Hello,
so we might get something - after digging in the history, labels and all, it appears that:
- prior to osp-15 (aka stable/queens and earlier - hence running docker) docker daemon didn't have the "--enable-selinux" option
- this led the files within the container to get a certain label (container_share_t)
- there's a specific SELinux policy allowing svirt_t to actually access container_share_t here [1]
Starting OSP-15 (aka stable/stein), we've moved to podman, and there, we actually enforce SELinux all the way down.
This leads to a content change in the container (and this is NOT due to podman - docker has the same), where the files' label changes to container_file_t - hence, this escapes the existing SELinux rule listed in [1].
Apparently, it was decided sometime to just disable SELinux for the nova_libvirt container, creating the CVE.
The revert of this deactivation puts back the need to correct/update the SELinux policy, probably duplicating the line pointed to in [1] in order to allow svirt_t to {entrypoint execute} on container_file_t:file.
We're currently running some tests with this policy update, and hopefully we'll be able to come back with a working solution.
Cheers,
C.
[1] https://github.com/redhat-openstack/openstack-selinux/blob/master/os-nova.te#L138
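As an added example (not from the comment above or from the openstack-selinux project): a shell helper that writes the extra allow rule the comment describes as a loadable SELinux module, builds and installs it, checks with sesearch that the policy now carries it, and detects the nova_libvirt container running with labelling switched off. The module name and the exact rule wording are assumptions, since the original os-nova.te line is only referenced by link.

```shell
#!/bin/sh
# Added example, not part of the bug comment or openstack-selinux.
# Assumptions: module name, rule wording, and that apply/check run on a host
# with setools (sesearch), policycoreutils (checkmodule/semodule) and podman.
set -eu

MODULE_NAME="nova_libvirt_container_file"   # assumed module name

# Render a checkmodule-compatible module (raw syntax, no refpolicy macros)
# granting svirt_t the rights the comment says are lost once files inside
# the container are labelled container_file_t instead of container_share_t.
render_policy_module() {
    cat <<EOF
module ${MODULE_NAME} 1.0;

require {
    type svirt_t;
    type container_file_t;
    class file { entrypoint execute };
}

# Mirrors the container_share_t rule in os-nova.te for the newer label.
allow svirt_t container_file_t:file { entrypoint execute };
EOF
}

# Compile and load the module (needs root, checkmodule, semodule_package, semodule).
build_and_load() {
    tmp=$(mktemp -d)
    render_policy_module > "$tmp/${MODULE_NAME}.te"
    checkmodule -M -m -o "$tmp/${MODULE_NAME}.mod" "$tmp/${MODULE_NAME}.te"
    semodule_package -o "$tmp/${MODULE_NAME}.pp" -m "$tmp/${MODULE_NAME}.mod"
    semodule -i "$tmp/${MODULE_NAME}.pp"
    rm -rf "$tmp"
}

# Succeeds only if the loaded policy contains an allow rule matching
# svirt_t -> container_file_t:file entrypoint; empty output means it is missing.
verify_rule() {
    sesearch -A -s svirt_t -t container_file_t -c file -p entrypoint | grep -q .
}

# Detect the configuration that created the CVE: nova_libvirt started with
# SELinux labelling disabled (label=disable among its security options).
selinux_disabled_for_nova_libvirt() {
    podman inspect --format '{{.HostConfig.SecurityOpt}}' nova_libvirt 2>/dev/null \
        | grep -q 'label=disable'
}

case "${1:-}" in
    apply) build_and_load && verify_rule ;;
    check) verify_rule ;;
esac
```

Run as `sh fix.sh check` to see whether the rule is already present, and `sh fix.sh apply` as root to build, load and re-verify it.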