I received this bug report this week.| Dan Walsh's Blog
I recently received the following email about using SELinux to prevent users from executing programs.| Dan Walsh's Blog
Sometimes content is created in /run during boot that ends up mislabeled. We sometimes hear, "every time I boot, this file gets created with the wrong label."| Dan Walsh's Blog
DAC_OVERRIDE is one of the most powerful capabilities, and most app developers don't understand when they are taking advantage of it, or how easy it is to eliminate the need.| Dan Walsh's Blog
Next week at the Red Hat Summit, I have a short session to talk about SELinux and Containers. I am constantly reminded in Bugzilla about how great the combination is.| Dan Walsh's Blog
I get lots of bugs from people complaining about SELinux blocking access to the Docker socket. For example https://bugzilla.redhat.com/show_bug.cgi?id=1557893| Dan Walsh's Blog
Yesterday I received an email from someone who was attempting to write SELinux policy for a daemon process, "abcd", that he was being required to run on his systems.| Dan Walsh's Blog
The kernel has a feature where it will load certain kernel modules for a process when certain syscalls are made. For example, loading a kernel module when a process attempts to create a different network socket.| Dan Walsh's Blog
If you followed SELinux policy bugs being reported in Bugzilla, you might have noticed a spike in messages about random domains being denied DAC_READ_SEARCH.| Dan Walsh's Blog
New features and bugfixes in this release| Dan Walsh's Blog
Buildah is a new tool that we released last week for building containers without requiring a container runtime daemon running. --nodockerneeded| Dan Walsh's Blog
I have written previous blogs discussing using Linux capabilities in containers.| Dan Walsh's Blog
BOUNDED TRANSITIONS| Dan Walsh's Blog
I recently received an email from someone who made the mistake of volume mounting /root into his container with the :Z option. docker run -ti -v /root:/root:Z fedora sh The container ran fine, and everything was well on his server machine until the next time he tried to ssh into the server. The…| danwalsh.livejournal.com
One of the things people have always had a hard time understanding about SELinux is around different types. In this blog, I am going to discuss Container Domains. Recently I had someone questioning me about specifying types to run containers inside of Kubernetes. Basically he wanted to…| danwalsh.livejournal.com
I work on the lowest levels of container runtimes and usually around process security. My team and I work on basically everything needed to run containers on the host operating system under Kubernetes. I also work in the OpenShift group at Red Hat. I hear a lot of thoughts on Hybrid Cloud…| danwalsh.livejournal.com
An issue was recently raised on libpod, the GitHub repo for Podman. "container_t isn't allowed to access container_var_lib_t" Container policy is defined in the container-selinux package. By default containers run with the SELinux type "container_t" whether this is a container launched by just…| danwalsh.livejournal.com
I often see bug reports or people showing AVC messages about confined domains not able to deal with unlabeled_t files. type=AVC msg=audit(1530786314.091:639): avc: denied { read } for pid=4698 comm="modprobe" name="modules.alias.bin" dev="dm-0" ino=9115100…| danwalsh.livejournal.com
Lately the SELinux team has been trying to remove DAC_OVERRIDE from as many SELinux Domain Types as possible. man capabilities ... CAP_DAC_OVERRIDE Bypass file read, write, and…| danwalsh.livejournal.com
In my previous blog, I talked about container types container_t and svirt_lxc_net_t. Today I get an email, asking about the new container_t type replacing svirt_lxc_net_t. On 05/23/2018 11:50 PM, Dustin C. Hatch wrote: I recently upgraded some of my Docker hosts to CentOS 7.5 and started…| danwalsh.livejournal.com
For some reason recently I have been asked via email and Twitter about what the difference is between the container_t type and the svirt_lxc_net_t type. Or similarly between container_file_t and svirt_sandbox_file_t. Bottom line, NOTHING. They are aliases of each other. In SELinux…| danwalsh.livejournal.com
Last week, on the Fedora Users list someone was asking a question about getting SELinux to work with a container. The mailer said that he was sharing certs into the container but SELinux was blocking access. Here are the AVCs that were reported. Fri May 11 03:35:19 2018 type=AVC…| danwalsh.livejournal.com
I have been working on SELinux for over 15 years. I switched my primary job to working on containers several years ago, but one of the first things I did with containers was to add SELinux support. Now all of the container projects I work on including CRI-O, Podman, Buildah as well as…| danwalsh.livejournal.com
I have just updated the container-selinux policy to support MLS (Multi Level Security). SELinux and Container technology have a long history together. Some people imagine that containers started just a few years ago with the introduction of Docker, but the technology goes back a lot…| danwalsh.livejournal.com
I received a container bugzilla today for someone who was attempting to assign a container process to the object_r role. Hopefully this blog will help explain how roles work with SELinux. When we describe SELinux we often concentrate on Type Enforcement, which is the most important and most…| danwalsh.livejournal.com