Szwendacz/Securing-Linux-Containers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

finish selinux

Browse source
This commit is contained in:
Maciej Lebiest 2025-01-03 12:35:18 +01:00 committed by Maciej Lebiest
parent 3b197e3840
commit 9bed897310
1 changed files with 64 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
README.md
View file

@ -25,7 +25,7 @@
- [7. Network](#7-network)
- [Desktop tools](#desktop-tools)
- [Kubernetes](#kubernetes)
- [8. Images](#8-images)
- [8. OCI Images](#8-oci-images)
- [8.1 Building](#81-building)
- [8.2 Scanning](#82-scanning)
- [9. Selinux](#9-selinux)
@ -573,3 +573,65 @@ system_u:system_r:container_t:s0:c202,c993
system_u:system_r:container_t:s0:c259,c971
```
If two or more containers have matching categories (sorted categories on the same
position match or are not set), then such containers can access the same
shared volumes.
For example (podman uses :Z flag on volume to propagate selinux context on
all files inside):
First starting container with 2 categories:
```bash
podman run --rm -it -v ./test:/test:Z --security-opt label=level:s0:c222,c11 fedora-minimal
bash-5.2# ls -Z /test/
system_u:object_r:container_file_t:s0:c11,c222 test2
system_u:object_r:container_file_t:s0:c11,c222 test2.txt
system_u:object_r:container_file_t:s0:c11,c222 test3.txt
```
Then second container with a subset of categories in selinux level will change
the labels, but still both containers have full access to the volume:
```bash
podman run --rm -it -v ./test:/test:Z --security-opt label=level:s0:c11 fedora-minimal
bash-5.2# ls -Z /test/
system_u:object_r:container_file_t:s0:c11 test2
system_u:object_r:container_file_t:s0:c11 test2.txt
system_u:object_r:container_file_t:s0:c11 test3.txt
```
Changing the level in second container to something like
`label=level:s0:c11,c33` will prevent access for the first container.
For shared volumes container engines like Podman or Docker have flag `:z`,
which in contrast to `:Z` does not apply any categories, just plain level `s0`:
```bash
podman run --rm -it -v ./test:/test:z fedora-minimal ls -Z /test
system_u:object_r:container_file_t:s0 test2
system_u:object_r:container_file_t:s0 test2.txt
system_u:object_r:container_file_t:s0 test3.txt
```
This allows any container with any categories potentially access this volume.
And this is place for improvement - if the files inside of a volume are
main protected resource, it would be safer to label it with categories.
If there are multiple containers that need access to the volume, they
just need to have matching categories. This somewhat reduces isolation
between those containers in terms of other filesystems and other resources
protected by selinux, but that usually will be not much of a problem,
considering they use shared volume.
In kubernetes specifying labels happens for whole pod, which can have
multiple containers:
```yaml
apiVersion: v1
kind: Pod
spec:
securityContext:
seLinuxOptions:
level: "s0:c12,c45"
(....)
```