From 0a181a334275610aac088c52b173f5490e971e19 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Fri, 26 Jul 2024 16:27:40 +0300
Subject: [PATCH] container: Set `container_engine_t` SELinux label

Set the `container_engine_t` SELinux on the **outer** Podman container, so that gVisor does not break on systems where SELinux is enforcing. This label is provided for container engines running within a container, which fits our `runsc` within `crun` situation.

We have considered using the more permissive `label=disable` option, to disable SELinux labels altogether, but we want to take advantage of as many SELinux protections as we can, even for the **outer** container.

Cherry-picked from e1e63d14f8d7d1b6b14b56a86232eef9555ac9d6

Fixes #880
---
 dangerzone/isolation_provider/container.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
index 4085039..82fd8e1 100644
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
@@ -103,6 +103,9 @@ class Container(IsolationProvider):
 running gVisor.
 * Do not allow access to the network stack.
 * Run the container as the unprivileged `dangerzone` user.
+ * Set the `container_engine_t` SELinux label, which allows gVisor to work on
+ SELinux-enforcing systems
+ (see https://github.com/freedomofpress/dangerzone/issues/880).
 
 For Podman specifically, where applicable, we also add the following:
 * Do not log the container's output.
@@ -138,6 +141,7 @@ class Container(IsolationProvider):
 
 security_args += ["--cap-drop", "all"]
 security_args += ["--cap-add", "SYS_CHROOT"]
+ security_args += ["--security-opt", "label=type:container_engine_t"]
 security_args += ["--network=none"]
 security_args += ["-u", "dangerzone"]
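Review bot: The new docstring bullet (the three `+` lines of the first hunk) records which SELinux label is set but not why `label=type:container_engine_t` was preferred over the `label=disable` alternative the commit message discusses; that rationale belongs next to the code, since a later reader may otherwise be tempted to loosen it. Consider extending the bullet with `Keeping SELinux confinement (rather than label=disable) preserves the remaining SELinux protections for the outer container.` The bullet is placed in the engine-agnostic part of the list, which appears to match the second hunk, where the option is appended to the shared `security_args` rather than the Podman-only block; if that is intended it is worth stating, because the commit description only mentions Podman. The docstring continues outside the hunk.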