
Inside a container selinux.Chcon fails although chcon command succeeds in applying a SELinux context #215

Closed
empovit opened this issue Jul 31, 2024 · 5 comments

Comments

@empovit

empovit commented Jul 31, 2024

When executed inside a container, the following code

selinux.Chcon("/mps/nvidia.com/gpu/pipe", "container_file_t", true)

fails for me with

lsetxattr /mps/nvidia.com/gpu/pipe: invalid argument

However, this code runs without errors and successfully updates the SELinux type:

import (
	"os/exec"

	"k8s.io/klog/v2" // klog import path assumed; the original snippet did not show it
)

// Shell out to chcon instead of calling selinux.Chcon; this path succeeds.
chconCmd := exec.Command("chcon", "-R", "-t", "container_file_t", "/mps/nvidia.com/gpu/pipe")
output, err := chconCmd.CombinedOutput()
if err != nil {
	klog.Errorf("\n%v", string(output))
	return err
}

The container is running privileged on OpenShift (RHCOS).

@rhatdan
Collaborator

rhatdan commented Jul 31, 2024

I do not know what label is being set, which could cause that error. I opened #216 to display the error.

I would think this is something to do with SELinux failing to get the correct label when run within a container, but I am not sure.

@empovit
Author

empovit commented Aug 14, 2024

Thank you @rhatdan. I've applied the patch and the error message I'm now getting is

lsetxattr(label=container_file_t) /mps/nvidia.com/gpu/pipe: invalid argument

@rhatdan
Collaborator

rhatdan commented Aug 16, 2024

Try
selinux.Chcon("/mps/nvidia.com/gpu/pipe", "system_u:object_r:container_file_t:s0", true)

@empovit
Author

empovit commented Aug 19, 2024

Thanks @rhatdan, it worked!

Why is there a discrepancy between the API and the command? Should I read the full context first, then modify the type and write the context back? This is what chcon -t does, I assume. Or is it safe to apply the full label right away?

@rhatdan
Collaborator

rhatdan commented Aug 19, 2024

An SELinux label is "system_u:object_r:container_file_t:s0", not "container_file_t". When dealing with labels, the use of container_file_t as the type is expanded to the full SELinux label based on the process setting the label.

ps -eZ | grep podman
unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 69276 pts/0 00:00:00 podman

Setting the container_file_t would become

unconfined_u:object_r:container_file_t:s0-s0:c0.c1023

Thus the SELinux user is unconfined_u; the SELinux MCS label is s0-s0:c0.c1023; and the specified type is container_file_t.

The role object_r is used because file types do not have roles, so we hard-code object_r for all file types.

@rhatdan rhatdan closed this as completed Aug 19, 2024
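The expansion rule described in the last comment, written out as an added Go example. This is my own illustration, not go-selinux's implementation: it takes the calling process's context (read from /proc/self/attr/current, the kernel's SELinux interface, or a constructed podman label copied from the comment above when that file is unavailable), keeps the SELinux user and MCS range from it, hard-codes the role object_r, and substitutes the requested type. A label that already has all four fields is passed through unchanged, which is why the full "system_u:object_r:container_file_t:s0" form worked in the issue. The function names expandType and readProcLabel are assumptions for this example only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// expandType turns a bare SELinux type into a full file label using the
// rule from the comment above: user and MCS range come from the calling
// process's label, the role is always object_r for file objects, and the
// type is the one requested. A label that already has the four
// user:role:type:range fields is returned unchanged.
func expandType(procLabel, want string) (string, error) {
	// Three or more colons means user:role:type:range is already present
	// (the range itself may contain colons, e.g. s0-s0:c0.c1023).
	if strings.Count(want, ":") >= 3 {
		return want, nil
	}
	if strings.Contains(want, ":") {
		return "", fmt.Errorf("%q is neither a bare type nor a full label", want)
	}
	// SplitN with 4 keeps any colons inside the MCS range together.
	parts := strings.SplitN(procLabel, ":", 4)
	if len(parts) != 4 {
		return "", errors.New("process label is not of the form user:role:type:range")
	}
	user, mcs := parts[0], parts[3]
	return strings.Join([]string{user, "object_r", want, mcs}, ":"), nil
}

// readProcLabel returns the current process's SELinux context, or an error
// on hosts without SELinux. The kernel exposes it at /proc/self/attr/current.
func readProcLabel() (string, error) {
	b, err := os.ReadFile("/proc/self/attr/current")
	if err != nil {
		return "", err
	}
	label := strings.TrimRight(string(b), "\x00\n")
	if label == "" {
		return "", errors.New("empty SELinux context")
	}
	return label, nil
}

func main() {
	procLabel, err := readProcLabel()
	if err != nil {
		// Constructed fallback: the podman label quoted in the comment above.
		procLabel = "unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023"
		fmt.Println("no SELinux context available, using constructed label:", procLabel)
	}
	for _, want := range []string{"container_file_t", "system_u:object_r:container_file_t:s0"} {
		full, err := expandType(procLabel, want)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-40s -> %s\n", want, full)
	}
}
```

Running this on a host without SELinux still shows the expansion using the constructed podman label; on an SELinux host it shows what a bare type expands to for your own process, which is the value to compare against the "invalid argument" failure when the process context (for example inside a container) does not yield a label the policy accepts.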