Merged
26 changes: 24 additions & 2 deletions container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.246.0)
policy_module(container, 2.247.0)

gen_require(`
class passwd rootok;
@@ -99,6 +99,15 @@ gen_tunable(container_read_public_content, false)
## </desc>
gen_tunable(container_manage_public_content, false)

## <desc>
## <p>
## Allow user_t confined users to run podman containers.
## Disabled by default since user_t is the most restricted
## confined user type.
## </p>
## </desc>
gen_tunable(user_t_run_containers, false)

attribute container_runtime_domain;
container_runtime_domain_template(container_runtime)
typealias container_runtime_t alias docker_t;
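Review bot: the new boolean's name drops the `container_` prefix that the neighbouring tunables in this hunk carry (`container_read_public_content`, `container_manage_public_content`), so it will not sort or grep alongside the rest of the module's booleans; consider `container_user_t_run_containers` or similar for consistency, and mention in the `<desc>` that the boolean only affects the `user_t` domain (staff_t is unaffected), since the description text "confined users" could be read as covering all confined user types.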
@@ -1336,13 +1345,26 @@ optional_policy(`
allow userdomain self:cap_userns ~{ sys_module };
container_read_state(userdomain)
allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh };
container_runtime_run(user_t, user_r)
role user_r types container_runtime_t;
role user_r types container_user_domain;

staff_role_change_to(system_r)
unprivuser_role_change_to(system_r)

allow staff_t container_runtime_t:process signal_perms;
allow staff_t container_domain:process signal_perms;

# Allow confined user systemd instances to create and manage sockets
# for podman.socket activation (user-level systemd pre-labels the
# socket as container_runtime_t via setsockcreatecon)
allow { staff_t user_t } container_runtime_t:unix_stream_socket { create bind listen getattr setopt };

tunable_policy(`user_t_run_containers',`
container_runtime_domtrans(user_t)
allow user_t container_runtime_t:process signal_perms;
allow user_t container_domain:process signal_perms;
')

allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
')
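Review bot: the `user_t` half of the unconditional `allow { staff_t user_t } container_runtime_t:unix_stream_socket { create bind listen getattr setopt };` sits outside the `tunable_policy(`user_t_run_containers', ...)` block, so `user_t` may create, bind and listen on sockets labelled `container_runtime_t` even when the boolean is off, while the domain transition that socket activation is meant to serve is gated; either split the rule so the `user_t` part moves into the tunable block, or extend the comment to say why it is deliberately unconditional. The comment also relies on user-level systemd pre-labelling the socket via `setsockcreatecon`, which requires `process setsockcreate` on the calling domain; that permission is not in this hunk, so confirm it is granted to `staff_t` and `user_t` elsewhere or the pre-labelling will fail silently. Keeping `role user_r types container_runtime_t;` outside the tunable is correct, since role statements cannot appear inside conditional blocks.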

4 changes: 4 additions & 0 deletions plans/main.fmf
@@ -22,6 +22,10 @@ prepare:
test: /test/basic_check

/xmllint_validation:
enabled: false
adjust:
- when: initiator == packit
enabled: true
Comment on lines +25 to +28


medium

Disabling the xmllint_validation test by default and only enabling it for packit runs might lead to reduced validation coverage in other testing environments. If this test is crucial for maintaining the integrity of XML files, it should ideally run in all relevant contexts. Consider if the test can be made more robust or efficient to run universally, or if there's a specific reason it's problematic outside of packit.

If the test is consistently failing or causing issues, it might be better to address the root cause rather than conditionally disabling it, as this could mask potential problems in other CI pipelines or local development environments.

Member Author


Testing upstream suffices for now. I will need to change some of the propose-downstream Packit job setup if we want to fetch the entire upstream source tree for downstream tests. Ignoring this for now.

discover+:
test: /test/xmllint_validation
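Review bot: the plan gives no reason for the `adjust` rule that disables `/xmllint_validation` unless `initiator == packit`; a one-line comment above the rule stating the constraint the author gives in the thread (the test needs the full upstream source tree, which the propose-downstream job does not fetch) would stop the next reader from re-raising the coverage question, and makes it easy to find and remove the rule once the downstream job setup is changed.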
