Fix SELinux process labeling and label sockets correctly #648

Merged
merged 3 commits into from
Mar 23, 2019

Commits on Mar 23, 2019

  1. lsm: dump and restore any SELinux process label

    There was support for SELinux process labels in CRIU but because it was
    never tested or verified CRIU only supported the 'unconfined_t' process
    label. This was basically no SELinux support.
    
    For successful container checkpoint and restore on a SELinux enabled
    host it is necessary that the restored container has the same process
    context as before checkpointing.
    
    This commit only removes the check if the label is 'unconfined_t' and
    now stores any process label to be restored.
    
    For 'normal' processes started from the command-line which are usually
    running in the 'unconfined_t' this just works.
    
    For the container use case this needs additional policies. The latest
    container-selinux package on Fedora has the necessary policy to allow
    CRIU (running as 'container_runtime_t' when used from Podman) to
    transition the restored process to 'container_t'.
    
    Restoring a process running under systemd's control (which means
    'unconfined_service_t' without additional policies) will fail because
    CRIU will not be allowed to change the context of the restored process.
    
    For each additional CRIU use case on SELinux enabled systems, besides
    container processes and command-line/shell processes, additional SELinux
    policies are required to allow CRIU to do a 'dyntransition' (change the
    
    Signed-off-by: Adrian Reber <areber@redhat.com>
    adrianreber committed Mar 23, 2019
    fef99e5
  2. net: add correct SELinux label to parasite socket

    If running on a system with SELinux enabled the socket for the
    communication between parasite daemon and the main CRIU process needs to
    be correctly labeled.
    
    Initially this was motivated by Podman's use case: The container is
    usually running as something like '...:...:container_t:...:....' and
    CRIU started from runc and Podman will run as
    '...:...:container_runtime_t:...:...'. As the parasite will be running
    with the same context as the container process: 'container_t'.
    
    Allowing a container process to connect via socket to the outside
    of the container ('container_runtime_t') is not desired and therefore
    CRIU needs to label the socket with the context of the
    container: 'container_t'.
    
    So this first gets the context of the root container process and tells
    SELinux to label the next created socket with the same label as the root
    container process. For this to work it is necessary to have the correct
    SELinux policies installed. For Fedora based systems this is part of the
    container-selinux package.
    
    This assumes that all processes CRIU wants to dump are labeled with the
    same SELinux context. If some of the child processes have different
    labels this will not work and needs additional SELinux policies. But the
    whole SELinux socket labeling relies on the correct SELinux being
    available.
    
    Signed-off-by: Adrian Reber <areber@redhat.com>
    adrianreber committed Mar 23, 2019
    ed5d47e
  3. test: add selinux00 test

    This tests if CRIU can restore a process with the same policy as during
    checkpointing.
    
    The test selinux00 is started and if SELinux is available the test
    process moves itself to another process context. To make this possible
    either a new SELinux policy needs to be available containing:
    
    fedora-selinux/selinux-policy@2d537ca
    
    Or for a short time SELinux is switched to permissive mode.
    
    The correct SELinux setup is done by zdtm/static/selinux00.checkskip and
    zdtm/static/selinux00.hook and after the test the previous SELinux
    policy state is restored.
    
    After the test case is restored the test case checks if it still has the
    same SELinux process context as before. If not, the test case fails.
    
    Signed-off-by: Adrian Reber <areber@redhat.com>
    adrianreber committed Mar 23, 2019
    4c199a0
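
The socket-labeling step described in commit 2 (read the context of the root process, then tell SELinux to label the next created socket with it), as an added example that is not CRIU's own code. It assumes the kernel's procfs attribute files `/proc/<pid>/attr/current` and `/proc/thread-self/attr/sockcreate`; the helper names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed procfs attribute: labels the next socket this thread creates. */
#define SOCKCREATE "/proc/thread-self/attr/sockcreate"

/* Read a context from an attr file; -1 if unreadable or empty (no SELinux). */
int read_label(const char *path, char *buf, size_t len)
{
	FILE *f = fopen(path, "r");
	if (!f) return -1;
	size_t n = fread(buf, 1, len - 1, f);
	fclose(f);
	buf[n] = '\0';
	buf[strcspn(buf, "\n")] = '\0';
	return buf[0] ? 0 : -1;
}

/* Write a label to a sockcreate file; NULL resets to the policy default. */
int write_sockcreate(const char *path, const char *label)
{
	int fd = open(path, O_WRONLY);
	if (fd < 0) return -1;
	ssize_t r = label ? write(fd, label, strlen(label) + 1) : write(fd, NULL, 0);
	close(fd);
	return r < 0 ? -1 : 0;
}

/* Create a UNIX socket labeled like process `pid`. Fails closed: returns -1
 * unless the label was applied and the override was reset afterwards. */
int socket_labeled_like(pid_t pid)
{
	char path[64], label[512];
	snprintf(path, sizeof(path), "/proc/%d/attr/current", (int)pid);
	if (read_label(path, label, sizeof(label)) || write_sockcreate(SOCKCREATE, label))
		return -1;
	int sk = socket(AF_UNIX, SOCK_SEQPACKET, 0);
	if (write_sockcreate(SOCKCREATE, NULL) && sk >= 0) { /* always reset */
		close(sk);
		sk = -1;
	}
	return sk;
}

int main(void)
{
	return socket_labeled_like(getpid()) < 0; /* nonzero: label not applied */
}
```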