
Add filetrans rule for ipc_var_run_t directory named ipc #850


Merged (1 commit), Jun 25, 2025

Conversation

rhatdan (Member) commented Jun 23, 2025

Summary by Sourcery

Enhancements:

  • Add SELinux filetrans rule for directories named 'ipc' to assign the ipc_var_run_t security context.

sourcery-ai bot (Contributor) commented Jun 23, 2025

Reviewer's Guide

This pull request extends the SELinux interface in qm.if by adding a filetrans rule that automatically relabels any directory named "ipc" to the ipc_var_run_t type.

File-Level Changes

Change: Introduce automatic relabeling of "ipc" directories to ipc_var_run_t
Details:
  • Added a filetrans directive targeting directories named “ipc”
  • Mapped those directories to the ipc_var_run_t type
  • Inserted the rule into the qm.if interface
  • Documented the new behavior in an inline comment
Files: qm.if


sourcery-ai bot (Contributor) left a comment

Hey @rhatdan - I've reviewed your changes and they look great!



rhatdan (Member, Author) commented Jun 23, 2025

@dougsland @Yarboa PTAL

Yarboa (Collaborator) commented Jun 23, 2025

Sure, testing

dougsland (Collaborator) commented

@rhatdan @Yarboa from my side, I still get permission denied:

Connecting to: /run/ipc/ipc_server.socket
Connection failed: [Errno 13] Permission denied
Retrying
Connecting to: /run/ipc/ipc_server.socket
Connection failed: [Errno 13] Permission denied
Retrying
Connecting to: /run/ipc/ipc_server.socket
Connection failed: [Errno 13] Permission denied
Retrying
Connecting to: /run/ipc/ipc_server.socket
Connection failed: [Errno 13] Permission denied
Retrying
Connecting to: /run/ipc/ipc_server.socket
Connection failed: [Errno 13] Permission denied
Retrying

rhatdan (Member, Author) commented Jun 23, 2025

@dougsland AVCs? And did you run restorecon on the qm partition before testing?

dougsland (Collaborator) commented

> @dougsland AVCs? And did you run restorecon on the qm partition before testing?

@rhatdan I did a fresh install (as I did with the other patch):

rpm -e qm
dnf install qm
Jun 23 11:07:31 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
Jun 23 11:07:30 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
Jun 23 11:07:29 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
Jun 23 11:07:28 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
Jun 23 11:07:27 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
Jun 23 11:07:26 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
Jun 23 11:07:25 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
Jun 23 11:07:24 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
Jun 23 11:07:23 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 tcontext=system_>
module my-python3 1.0;

require {
        type qm_file_t;
        type qm_t;
        type qm_container_t;
        type qm_container_ipc_t;
        class unix_stream_socket shutdown;
        class sock_file write;
}

#============= qm_container_ipc_t ==============
allow qm_container_ipc_t qm_file_t:sock_file write;

#============= qm_container_t ==============
allow qm_container_t qm_t:unix_stream_socket shutdown;

rhatdan (Member, Author) commented Jun 23, 2025

ls -lZa /run/ipc

rhatdan (Member, Author) commented Jun 23, 2025

This looks like your test program is not running as ipc_t, it is running as qm_t?

dougsland (Collaborator) commented

> ls -lZa /run/ipc

# podman exec -it qm bash
bash-5.2# ls -lZa /run/ipc
total 0
drwxr-xr-x.  2 root root system_u:object_r:qm_file_t:s0  60 Jun 23 10:49 .
drwxr-xr-x. 26 root root system_u:object_r:qm_file_t:s0 640 Jun 23 10:49 ..
srw-rw-rw-.  1 root root system_u:object_r:qm_file_t:s0   0 Jun 23 10:49 ipc_server.socket

rhatdan (Member, Author) commented Jun 23, 2025

This means that the process that created the /run/ipc directory and the ipc_server.socket is running as qm_t, it should be running as ipc_t.

Yarboa added four commits to Yarboa/qm that referenced this pull request (Jun 23 and Jun 24, 2025), each with the message:

DRAFT, to test changes containers#850

Signed-off-by: Yariv Rachmani <[email protected]>
dougsland (Collaborator) commented

> This means that the process that created the /run/ipc directory and the ipc_server.socket is running as qm_t, it should be running as ipc_t.

Thanks @rhatdan, I couldn't set ipc_t or ipc_var_run_t in SecurityLabelType, otherwise the ipc_server app doesn't start.

Quadlet:

Volume=/run/ipc:/run/ipc:Z
SecurityLabelType=qm_container_ipc_t 

Now instead of qm_t, I have qm_container_file_t:

drwxr-xr-x.  2 root root system_u:object_r:qm_container_file_t:s0:c742,c898  60 Jun 24 12:23 ipc
srw-rw-rw-.  1 root root system_u:object_r:qm_container_file_t:s0:c742,c898   0 Jun 24 12:23 ipc_server.socket

In the socket file:

SELinuxContext=system_u:object_r:ipc_var_run_t:s0

SELinux AVC:

Jun 24 12:46:10 fedora audit[93090]: AVC avc:  denied  { search } for  pid=93090 comm="python" name="ipc" dev="tmpfs" ino=168 scontext=system_u:system_r:qm_container_ipc_t:s0:c623,c934 tcontext=system_u:object_r:qm_container_file_t:s0:c742,c898 tclass=dir permissive=0

cc @Yarboa
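The two denial patterns posted so far (a sock_file that stayed at the partition default qm_file_t in the audit2allow comment above, and a dir carrying another container's MCS categories in the comment just above) can be told apart from the AVC fields alone, which is quicker than reading audit2allow output that only proposes an allow rule. The following is an added example, not code from the qm project or from anyone in this thread. It parses constructed AVC records and an ls -lZ listing modeled on the ones posted here (the tcontext of the write denial is truncated on the page and is filled in as qm_file_t from the listing that accompanied it) and reports which failure mode applies. EXPECTED_IPC_TYPE, the category names and the helper names are this example's own assumptions.

```python
"""Triage helper for the /run/ipc labelling problem discussed in this PR.

Added example; not part of the qm project.  It classifies SELinux AVC
denials and ls -lZ listings into the failure modes seen in the thread.
"""
import re
from dataclasses import dataclass

# Type the thread expects on /run/ipc once the filetrans rule applies and the
# directory is created by the intended domain (assumption for this example).
EXPECTED_IPC_TYPE = "ipc_var_run_t"

# Constructed sample input, modeled on the records posted in the thread.  The
# tcontext of the first record is truncated on the page; qm_file_t is taken
# from the ls -lZa output that was posted alongside it.
SAMPLE_AVCS = [
    'Jun 23 11:07:31 fedora audit[69808]: AVC avc:  denied  { write } for  pid=69808 '
    'comm="python" name="ipc_server.socket" dev="tmpfs" ino=180 '
    'scontext=system_u:system_r:qm_container_ipc_t:s0:c1,c15 '
    'tcontext=system_u:object_r:qm_file_t:s0 tclass=sock_file permissive=0',
    'Jun 24 12:46:10 fedora audit[93090]: AVC avc:  denied  { search } for  pid=93090 '
    'comm="python" name="ipc" dev="tmpfs" ino=168 '
    'scontext=system_u:system_r:qm_container_ipc_t:s0:c623,c934 '
    'tcontext=system_u:object_r:qm_container_file_t:s0:c742,c898 tclass=dir permissive=0',
]
SAMPLE_LS = [
    "total 0",
    "drwxr-xr-x.  2 root root system_u:object_r:qm_file_t:s0  60 Jun 23 10:49 .",
    "drwxr-xr-x. 26 root root system_u:object_r:qm_file_t:s0 640 Jun 23 10:49 ..",
    "srw-rw-rw-.  1 root root system_u:object_r:qm_file_t:s0   0 Jun 23 10:49 ipc_server.socket",
]


def _field(line, key):
    """Return the value of key=value or key="value" in an audit record."""
    m = re.search(rf'\b{key}=("?)([^"\s]+)\1', line)
    return m.group(2) if m else None


def _type(ctx):
    return ctx.split(":")[2]             # user:role:type:level -> type


def _level(ctx):
    return ":".join(ctx.split(":")[3:])  # MLS/MCS part, e.g. s0:c1,c15


@dataclass(frozen=True)
class Denial:
    perms: tuple
    name: str
    scontext: str
    tcontext: str
    tclass: str


def parse_avc(line):
    """Parse one 'avc: denied' record; return None for anything else."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    f = {k: _field(line, k) for k in ("name", "scontext", "tcontext", "tclass")}
    if not (f["scontext"] and f["tcontext"] and f["tclass"]):
        return None
    return Denial(tuple(m.group(1).split()), f["name"] or "",
                  f["scontext"], f["tcontext"], f["tclass"])


def diagnose(d):
    """Map a denial to one of the failure modes discussed in the thread."""
    stype, ttype = _type(d.scontext), _type(d.tcontext)
    what = f"{d.tclass} {d.name or '?'}"
    if ttype == "qm_file_t":
        # Partition default label: no filetrans rule fired, so the object was
        # created by a process running in a domain the rule does not cover.
        return ("default-label",
                f"{what} still carries qm_file_t; the process that created it ran in the "
                f"wrong domain, otherwise it would have been created as {EXPECTED_IPC_TYPE}")
    if ttype.endswith("_container_file_t") and _level(d.scontext) != _level(d.tcontext):
        # Volume=...:Z relabeled the shared directory with another container's categories.
        return ("mcs-mismatch",
                f"{what} is labeled {ttype} at {_level(d.tcontext)}, but {stype} runs at "
                f"{_level(d.scontext)}; a shared IPC directory must not be relabeled per container")
    if ttype == EXPECTED_IPC_TYPE:
        return ("policy-gap",
                f"{stype} lacks {d.tclass} {{ {' '.join(d.perms)} }} on {EXPECTED_IPC_TYPE}; "
                "this needs an allow rule, not a relabel")
    return ("other", f"{stype} denied {' '.join(d.perms)} on {what} ({ttype})")


def check_listing(lines, expected_type=EXPECTED_IPC_TYPE):
    """Parse ls -lZ output; return {name: type} and the names not labeled expected_type."""
    labels = {}
    for line in lines:
        parts = line.split(None, 9)
        if len(parts) < 10:          # skips the 'total N' line
            continue
        labels[parts[9]] = _type(parts[4])
    wrong = sorted(n for n, t in labels.items() if t != expected_type)
    return labels, wrong


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        d = parse_avc(line)
        if d:
            kind, why = diagnose(d)
            print(f"{kind}: {why}")
    labels, wrong = check_listing(SAMPLE_LS)
    print("not labeled", EXPECTED_IPC_TYPE, "under /run/ipc:", wrong)
```

Feed it `ausearch -m AVC -ts recent` output and `ls -lZa /run/ipc` from inside the qm partition; a "default-label" result means the creator of /run/ipc ran in a domain the filetrans rule does not cover, and no allow rule from audit2allow is the right fix.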

rhatdan (Member, Author) commented Jun 24, 2025

Do not relabel /run/ipc from the quadlet; it should be labeled by ipc_t, not changed for each container that uses it.

ipc_t should not be running in a container, or if it is, it should be set to level=s0.

dougsland (Collaborator) commented Jun 24, 2025

> Do not relabel /run/ipc from the quadlet; it should be labeled by ipc_t, not changed for each container that uses it.
>
> ipc_t should not be running in a container, or if it is, it should be set to level=s0.

then I get back the default qm_file_t:

# podman exec -it qm bash
bash-5.2# ls -lAZ /run/ipc
total 0
srw-rw-rw-. 1 root root system_u:object_r:qm_file_t:s0 0 Jun 24 16:10 ipc_server.socket
bash-5.2# ls -lAZ /run/ | grep ipc
drwxr-xr-x.  2 root root system_u:object_r:qm_file_t:s0               60 Jun 24 16:10 ipc
-rw-r--r--.  1 root root system_u:object_r:qm_file_t:s0               64 Jun 24 16:10 ipc_client.cid
-rw-r--r--.  1 root root system_u:object_r:qm_file_t:s0               64 Jun 24 16:10 ipc_server.cid
[Unit]
Description=Demo server service container
Requires=ipc_server.socket
After=ipc_server.socket
[Container]
Image=quay.io/yarboa/ipc-demo/ipc_server_f41:latest
Network=none
Volume=/run/ipc:/run/ipc
[Service]
Restart=always
Type=notify
[Install]
WantedBy=multi-user.target

[Unit]
Description=IPC Server Socket
[Socket]
ListenStream=%t/ipc/ipc_server.socket
RuntimeDirectory=ipc
SELinuxContextFromNet=yes

[Install]
WantedBy=sockets.target

[Unit]
Description=Demo client service container
Requires=ipc_server.socket
After=ipc_server.socket
[Container]
Image=quay.io/yarboa/ipc-demo/ipc_client_f41:latest
Network=none
Volume=/run/ipc:/run/ipc
[Service]
Restart=always
[Install]
WantedBy=multi-user.target

Yarboa (Collaborator) commented Jun 24, 2025

> Do not relabel /run/ipc from the quadlet; it should be labeled by ipc_t, not changed for each container that uses it.
>
> ipc_t should not be running in a container, or if it is, it should be set to level=s0.

@rhatdan sorry, I am blocked here, also.
That was the only way the /run/ipc label has changed; it was always qm_t. Removing relabel:

see this sample

sh-5.1# systemctl start ipc_server.socket
sh-5.1# ls -lZAd /run/ipc
drwxr-xr-x. 2 root root system_u:object_r:qm_file_t:s0 60 Jun 24 19:48 /run/ipc
sh-5.1# 
sh-5.1# systemctl start ipc_server       
sh-5.1# ls -lZAd /run/ipc
drwxr-xr-x. 2 root root system_u:object_r:qm_file_t:s0 60 Jun 24 19:48 /run/ipc

I do not see where and why ipc_t is labeled.

If /run/ipc is labeled qm_file_t, the socket will be qm_file_t too, isn't it?

So the only option is playing with those inside the ipc_server?

podman run --name systemd-ipc_server --replace --rm --cgroups=split --network none --sdnotify=conmon  --security-opt label=type:qm_container_ipc_t -d -v /run/ipc:/run/ipc quay.io/yarboa/ipc-demo/ipc_server_f41:latest

This command is passing, but the labeling is qm_t.
Can you please suggest how the command line should work?

@rhatdan rhatdan merged commit 648f641 into containers:main Jun 25, 2025
16 checks passed
aesteve-rh (Collaborator) commented

Were these changes finally tested successfully? It would be nice to document the procedure or have a demonstration.

Yarboa (Collaborator) commented Jun 26, 2025

This PR will assist in HOST-QM IPC, for IPC within QM new ticket opened #852

rhatdan (Member, Author) commented Jun 26, 2025

@Yarboa @dougsland are we all set now?

dougsland (Collaborator) commented

> @Yarboa @dougsland are we all set now?

@rhatdan added: #853
