Comment 9 for bug 1880947

Cédric Jeanneret (cjeanner) wrote :

Hello,

so we might get something - after digging in the history, labels and all, it appears that:

- prior to osp-15 (aka stable/queens and earlier - hence running docker) docker daemon didn't have the "--enable-selinux" option
- this led the files within the container to get a certain label (container_share_t)
- there's a specific SELinux policy allowing svirt_t to actually access container_share_t here[1]

Starting OSP-15 (aka stable/stein), we've moved to podman, and there, we actually enforce SELinux all the way down.
This leads to a content change in the container (and this is NOT due to podman - docker has the same), where the files' label changes to container_file_t - hence, this escapes the existing SELinux rule listed in [1].
Apparently, it was decided sometime to just disable SELinux for the nova_libvirt container, creating the CVE.
The revert of this deactivation puts back the need to correct/update the SELinux policy, probably duplicating the line pointed to in [1] in order to allow svirt_t to {entrypoint execute} on container_file_t:file.

We're currently running some tests with this policy update, and hopefully we'll be able to come back with a working solution.

Cheers,

C.

[1] https://github.com/redhat-openstack/openstack-selinux/blob/master/os-nova.te#L138
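As an added illustration (not from this comment, and not the openstack-selinux project's own policy), this is the shape of the policy module the comment describes: a rule for container_file_t mirroring the existing svirt_t -> container_share_t rule. The module name, and the assumption that the existing rule's permission set is exactly { entrypoint execute }, are mine; the real line 138 of os-nova.te is not reproduced here.

```selinux
# nova_libvirt_container_file.te (hypothetical module name, added example)
# Mirrors the existing svirt_t -> container_share_t rule for the
# container_file_t label that files inside the container carry once
# podman/docker apply SELinux labelling.
# The permission set { entrypoint execute } follows the comment's wording
# and is an assumption about what os-nova.te line 138 grants.
module nova_libvirt_container_file 1.0;

require {
    type svirt_t;
    type container_file_t;
    class file { entrypoint execute };
}

# Let the libvirt/qemu guest domain (svirt_t) transition into and execute
# the emulator binary that is now labelled container_file_t, so that
# SELinux can stay enforced for the nova_libvirt container instead of
# being disabled for it.
allow svirt_t container_file_t:file { entrypoint execute };
```

After building and loading it (checkmodule -M -m, semodule_package, semodule -i), confirm the rule is active with `sesearch -A -s svirt_t -t container_file_t -c file` before re-enabling SELinux on the container, and check audit.log for remaining svirt_t denials.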