Draft: fix SELinux issues with mounts
This fixes SELinux policies for host filesystem mounts. I set them to the best of my understanding of which are (:z) and are not (:Z) shared between containers. I am still seeing some chatter in audit logs that seems to have to do with the network, possibly due to the Alertmanager gossip; I will look into that further:
type=ANOM_PROMISCUOUS msg=audit(1742313237.021:8596): dev=veth3 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=ANOM_PROMISCUOUS msg=audit(1742313237.079:8597): dev=veth3 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=NETFILTER_CFG msg=audit(1742313237.084:8598): table=netavark:1771 family=1 entries=10 op=nft_register_chain pid=150621 subj=unconfined_u:unconfined_r:iptables_t:s0 comm="nft"
type=ANOM_PROMISCUOUS msg=audit(1742313237.432:8599): dev=veth3 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=ANOM_PROMISCUOUS msg=audit(1742313237.487:8600): dev=veth3 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=NETFILTER_CFG msg=audit(1742313237.492:8601): table=netavark:1772 family=1 entries=10 op=nft_register_chain pid=150658 subj=unconfined_u:unconfined_r:iptables_t:s0 comm="nft"
type=ANOM_PROMISCUOUS msg=audit(1742313237.841:8602): dev=veth3 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=ANOM_PROMISCUOUS msg=audit(1742313237.890:8603): dev=veth3 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=NETFILTER_CFG msg=audit(1742313237.896:8604): table=netavark:1773 family=1 entries=10 op=nft_register_chain pid=150700 subj=unconfined_u:unconfined_r:iptables_t:s0 comm="nft"
type=ANOM_PROMISCUOUS msg=audit(1742313238.254:8605): dev=veth3 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=ANOM_PROMISCUOUS msg=audit(1742313238.305:8606): dev=veth3 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=NETFILTER_CFG msg=audit(1742313238.310:8607): table=netavark:1774 family=1 entries=10 op=nft_register_chain pid=150743 subj=unconfined_u:unconfined_r:iptables_t:s0 comm="nft"
type=ANOM_PROMISCUOUS msg=audit(1742313238.655:8608): dev=veth3 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=ANOM_PROMISCUOUS msg=audit(1742313238.707:8609): dev=veth3 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=3 AUID="arkadiy" UID="arkadiy" GID="arkadiy"
type=NETFILTER_CFG msg=audit(1742313238.713:8610): table=netavark:1775 family=1 entries=10 op=nft_register_chain pid=150782 subj=unconfined_u:unconfined_r:iptables_t:s0 comm="nft"
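
One way to triage the audit chatter quoted above, as an added example that is not part of this change or of the project: it parses the records and separates promiscuous-mode changes on veth devices that occur close to a netavark nftables update from any that do not. The one-second window, the veth/netavark correlation heuristic and the eth0 record are assumptions made for illustration.

```python
import re

# First three records come from the log above (enriched AUID/UID/GID suffix trimmed);
# the eth0 record is constructed to show a change the heuristic does not explain.
SAMPLE = """\
type=ANOM_PROMISCUOUS msg=audit(1742313237.021:8596): dev=veth3 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=3
type=ANOM_PROMISCUOUS msg=audit(1742313237.079:8597): dev=veth3 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=3
type=NETFILTER_CFG msg=audit(1742313237.084:8598): table=netavark:1771 family=1 entries=10 op=nft_register_chain pid=150621 subj=unconfined_u:unconfined_r:iptables_t:s0 comm="nft"
type=ANOM_PROMISCUOUS msg=audit(1742313300.500:8700): dev=eth0 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=3
"""

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
WINDOW = 1.0  # seconds; assumed tolerance between a veth flip and a netavark rule load

def parse(text):
    """Turn raw audit lines into dicts with type, ts, serial and key=value fields."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
        rec.update(type=m.group(1), ts=float(m.group(2)), serial=int(m.group(3)))
        records.append(rec)
    return records

def triage(records):
    """Split promiscuous-mode changes into netavark-correlated and unexplained."""
    nft_times = [r["ts"] for r in records
                 if r["type"] == "NETFILTER_CFG" and r.get("table", "").startswith("netavark")]
    explained, unexplained = [], []
    for r in records:
        if r["type"] != "ANOM_PROMISCUOUS":
            continue
        near = any(abs(r["ts"] - t) <= WINDOW for t in nft_times)
        if r.get("dev", "").startswith("veth") and near:
            explained.append(r)
        else:
            unexplained.append(r)
    return explained, unexplained

if __name__ == "__main__":
    ok, review = triage(parse(SAMPLE))
    print(f"{len(ok)} veth changes next to netavark rule loads")
    for r in review:
        print(f"review: serial={r['serial']} dev={r['dev']} prom={r['old_prom']}->{r['prom']}")
```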