Docker/Podman SELinux Udica - rootless container cannot mount/run from the mapped entrypoint script

I like to use steamcmd as a rootless Docker container for my server user. But steamcmd is normally supposed to be installed as a regular user under /opt/steam/steamcmd/steamcmd.sh.

I created a custom steamcmd.sh that runs the docker/podman container with the steamcmd args and passes the caller's user ID into the environment.

I replaced the default entrypoint script with a custom entrypoint script, /opt/steam/steamcmd/steamcmd.docker.sh (steamuser).

When I run the container as root everything works, but when I try it with the server user I get "Error: error stat'ing file /opt/steam/steamcmd/steamcmd.docker.sh: permission denied: OCI permission denied".

SELinux on my host is in permissive mode. So I checked the logs, and they gave me the following message:

Mai 06 02:13:48 host setroubleshoot[81420]: SELinux is preventing steamcmd.replace from read access on the file steamcmd.docker.sh.
    If you believe that steamcmd.replac should be allowed read access on the steamcmd.docker.sh file by default.
    # ausearch -c 'steamcmd.replace' --raw | audit2allow -M my-steamcmdreplace
    # semodule -X 300 -i my-steamcmdreplace.pp

I generated that file, and it contains the following:

module my-steamcmdreplace 1.0;

require {
    type container_t;
    type etc_t;
    class file entrypoint;
}

#============= container_t ==============
allow container_t etc_t:file entrypoint;

The second SELinux message is:

Mai 05 01:30:29 host setroubleshoot[3763945]: SELinux is preventing /bin/dash from entrypoint access on the file /usr/bin/steamcmd.replace.
    If you believe that dash should be allowed entrypoint access on the steamcmd.replace file by default.

I added the module, but nothing changed - so I tried using udica to generate a container policy - but it only works on a running container - so I used the container run as root.

I manually added the rules to the udica-generated module, which contains the following:

(block steamcmd
    (blockinherit container)
    (allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot )))

    (allow process usr_t ( dir ( getattr ioctl lock open read search )))
    (allow process usr_t ( file ( getattr ioctl lock open read )))
    (allow process usr_t ( sock_file ( getattr open read )))
    (allow process usr_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
    (allow process usr_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
    (allow process usr_t ( sock_file ( append getattr open read write )))
    (allow container_t etc_t (file (entrypoint)))
)

The command that runs the container from serveruser is:

podman run --network=host --dns 8.8.8.8 --security-opt label=type:steamcmd.process -t --rm --entrypoint 'steamcmd.replace' --name steamcmd -v /opt/steam/steamcmd/steamcmd.docker.sh:/usr/bin/steamcmd.replace:z -v .:/data docker.io/steamcmd/steamcmd:latest +force_install_dir /data validate

What is the cause of this?
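As an added example (not part of the question, of udica or of podman; the paths are assumptions), a POSIX shell pre-flight that checks the two things the post juggles: whether the calling user can traverse and read the bind-mounted script, which a rootless runtime needs before SELinux is consulted (in permissive mode SELinux does not deny, so a stat failure points at discretionary permissions as seen by that user), and which source type each `entrypoint` allow rule in the CIL policy names, since inside a udica block `process` is the domain selected by `label=type:steamcmd.process` while `container_t` is the stock type.

```shell
#!/bin/sh
# Added example, not from the question. Paths used in comments are assumptions.

# 1. Can the invoking (unprivileged) user traverse every parent directory and
#    read+execute the script? Rootless podman stats the mount source as that
#    user, so a DAC failure here surfaces as "stat ...: permission denied".
check_mount_source() {
  src=$1
  rc=0
  dir=$(dirname "$src")
  while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
    [ -x "$dir" ] || { echo "no search permission on directory: $dir"; rc=1; }
    dir=$(dirname "$dir")
  done
  [ -r "$src" ] || { echo "not readable: $src"; rc=1; }
  [ -x "$src" ] || { echo "not executable: $src"; rc=1; }
  # Show the SELinux label when the host has SELinux; ':z' on the mount
  # relabels the source to container_file_t, so an unexpected label is a hint.
  if command -v getenforce >/dev/null 2>&1; then ls -Z "$src" 2>/dev/null || true; fi
  return $rc
}

# 2. Print the source type of every allow rule in a CIL file that grants
#    'entrypoint'. Inside a udica block, 'process' is the custom domain chosen
#    by --security-opt label=type:<block>.process; 'container_t' is the stock type.
cil_entrypoint_sources() {
  sed -n 's/^[[:space:]]*(allow[[:space:]][[:space:]]*\([^[:space:]]*\).*entrypoint.*/\1/p' "$1"
}

# Usage (assumed paths):
#   check_mount_source /opt/steam/steamcmd/steamcmd.docker.sh
#   cil_entrypoint_sources steamcmd.cil
```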
