system_u:object_r:fusefs_t:s0
Trying to relabel this with chcon does not work (probably expected) getting permission denied.
When mounting the volume into the container with :z exhibits similar behavior:
Error: relabel failed "/gdrive": operation not supported
I then bash into a test CentOS container with the volume mapped in (without the labeling :z) and attempt to touch a file to generate an audit alert:
sudo grep touch /var/log/audit/audit.log
type=AVC msg=audit(1603873529.524:951948): avc: denied { write } for pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297 scontext=system_u:system_r:container_t:s0:c296,c525 tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir permissive=0
After finding the event, I attempt to pipe this into audit2allow:
grep touch /var/log/audit/audit.log | audit2allow -R -M gdrive_allow
I then ran into this error:
could not open interface info [/var/lib/sepolgen/interface_info]
At which point I installed sepolgen-ifge - I then re-ran the audit2allow command.
This is where I get some interesting behavior:
compilation failed:find: ‘thinclient_drives’: Permission denied/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13./usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40./usr/share/selinux/devel/include/services/container.if:60: Error: duplicate definition of container_runtime_exec(). Original definition on 60./usr/share/selinux/devel/include/services/container.if:79: Error: duplicate definition of container_read_state(). Original definition on 79./usr/share/selinux/devel/include/services/container.if:97: Error: duplicate definition of container_search_lib(). Original definition on 97./usr/share/selinux/devel/include/services/container.if:116: Error: duplicate definition of container_exec_lib(). Original definition on 116./usr/share/selinux/devel/include/services/container.if:135: Error: duplicate definition of container_read_lib_files(). Original definition on 135./usr/share/selinux/devel/include/services/container.if:154: Error: duplicate definition of container_read_share_files(). Original definition on 154./usr/share/selinux/devel/include/services/container.if:175: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 175./usr/share/selinux/devel/include/services/container.if:196: Error: duplicate definition of container_manage_share_files(). Original definition on 196./usr/share/selinux/devel/include/services/container.if:217: Error: duplicate definition of container_manage_share_dirs(). Original definition on 217./usr/share/selinux/devel/include/services/container.if:237: Error: duplicate definition of container_exec_share_files(). Original definition on 237./usr/share/selinux/devel/include/services/container.if:255: Error: duplicate definition of container_manage_config_files(). Original definition on 255./usr/share/selinux/devel/include/services/container.if:274: Error: duplicate definition of container_manage_lib_files(). Original definition on 274./usr/share/selinux/devel/include/services/container.if:294: Error: duplicate definition of container_manage_files(). Original definition on 294./usr/share/selinux/devel/include/services/container.if:313: Error: duplicate definition of container_manage_dirs(). Original definition on 313./usr/share/selinux/devel/include/services/container.if:331: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 331./usr/share/selinux/devel/include/services/container.if:367: Error: duplicate definition of container_lib_filetrans(). Original definition on 367./usr/share/selinux/devel/include/services/container.if:385: Error: duplicate definition of container_read_pid_files(). Original definition on 385./usr/share/selinux/devel/include/services/container.if:404: Error: duplicate definition of container_systemctl(). Original definition on 404./usr/share/selinux/devel/include/services/container.if:429: Error: duplicate definition of container_rw_sem(). Original definition on 429./usr/share/selinux/devel/include/services/container.if:448: Error: duplicate definition of container_append_file(). Original definition on 448./usr/share/selinux/devel/include/services/container.if:466: Error: duplicate definition of container_use_ptys(). Original definition on 466./usr/share/selinux/devel/include/services/container.if:484: Error: duplicate definition of container_filetrans_named_content(). Original definition on 484./usr/share/selinux/devel/include/services/container.if:537: Error: duplicate definition of container_stream_connect(). Original definition on 546./usr/share/selinux/devel/include/services/container.if:558: Error: duplicate definition of container_spc_stream_connect(). Original definition on 567./usr/share/selinux/devel/include/services/container.if:579: Error: duplicate definition of container_admin(). Original definition on 588./usr/share/selinux/devel/include/services/container.if:626: Error: duplicate definition of container_auth_domtrans(). Original definition on 635./usr/share/selinux/devel/include/services/container.if:645: Error: duplicate definition of container_auth_exec(). Original definition on 654./usr/share/selinux/devel/include/services/container.if:664: Error: duplicate definition of container_auth_stream_connect(). Original definition on 673./usr/share/selinux/devel/include/services/container.if:683: Error: duplicate definition of container_runtime_typebounds(). Original definition on 692./usr/share/selinux/devel/include/services/container.if:702: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 711./usr/share/selinux/devel/include/services/container.if:709: Error: duplicate definition of docker_exec_lib(). Original definition on 718./usr/share/selinux/devel/include/services/container.if:713: Error: duplicate definition of docker_read_share_files(). Original definition on 722./usr/share/selinux/devel/include/services/container.if:717: Error: duplicate definition of docker_exec_share_files(). Original definition on 726./usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_manage_lib_files(). Original definition on 730./usr/share/selinux/devel/include/services/container.if:726: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 735./usr/share/selinux/devel/include/services/container.if:730: Error: duplicate definition of docker_lib_filetrans(). Original definition on 739./usr/share/selinux/devel/include/services/container.if:734: Error: duplicate definition of docker_read_pid_files(). Original definition on 743./usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_systemctl(). Original definition on 747./usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_use_ptys(). Original definition on 751./usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_stream_connect(). Original definition on 755./usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 759./usr/share/selinux/devel/include/services/container.if:764: Error: duplicate definition of container_spc_read_state(). Original definition on 773./usr/share/selinux/devel/include/services/container.if:783: Error: duplicate definition of container_runtime_domain_template(). Original definition on 792./usr/share/selinux/devel/include/services/container.if:819: Error: duplicate definition of container_domain_template(). Original definition on 828./usr/share/selinux/devel/include/services/container.if:847: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 856.Compiling targeted gdrive_allow modulegdrive_allow.te:15:ERROR 'syntax error' at token 'mlsconstrain' on line 3339:# mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIEDmlsconstrain dir { write setattr append unlink link rename add_name remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED/usr/bin/checkmodule: error(s) encountered while parsing configurationmake: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/gdrive_allow.mod] Error 1
policy_module(gdrive_allow, 1.0)
require {
type container_file_t;
type container_t;
class dir write;
}
#============= container_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { write setattr append unlink link rename add_name remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { relabelfrom } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { create relabelto } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0:c296,c525) and target level (s0:c332,c605) are different.
allow container_t container_file_t:dir write;
CentOS Linux release 8.2.2004 (Core)
4.18.0-193.19.1.el8_2.x86_64
podman version 1.6.4
container-selinux-2.124.0-1.module_el8.2.0+305+5e198a41.noarch
policycoreutils-devel-2.9-9.el8.x86_64
selinux-policy-devel-3.14.3-41.el8_2.6.noarch
Regards,
Christopher