gpt4 book ai didi

linux - Podman (libpod) 在使用 SELinux 上下文挂载 shm 时无法运行

转载 作者:行者123 更新时间:2023-12-05 07:17:05 28 4
gpt4 key购买 nike

我目前正在 Gentoo Linux 上试用 Podman :

# grep -i selinux /usr/src/linux-4.19.82-gentoo/.config
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
# getenforce
Permissive

不幸的是,它在尝试使用 SELinux 上下文挂载 shm 时失败了。我用 VFS 和 fuse-overlayfs 试过了:

$ podman --log-level=debug run -it --rm localhost/ubuntu:latest /bin/bash
...
DEBU[0000] ExitCode msg: "failed to mount shm tmpfs \"/home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm\": invalid argument"
ERRO[0000] failed to mount shm tmpfs "/home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm": invalid argument

我为 Podman 打了补丁以进行调试:

gentoo ~/libpod-1.6.3 # git diff | tee /etc/portage/patches/app-emulation/libpod/00.patch 
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 471648b..a2c001a 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -43,6 +43,11 @@ import (
func (c *Container) mountSHM(shmOptions string) error {
if err := unix.Mount("shm", c.config.ShmDir, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV,
label.FormatMountLabel(shmOptions, c.config.MountLabel)); err != nil {
+ logrus.Debugf("AAAAA %s", c.config.ShmDir)
+ logrus.Debugf("BBBBB %s", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV)
+ logrus.Debugf("CCCCC %s", shmOptions)
+ logrus.Debugf("DDDDD %s", c.config.MountLabel)
+ logrus.Debugf("EEEEE %s", label.FormatMountLabel(shmOptions, c.config.MountLabel))
return errors.Wrapf(err, "failed to mount shm tmpfs %q", c.config.ShmDir)
}
return nil

然后,得到了这个输出:

$ podman --log-level=debug run -it --rm localhost/ubuntu:latest /bin/bash
...
DEBU[0000] AAAAA /home/david/.local/share/containers/storage/overlay-containers/a05754757bafec92198c27b6ba954c40ac6a0ee99f29927f216bddb6c6ad4d07/userdata/shm
DEBU[0000] BBBBB %!s(int=14)
DEBU[0000] CCCCC mode=1777,size=65536000
DEBU[0000] DDDDD system_u:object_r:svirt_lxc_file_t
DEBU[0000] EEEEE mode=1777,size=65536000,context="system_u:object_r:svirt_lxc_file_t"
...

在没有上下文选项的情况下安装 shm 有效:

# mount -t tmpfs -o mode=1777,size=65536000 shm /mnt/
# mount | grep shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel)
shm on /mnt type tmpfs (rw,relatime,seclabel,size=64000k)

但是,它因上下文选项而失败:

# mount -t tmpfs -o mode=1777,size=65536000,context="system_u:object_r:svirt_lxc_file_t" shm /mnt/
mount: /mnt: wrong fs type, bad option, bad superblock on shm, missing codepage or helper program, or other error.

而且,在没有 SELinux 的情况下运行 Podman 也可以。

机器上的一些信息:

vagrant@gentoo ~ $ eix -I libpod
[I] app-emulation/libpod
Available versions: (~)1.6.3^t {apparmor btrfs ostree +rootless selinux}
Installed versions: 1.6.3^t(07:51:44 AM 11/18/2019)(rootless selinux -apparmor -btrfs -ostree)
Homepage: https://github.com/containers/libpod/
Description: Library and podman tool for running OCI-based containers in Pods

vagrant@gentoo ~ $ eix -I install-xattr
[I] sys-apps/install-xattr
Available versions: 0.5 (~)0.7 (~)0.8 **9999*l
Installed versions: 0.8(06:07:20 PM 11/17/2019)
Homepage: https://dev.gentoo.org/~blueness/install-xattr/
Description: Wrapper to coreutil's install to preserve Filesystem Extended Attributes

vagrant@gentoo ~ $ emerge --info
Portage 2.3.76 (python 3.6.9-final-0, default/linux/amd64/17.1/no-multilib/hardened/selinux, gcc-9.2.0, glibc-2.29-r2, 4.19.82-gentoo x86_64)
=================================================================
System uname: Linux-4.19.82-gentoo-x86_64-Intel_Core_Processor_-Skylake,_IBRS-with-gentoo-2.6
KiB Mem: 2036312 total, 1846924 free
KiB Swap: 4000764 total, 4000764 free
Timestamp of repository gentoo: Sun, 17 Nov 2019 17:00:01 +0000
Head commit of repository gentoo: 6c3900366099220296f7765bd1f0668d980d0d29
sh bash 4.4_p23-r1
ld GNU ld (Gentoo 2.32 p2) 2.32.0
app-shells/bash: 4.4_p23-r1::gentoo
dev-lang/perl: 5.28.2-r1::gentoo
dev-lang/python: 2.7.16::gentoo, 3.6.9::gentoo
dev-util/cmake: 3.14.6::gentoo
sys-apps/baselayout: 2.6-r1::gentoo
sys-apps/openrc: 0.41.2::gentoo
sys-apps/sandbox: 2.13::gentoo
sys-devel/autoconf: 2.69-r4::gentoo
sys-devel/automake: 1.16.1-r1::gentoo
sys-devel/binutils: 2.32-r1::gentoo
sys-devel/gcc: 9.2.0-r2::gentoo
sys-devel/gcc-config: 2.1::gentoo
sys-devel/libtool: 2.4.6-r3::gentoo
sys-devel/make: 4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc: 2.29-r2::gentoo
Repositories:

gentoo
location: /usr/portage
sync-type: rsync
sync-uri: rsync://rsync.gentoo.org/gentoo-portage
priority: -1000
sync-rsync-verify-jobs: 1
sync-rsync-verify-max-age: 24
sync-rsync-verify-metamanifest: yes
sync-rsync-extra-opts:

localrepo
location: /var/db/repos/localrepo
masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mtune=generic -O2 -pipe"
DISTDIR="/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl alsa amd64 bzip2 crypt cxx hardened iconv ipv6 libtirpc ncurses nls nptl open_perms openmp openssl pam pcre peer_perms pie readline seccomp selinux split-usr ssl ssp ubac unicode usb xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="emu efi-32 efi-64 pc" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python3_6 python2_7" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

最佳答案

这里的答案较晚,正如 duexsco 所指出的,缺少 svirt_lxc_file_t 强制类型,可以通过 Gentoo 上出现的 sec-policy/selinux-virt 安装。

为什么来自 sec-policy/selinux-base 的接口(interface) (/usr/share/selinux/strict/include/services/virt.if) 使用强制类型来自 sec-policy/selinux-virt 也是一个相当有趣的问题。

关于linux - Podman (libpod) 在使用 SELinux 上下文挂载 shm 时无法运行,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58910356/

28 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com