Question Regarding SELinux (mlsconstrain)
Hi, my name is Kloud.
I wasn't sure where to ask questions regarding SELinux. I couldn't find
any live or ongoing community. So I'm taking my last shot at sending
an email directly to Red Hat, to see if I can receive any support for my
current situation!
I'm currently running a project that utilizes rootless podman
containers on my RHEL 9.2 machine.
I am trying to run the containers on MLS Enforcing mode (or Targeted
with Multi Category Security, Enforcing mode - if MLS doesn't work), but
I keep facing denials such as:
type=AVC msg=audit(XXXX): avc: denied { recv } for pid=31368 comm="curl" saddr=192.168.99.2 src=54380 daddr=192.168.99.2 dest=9099 netif=lo scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:netlabel_peer_t:s0:c1 tclass=peer permissive=1
(I have set up netlabels on the VM's net interface.)
I'm supposed to launch a container with an MLS level of s0:c1 by curling the
VM's systemd socket, which will eventually trigger the Python app to
launch the containers. So I believe that is why I'm receiving s0:c1 as
my tcontext, and s0 as my scontext (coming from systemd, I'm assuming).
If I run audit2allow on this, I get something like:
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain peer { recv } ((l1 dom l2 Fail) or (t1 != mcs_constrained_type Fail) and (t2 != mcs_constrained_type Fail) );
Constraint DENIED
So I can see that s0 cannot dominate s0:c1 right now, and both types ARE
mcs_constrained_type, which I do not know how to get rid of.
Are there any references on how to go about solving these mlsconstrain
issues, by any chance? I was only able to find explanation charts saying
things like ["mlsconstrain" does exist, and dom, fail, and, or, etc. mean
~this ...], but not how to actually go about solving the issue.
Again, if I'm asking the wrong department, please do let me know where I
can redirect my question. I really appreciate your time and help. Thank
you so much in advance.
--
Best Regards,
Kloud Byun
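As an added illustration (not part of the email above), the following Python reproduces the check that produced the denial: it parses SELinux MLS/MCS levels, implements `dom` (sensitivity and category-set dominance) and evaluates the `peer { recv }` constraint exactly as audit2allow printed it, against the contexts from the AVC. The set of types carrying `mcs_constrained_type` is an assumption taken from the email; on a real system it comes from the loaded policy (for example `seinfo -a mcs_constrained_type -x`).

```python
import re

# Assumption from the email: both types carry the mcs_constrained_type attribute.
# On a real host, read this set from the loaded policy instead.
MCS_CONSTRAINED_TYPES = {"unconfined_service_t", "netlabel_peer_t"}

# The denial quoted in the email, re-joined onto one line (constructed sample input).
AVC_FROM_EMAIL = (
    'type=AVC msg=audit(XXXX): avc: denied { recv } for pid=31368 comm="curl" '
    "saddr=192.168.99.2 src=54380 daddr=192.168.99.2 dest=9099 netif=lo "
    "scontext=system_u:system_r:unconfined_service_t:s0 "
    "tcontext=system_u:object_r:netlabel_peer_t:s0:c1 tclass=peer permissive=1"
)

AVC_RE = re.compile(r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def parse_level(level):
    """'s0:c1,c3.c5' -> (0, {1, 3, 4, 5}); a bare 's0' has no categories."""
    sens, _, cats = level.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")          # 'c3.c5' is the inclusive range c3..c5
        categories.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(categories)


def dominates(l1, l2):
    """MLS 'dom': l1's sensitivity >= l2's and l1's categories are a superset of l2's."""
    s1, c1 = parse_level(l1)
    s2, c2 = parse_level(l2)
    return s1 >= s2 and c1 >= c2


def type_of(context):
    return context.split(":", 3)[2]


def low_level(context):
    """Low end of 'user:role:type:low-high'; mlsconstrain's l1/l2 refer to it."""
    return context.split(":", 3)[3].split("-", 1)[0]


def peer_recv_allowed(scontext, tcontext):
    """(l1 dom l2) or (t1 != mcs_constrained_type and t2 != mcs_constrained_type)."""
    t1_unconstrained = type_of(scontext) not in MCS_CONSTRAINED_TYPES
    t2_unconstrained = type_of(tcontext) not in MCS_CONSTRAINED_TYPES
    return dominates(low_level(scontext), low_level(tcontext)) or (
        t1_unconstrained and t2_unconstrained
    )


def check_avc(avc_line):
    """True if the peer { recv } constraint would pass for the contexts in the AVC."""
    scontext, tcontext, tclass = AVC_RE.search(avc_line).groups()
    return tclass == "peer" and peer_recv_allowed(scontext, tcontext)
```

Running `check_avc(AVC_FROM_EMAIL)` returns False for the reason the email describes: s0 lacks category c1, and neither type escapes the second clause; the same call with the source running at s0:c1 (or higher) passes.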