Add support for confined users

[rhatdan]

The original SELinux support in Docker and Podman does not follow the default SELinux rules for how label transitions are supposed to be handled. Containers always switch their user and role to system_u:system_r, rather then maintain the collers user and role. For example
unconfined_u:unconfined_r:container_t:s0:c1,c2

Advanced SELinux administrators want to confine users but still allow them to create containers from their role, but not allow them to launch a privileged container like spc_t.

This means if a user running as
container_user_u:container_user_r:container_user_t:s0

Ran a container they would get

container_user_u:container_user_r:container_t:s0:c1,c2

If they run a privileged container they would run it with:

container_user_u:container_user_r:container_user_t:s0

If they want to force the label they would get an error

podman run --security-opt label=type:spc_t ...

Should fail. Because the container_user_r can not run with the spc_t.

SELinux rules would also prevent the user from forcing system_u user and the sytem_r role.

Does this PR introduce a user-facing change?

Confined SELinux users can not use podman

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lsm5]

@cevich AFAICT, container-selinux still gets fetched from the default fedora repos?

We should probably switch to fetching all dependencies from rhcontainerbot/podman-next or make it easy to switch from upstream main (podman-next) to default fedora and back. There's a recent container-selinux change which hasn't been released yet but is merged on main and we should be using it for this PR. @rhatdan can correct me.

[lsm5]

@cevich i guess for now, I could rerun CI job with terminal and manually install the copr repo with latest container-selinux. If all goes well, that's good enough for now. That way your [CI:Next] won't be urgent.

[cevich]

As discussed on chat: Let's add a [CI:NEXT] magic string condition to setup_environment.sh. When found in the PR name, it will enable the podman-next COPR and run a dnf upgrade -y. That way changes can be validated not to break the current CI VM image set as well.

[cevich]

Opened #18545

[TomSweeneyRedHat]

LGTM
once the tests get hip.

[cevich]

Just tagged c20230517t144652z-f38f37d12 which has container-selinux-2:2.213.0-1. Feel free to bring it in along with this PR. Renovate will also open a (separate) image-update PR.

[lsm5]

@cevich does [CI:Next] need to be in the commit message, or does simply editing the title on github make it work too ?

[cevich]

If this PR is using c20230426t140447z-f38f37d12, it already has container-selinux-2:2.213.0-1. in the F38 VMs.

If you want it to update at runtime from podman-next COPR, edit the PR description and add [CI:NEXT] (case-sensitive) anywhere in it. Once that's done, turn the PR into a draft[*], then re-push some change to it.

[*]: Under the "reviewers" section at the top is a link "Still in progress? Convert to draft". Click that.

[rhatdan]

The logs says
container-selinux-2.209.0-1.fc37-noarch
And
container-selinux-2.211.0-1.fc38-noarch

[lsm5]

Podman v4.5.1 fedora gating tests are failing and will continue to fail until this patch is included in a release AFAICT. @rhatdan are we ok to waive gating tests on fedora. See: https://artifacts.dev.testing-farm.io/fcd0eecd-53a9-44a1-aa9b-a492e3a00411/work-tests.ymlcm3acqme/tests-x65lqvzh/test.podman-rootless-cgroupsv2.bats.log for example.

[rhatdan]

Yes I would waive the SELinux issues for now.

[rhatdan]

@cevich Can we create a new VM image to contain the latest container-selinux package?

[lsm5]

@cevich Can we create a new VM image to contain the latest container-selinux package?

I'll change this to draft and use [CI:NEXT]. Let's see how that goes.

[lsm5]

@rhatdan please repush to this PR. Hopefully it will pick the latest. The latest container-selinux build is ready on podman-next so repushing should just work.

[cevich]

Can we create a new VM image to contain the latest container-selinux package?

Newer images: #18612 (I'm guessing that fails CI b/c we need this PR?)

[cevich]

I'll change this to draft and use [CI:NEXT]. Let's see how that goes.

FYI - I'm pretty sure the magic string has to be in the PR title, not the description. I may be wrong though - there are several CI env. vars. on this topic and I can't remember which is which off-hand.

[cevich]

(I hit re-run on Build for fedora-38 CI_DESIRED_DATABASE:boltdb, hopefully was just a CI flake)

[cevich]

FYI: Opened containers/automation_images#282

[cevich]

ERROR: Automation spec. 'debian-12'; actual host 'debian-1313' (contrib/cirrus/setup_environment.sh:67 in main())

Uh-oh, that sounds like a "me" problem...Yeah, you're missing this yaml line:

DEBIAN_NAME: "debian-13"