How do I get SELinux to allow runc to transition to container_t?

I am following these simple instructions from this page on Fedora 36:

docker pull aflplusplus/aflplusplus:
docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus

However, I get the following SELinux error:

SELinux is preventing runc:[2:INIT] from using the transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that runc:[2:INIT] should be allowed transition access on processes labeled container_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
# semodule -X 300 -i my-runc2INIT.pp

Additional Information:
Source Context                system_u:system_r:unconfined_service_t:s0
Target Context                system_u:system_r:container_t:s0:c149,c848
Target Objects                /usr/bin/bash [ process ]
Source                        runc:[2:INIT]
Source Path                   runc:[2:INIT]
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           bash-5.2.15-1.fc36.x86_64
SELinux Policy RPM            selinux-policy-targeted-36.17-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.17-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 6.1.13-100.fc36.x86_64
                              #1 SMP PREEMPT_DYNAMIC Wed Feb 22 18:13:06 UTC
                              2023 x86_64 x86_64
Alert Count                   1
First Seen                    2023-07-23 01:36:16 PDT
Last Seen                     2023-07-23 01:36:16 PDT
Local ID                      c389e11d-1f68-4433-b24e-27b54adbb8a9

Raw Audit Messages
type=AVC msg=audit(1690101376.101:6745): avc:  denied  { transition } for  pid=2847426 comm="runc:[2:INIT]" path="/usr/bin/bash" dev="overlay" ino=2172597 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c149,c848 tclass=process permissive=0


Hash: runc:[2:INIT],unconfined_service_t,container_t,process,transition

How can I allow this operation? I have already tried the following:

sudo semanage fcontext -a -t container_t "/usr/bin/runc"
sudo semanage fcontext -a -t container_t "/usr/bin/bash"

I also tried the temporary fix from the error message, but it failed:

Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1245
Failed to resolve AST
semodule:  Failed!

The semanage commands also fail, giving:

ValueError: Type container_t is invalid, must be a file or device type

I have run rpm -qa|grep selinux|sort, which outputs:

container-selinux-2.199.0-1.fc36.noarch
flatpak-selinux-1.12.7-5.fc36.noarch
libselinux-3.3-4.fc36.x86_64
libselinux-devel-3.3-4.fc36.x86_64
libselinux-utils-3.3-4.fc36.x86_64
python3-libselinux-3.3-4.fc36.x86_64
rpm-plugin-selinux-4.17.1-3.fc36.x86_64
selinux-policy-36.17-1.fc36.noarch
selinux-policy-targeted-36.17-1.fc36.noarch
snapd-selinux-2.57.6-2.fc36.noarch
tpm2-abrmd-selinux-2.3.1-5.fc36.noarch

Answer 1

The system has already told you how to allow the transition from unconfined_service_t to container_t. See this part of the message you quoted:

Do allow this access for now by executing:
# ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
# semodule -X 300 -i my-runc2INIT.pp

The # at the beginning indicates that the command should be executed as root. It is not part of the command; it just represents the root command prompt. If you simply copy and paste the whole line as a command, the shell will interpret the # as a comment marker and nothing will be executed.

The first command, ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT, finds the exact event in the audit log and feeds it to audit2allow, which creates a my-runc2INIT SELinux rule module (a my-runc2INIT.pp file).

The second command installs the rule module so that it takes effect.

If you want to remove the custom rule later, semodule -r my-runc2INIT should do it.
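Before installing a module generated by audit2allow it is worth reading the rule it will add, so that the grant is only the one transition from the denial and nothing wider. The script below is an added example (not part of the answer or of audit2allow itself): it parses the raw AVC line from the question and renders the same allow rule and .te module that audit2allow -M would write for it; the exact layout of audit2allow's output is reproduced only approximately.

```shell
# Constructed sample: the raw AVC line from the question, as one string.
AVC_SAMPLE='type=AVC msg=audit(1690101376.101:6745): avc:  denied  { transition } for  pid=2847426 comm="runc:[2:INIT]" path="/usr/bin/bash" dev="overlay" ino=2172597 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c149,c848 tclass=process permissive=0'

# Pull one key=value field (scontext, tcontext, tclass, ...) out of an AVC line.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# A context is user:role:type:level; the type is the third component, so the
# MCS categories (c149,c848) are dropped, exactly as audit2allow does.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# The denied permissions sit between the braces after "denied".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# Parse one AVC line into the pieces a type-enforcement rule needs.
avc_parse() {
  AVC_SRC=$(context_type "$(avc_field "$1" scontext)")
  AVC_TGT=$(context_type "$(avc_field "$1" tcontext)")
  AVC_CLS=$(avc_field "$1" tclass)
  AVC_PERMS=$(avc_perms "$1")
  case $AVC_PERMS in
    *" "*) AVC_PERMS="{ $AVC_PERMS }" ;;   # several permissions need braces
  esac
}

# The single allow rule this denial turns into.
avc_allow_rule() {
  avc_parse "$1"
  printf 'allow %s %s:%s %s;\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
}

# The whole .te module ($1 = module name, $2 = AVC line), for review
# before `semodule -i` makes it part of the running policy.
avc_te_module() {
  avc_parse "$2"
  printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' \
    "$1" "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
  printf 'allow %s %s:%s %s;\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
}

avc_te_module my-runc2INIT "$AVC_SAMPLE"
```

On a real system the same review is done with `ausearch -c 'runc:[2:INIT]' --raw | audit2allow` (without -M), which prints the rule instead of building the module.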
