docker.sock mislabeling

[mielas]

After upgrading the container-selinux package on RHEL/OL9 from version 2.229.0 to 2.232.1, the SELinux context of /var/run/docker.sock changes from container_var_run_t to var_run_t. The change in behavior appears to be caused by the following modification in the file context policy:

- /var/run/docker\.sock    -s  gen_context(system_u:object_r:container_var_run_t,s0)
+ /run/docker\.sock        -s  gen_context(system_u:object_r:container_var_run_t,s0)

Although there is a path equivalency rule (/run = /var/run), this change does not work as intended. It looks like SELinux expects file context rules to use /var/run and not /run path. As a result, matchpathcon reports:

matchpathcon /var/run/docker.sock /run/docker.sock

/run/docker.sock          system_u:object_r:var_run_t:s0
/var/run/docker.sock      system_u:object_r:var_run_t:s0

At the same time, adding a rule:

/var/run/docker2\.sock                             socket             system_u:object_r:container_var_run_t:s0 

makes matchpathcon choosing the SELinux context properly:

matchpathcon /var/run/docker2.sock /run/docker2.sock

/var/run/docker2.sock	system_u:object_r:container_var_run_t:s0
/run/docker2.sock	system_u:object_r:container_var_run_t:s0

[rhatdan]

@zpytela PTAL

[zpytela]

In Fedora 40+, all /var/run-based file context entries in selinux-policy were moved to /run. For existing entries from other modules there is a script which creates a local module. It is also planned to do so also in RHEL/Centos 10.1, not earlier versions.

In container-selinux.fc, all entries are /run-based, but there is a section which renames them all back to /var/run for older releases. I don't know how the variables are expanded in RHEL-like OS, this may need to be enhanced:

# RHEL < 10 and Fedora < 40 use file context entries in /var/run
%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
%define legacy_var_run 1
%endif

like

%if %{defined rhel} && 0%{?rhel} < 10 ||  %{defined centos} && 0%{?centos} < 10 || %{defined fedora} && 0%{?fedora} < 40

and anyway update it when selinux-policy is rebased in 10.1.

[zpytela]

Just checked in Centos Stream 10: both %{rhel} and %centos} are defined in rpm, so no change is required for Centos now. Perhaps other distros may need a similar change.