/container.if:783: Error: duplicate definition of container_runtime_domain_template(). Original definition on 792.
/usr/share/selinux/devel/include/services/container.if:819: Error: duplicate definition of container_domain_template(). Original definition on 828.
/usr/share/selinux/devel/include/services/container.if:847: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 856.
Compiling targeted gdrive_allow module
gdrive_allow.te:15:ERROR 'syntax error' at token 'mlsconstrain' on line 3339:
# mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { write setattr append unlink link rename add_name remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/gdrive_allow.mod] Error 1
What stands out here is "gdrive_allow.te:15:ERROR 'syntax error' at token 'mlsconstrain' on line 3339". This leads me to believe that audit2allow is not equipped to handle this kind of rule, specifically:
policy_module(gdrive_allow, 1.0)
require {
type container_file_t;
type container_t;
class dir write;
}
#============= container_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { write setattr append unlink link rename add_name remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { relabelfrom } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { create relabelto } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0:c296,c525) and target level (s0:c332,c605) are different.
allow container_t container_file_t:dir write;
At the current point in time, I am at a standstill, as I cannot relabel the source. Any help would be extremely appreciated; I refuse to turn SELinux off hehe :)
CentOS Linux release 8.2.2004 (Core)
4.18.0-193.19.1.el8_2.x86_64
podman version 1.6.4
container-selinux-2.124.0-1.module_el8.2.0+305+5e198a41.noarch
policycoreutils-devel-2.9-9.el8.x86_64
selinux-policy-devel-3.14.3-41.el8_2.6.noarch
Regards,
Christopher
selinux@lists.fedoraproject.org
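As an added worked example (not part of Christopher's post or of any project's code), the following Python script does the triage the thread turns on: it parses an AVC record such as the one quoted above, compares the MCS level of scontext and tcontext, and reports whether the denial is an ordinary type-enforcement denial (the kind an allow rule can address) or an MCS constraint violation (the kind no allow rule can fix, because the constraint requires the container's categories to dominate the file's). The first sample line is the denial from the post; the other two are constructed variants. The set of MCS-constrained types is an assumption for this example; it holds container_t because the constraint text quoted in the post shows that type is the one being constrained.

```python
import re

# Types the shipped policy's MCS constraints apply to. The constraint quoted in
# the post fires only when t1 has the mcs_constrained_type attribute; container_t
# is assumed here (on a real host, list them with: seinfo -a mcs_constrained_type -x).
MCS_CONSTRAINED_TYPES = {"container_t"}

AVC_RE = re.compile(
    r"denied\s*\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Denial copied from the post.
POST_DENIAL = (
    'type=AVC msg=audit(1603873529.524:951948): avc: denied { write } for pid=2226162 '
    'comm="touch" name="gdrive" dev="dm-0" ino=2359297 '
    "scontext=system_u:system_r:container_t:s0:c296,c525 "
    "tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir permissive=0"
)
# Constructed: same denial, but the directory carries the container's own categories.
CONSTRUCTED_MATCHING = POST_DENIAL.replace("s0:c332,c605", "s0:c296,c525")
# Constructed: same denial, but the container runs with the full category range.
CONSTRUCTED_WIDE = POST_DENIAL.replace("container_t:s0:c296,c525", "container_t:s0:c0.c1023")


def parse_level(level):
    """'s0:c296,c525' or 's0-s0:c0.c1023' -> (high sensitivity, set of category ints)."""
    high = level.split("-")[-1]             # a range's high end is what 'h1 dom h2' compares
    sens_str, _, cat_str = high.partition(":")
    sens = int(sens_str.lstrip("s"))
    cats = set()
    for piece in filter(None, cat_str.split(",")):
        if "." in piece:                    # 'c0.c1023' is an inclusive range
            lo, hi = piece.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(piece[1:]))
    return sens, cats


def parse_context(ctx):
    """'user:role:type:level' -> (type, sensitivity, categories)."""
    _user, _role, type_, level = ctx.split(":", 3)
    sens, cats = parse_level(level)
    return type_, sens, cats


def dominates(a, b):
    """h1 dom h2: sensitivity at least as high and a superset of the categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def classify_avc(line):
    """Classify one AVC record as 'type_enforcement' or 'mcs_constraint'."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    s_type, s_sens, s_cats = parse_context(m["scontext"])
    t_type, t_sens, t_cats = parse_context(m["tcontext"])
    blocked_by_mcs = (s_type in MCS_CONSTRAINED_TYPES
                      and not dominates((s_sens, s_cats), (t_sens, t_cats)))
    return {
        "kind": "mcs_constraint" if blocked_by_mcs else "type_enforcement",
        "perms": m["perms"].split(),
        "tclass": m["tclass"],
        "source": s_type,
        "target": t_type,
        # Categories the target has that the source lacks; non-empty means no allow rule helps.
        "missing_categories": sorted(t_cats - s_cats),
    }


if __name__ == "__main__":
    for label, line in (("post", POST_DENIAL), ("matching", CONSTRUCTED_MATCHING),
                        ("wide", CONSTRUCTED_WIDE)):
        r = classify_avc(line)
        print(f"{label}: {r['kind']}  {r['source']} -> {r['target']}:{r['tclass']} {r['perms']}")
        if r["kind"] == "mcs_constraint":
            print(f"  an allow rule will not help; source lacks categories {r['missing_categories']}")
```

For the post's record the script reports an MCS constraint violation with missing categories 332 and 605, which is the same conclusion audit2allow states in its comment ("This avc is a constraint violation"); the allow rule it emits, even once the uncommented mlsconstrain lines are stripped so the module compiles, changes nothing. What has to change is the level on one side: either the directory gets the container's categories (the :z relabel, which the FUSE mount refuses here) or the container is started with the directory's categories (podman's --security-opt label=level:s0:c332,c605).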