From 94afafe7c4b4ffb4e2b6851b41114a7eb4a6e5b1 Mon Sep 17 00:00:00 2001 
From: Lokesh Mandvekar
Date: Fri, 6 Mar 2026 21:34:09 +0530
Subject: [PATCH 1/4] Allow staff_t and user_t to start podman.socket via systemd
When confined users run "systemctl --user start podman.socket", their user-level systemd instance needs to create a unix stream socket pre-labeled as container_runtime_t (via setsockcreatecon). No policy rule existed to permit this, causing an AVC denial on the socket create syscall. Grant staff_t and user_t the necessary unix_stream_socket permissions on container_runtime_t so that systemd socket activation of podman works for both confined user types.
Fixes the following AVCs:
staff_t:
```
type=PROCTITLE msg=audit(1764134806.202:243): proctitle="(systemd)"
type=SYSCALL msg=audit(1764134806.202:243): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80801 a2=0 a3=0 items=0 ppid=1 pid=943 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="systemd" exe="/usr/lib/systemd/systemd" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1764134806.202:243): avc: denied { create } for pid=943 comm="systemd" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
```
user_t:
```
type=PROCTITLE msg=audit(1772104645.324:301): proctitle="(systemd)"
type=SYSCALL msg=audit(1772104645.324:301): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80801 a2=0 a3=0 items=0 ppid=1 pid=1649 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=11 comm="systemd" exe="/usr/lib/systemd/systemd" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1772104645.324:301): avc: denied { create } for pid=1649 comm="systemd" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
```
Fixes: RHEL-132875, RHEL-135340
Signed-off-by: Lokesh Mandvekar
---
 container.te | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/container.te b/container.te
index c87613e..19ccb68 100644
--- a/container.te
+++ b/container.te
@@ -1343,6 +1343,12 @@ optional_policy(`
 allow staff_t container_runtime_t:process signal_perms;
 allow staff_t container_domain:process signal_perms;
+
+ # Allow confined user systemd instances to create and manage sockets
+ # for podman.socket activation (user-level systemd pre-labels the
+ # socket as container_runtime_t via setsockcreatecon)
+ allow { staff_t user_t } container_runtime_t:unix_stream_socket { create bind listen getattr setopt };
+
 allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
 ')
From af1e7593b4872096c2a9c663b2e10c045bf29e14 Mon Sep 17 00:00:00 2001
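Review bot: The user_t half of `allow { staff_t user_t } container_runtime_t:unix_stream_socket { create bind listen getattr setopt };` is unconditional, whereas patch 2/4 in this series gates user_t's domain transition into container_runtime_t behind the `user_t_run_containers` boolean (default off). With the boolean off, a user_t systemd instance can still create, bind and listen on sockets labeled container_runtime_t, which looks wider than needed; the user_t portion seems to belong in the tunable_policy block that the third hunk of patch 2/4 adds directly below this rule, with the staff_t portion staying as is. If keeping it unconditional is intentional (socket activation alone does not let user_t run podman as container_runtime_t), record that in the comment, e.g. `# user_t is granted unconditionally; the user_t -> container_runtime_t transition is gated by user_t_run_containers`. The enclosing optional_policy block starts outside the hunk.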
From: Lokesh Mandvekar
Date: Fri, 6 Mar 2026 21:32:00 +0530
Subject: [PATCH 2/4] Allow user_u users to run podman containers
Add unprivuser_role_change_to(system_r) so user_r can transition to system_r for container processes. Replace container_runtime_run(user_t, user_r) with its RBAC components (role statements) kept unconditional and move container_runtime_domtrans(user_t) plus signal_perms into a new tunable_policy block gated by user_t_run_containers (default: off). RBAC rules cannot be placed inside tunable_policy blocks, so the role statements and unprivuser_role_change_to(system_r) remain unconditional. The domain transition from user_t to container_runtime_t is only permitted when the boolean is enabled.
Fixes the following error and AVC:
```
$ id -Z
user_u:user_r:user_t:s0
$ podman run --rm -it ubi9
exec /bin/bash: permission denied
type=PROCTITLE msg=audit(1772104167.258:882): proctitle=2F7573722F62696E2F72756E6300696E6974
type=SYSCALL msg=audit(1772104167.258:882): arch=c000003e syscall=59 success=no exit=-13 a0=c0002d1ae0 a1=c00002d5e0 a2=c0002153b0 a3=0 items=0 ppid=7581 pid=7593 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=16 comm="runc:[2:INIT]" exe="/runc" subj=user_u:user_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1772104167.258:882): avc: denied { transition } for pid=7593 comm="runc:[2:INIT]" path="/usr/bin/bash" dev="overlay" ino=411042085 scontext=user_u:user_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c273,c965 tclass=process permissive=0
```
Fixes: RHEL-135342
Signed-off-by: Lokesh Mandvekar
---
 container.te | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/container.te b/container.te
index 19ccb68..a59d5b3 100644
--- a/container.te
+++ b/container.te
@@ -99,6 +99,15 @@ gen_tunable(container_read_public_content, false)
 ##
 gen_tunable(container_manage_public_content, false)
+##
+##

+## Allow user_t confined users to run podman containers.
+## Disabled by default since user_t is the most restricted
+## confined user type.
+##

+##
+gen_tunable(user_t_run_containers, false)
+
 attribute container_runtime_domain;
 container_runtime_domain_template(container_runtime)
 typealias container_runtime_t alias docker_t;
@@ -1336,10 +1345,11 @@ optional_policy(`
 allow userdomain self:cap_userns ~{ sys_module };
 container_read_state(userdomain)
 allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh };
- container_runtime_run(user_t, user_r)
+ role user_r types container_runtime_t;
 role user_r types container_user_domain;
 staff_role_change_to(system_r)
+ unprivuser_role_change_to(system_r)
 allow staff_t container_runtime_t:process signal_perms;
 allow staff_t container_domain:process signal_perms;
@@ -1349,6 +1359,12 @@ optional_policy(`
 # socket as container_runtime_t via setsockcreatecon)
 allow { staff_t user_t } container_runtime_t:unix_stream_socket { create bind listen getattr setopt };
+ tunable_policy(`user_t_run_containers',`
+ container_runtime_domtrans(user_t)
+ allow user_t container_runtime_t:process signal_perms;
+ allow user_t container_domain:process signal_perms;
+ ')
+
 allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
 ')
From 2a1a4356a53598b453b12013e7b50ad6d6616bc6 Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Thu, 26 Feb 2026 17:51:01 +0530
Subject: [PATCH 3/4] Restrict xmllint_validation test to upstream CI only
The xmllint test requires container-selinux source cloned which is currently only done in upstream CI environments. Disable it by default and enable it only when the initiator is packit.
Signed-off-by: Lokesh Mandvekar
---
 plans/main.fmf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/plans/main.fmf b/plans/main.fmf
index cbe5249..0e24941 100644
--- a/plans/main.fmf
+++ b/plans/main.fmf
@@ -22,6 +22,10 @@ prepare:
 test: /test/basic_check
 /xmllint_validation:
+ enabled: false
+ adjust:
+ - when: initiator == packit
+ enabled: true
 discover+:
 test: /test/xmllint_validation
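Review bot: `gen_tunable(user_t_run_containers, false)` embeds the type suffix `_t` in a boolean name, which sits oddly next to the `container_read_public_content` and `container_manage_public_content` booleans visible in this hunk's context; boolean names are user-facing through setsebool and semanage, so a name in the `user_`/`staff_` style of refpolicy booleans such as `user_exec_content`, e.g. `gen_tunable(user_run_containers, false)`, would read more consistently. Renaming a boolean after it ships is costly, so this is best settled before merge. The `<desc>`/`<p>` markup of the tunable's description is not visible in this rendering, so its XML cannot be checked here; it should be covered by the xmllint validation test.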
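Review bot: `role user_r types container_runtime_t;` and `unprivuser_role_change_to(system_r)` are added unconditionally, so the user_r to system_r role allow exists even when `user_t_run_containers` is off; the commit message explains that RBAC statements cannot live inside tunable_policy, but nothing in the policy text says so, and a later reader may try to move them under the boolean or wonder why user_r may change to system_r at all. A comment above the two statements would keep that reasoning with the rules, e.g. `# RBAC rules cannot be conditional; the user_t -> container_runtime_t transition itself is gated by user_t_run_containers below`. It is also worth confirming against the interface definition that `container_runtime_run()` consisted of exactly `container_runtime_domtrans()` plus the role statement, so that dropping it does not silently lose any other rule it carried. The enclosing optional_policy block starts and ends outside the hunk.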
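Review bot: The new `adjust` rule under `/xmllint_validation` carries no `because:` key, so the plan itself does not record why the test is disabled outside packit; the reason (the test needs a container-selinux source checkout that only upstream CI provides) lives only in the commit message. tmt adjust rules accept `because`, so adding `because: needs the container-selinux source checkout, which only upstream (packit) CI provides` next to the `when:` line keeps the rationale with the configuration. As written, downstream runs never exercise the policy XML validation; if that is acceptable, stating it in the same note avoids the question coming up again.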
From 9c8eb842947758b056e5c0b712fd95ac467d6f7d Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Thu, 26 Feb 2026 17:58:21 +0530
Subject: [PATCH 4/4] bump to v2.247.0
Signed-off-by: Lokesh Mandvekar
---
 container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container.te b/container.te
index a59d5b3..741f6fc 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.246.0)
+policy_module(container, 2.247.0)
 gen_require(`
 class passwd rootok;