Fix denial for rootless docker #388
The following occurs during rootless docker 'systemctl --user restart docker.service'.

----
type=PROCTITLE msg=audit(..) : proctitle=/sbin/iptables --wait -t filter -n -L DOCKER-USER
type=PATH msg=audit(..) : item=0 name=/proc/net/ip_tables_names inode=4026532558 dev=00:17 mode=file,440 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(..) : cwd=/home/user3
type=SYSCALL msg=audit(07/14/25 10:50:08.851:653) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55916df27b70 a2=O_RDONLY a3=0x0 items=1 ppid=4831 pid=4979 auid=user3 uid=user3 gid=user3 euid=user3 suid=user3 fsuid=user3 egid=user3 sgid=user3 fsgid=user3 tty=(none) ses=12 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(..) : avc: denied { dac_override } for pid=4979 comm=iptables capability=dac_override scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
----

Fixes: bsc#1246348
Signed-off-by: Robert Frohl <[email protected]>
Reviewer's Guide

This PR extends the container SELinux policy to grant the iptables_t domain the DAC_OVERRIDE capability required by rootless Docker, ensuring the ip_tables kernel module can be loaded without AVC denials.
Summary of Changes

Hello @rfrohl, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a specific SELinux Access Vector Cache (AVC) denial that occurs when attempting to start rootless Docker, particularly when the iptables command is executed. The core issue is iptables being denied the dac_override capability. My proposed solution is to modify the SELinux policy to explicitly permit this capability for iptables within the context of user namespaces, thereby unblocking rootless Docker operations.

Highlights

- SELinux Policy Update: I've added a new SELinux rule to the container.te policy file. This rule specifically grants the dac_override capability to processes running under the iptables_t domain within a user namespace (cap_userns). This change is intended to resolve an AVC denial encountered when iptables is invoked by rootless Docker.
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rfrohl, sourcery-ai[bot]
Code Review

This pull request fixes an AVC denial for rootless docker by allowing the iptables_t domain the dac_override capability. The change is correct in addressing the denial, but the review suggests adding a comment to track this for a more secure implementation using a tunable boolean in the future. This will improve maintainability and security.
@@ -465,6 +465,7 @@ optional_policy(` | |||
container_append_file(iptables_t) | |||
allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms; | |||
allow iptables_t container_file_type:dir list_dir_perms; | |||
allow iptables_t self:cap_userns dac_override; |
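Review bot: the added `allow iptables_t self:cap_userns dac_override;` grants the capability unconditionally inside this optional_policy block, and the audit record in the PR description suggests it will not even make the failing open succeed: the denied openat is on /proc/net/ip_tables_names (mode 440, owned by root) issued by uid user3, and CAP_DAC_OVERRIDE held inside a user namespace only overrides DAC checks on inodes whose owner is mapped into that namespace, so the open keeps returning EACCES and only the AVC log line disappears. That matches the author's note that testing shows no functional impact. If that holds, `dontaudit iptables_t self:cap_userns dac_override;` is the narrower change; if the allow is kept, wrap it in a `tunable_policy` block whose boolean defaults to off, and add a comment citing bsc#1246348 so the rule can be revisited.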
Granting dac_override is a broad permission that bypasses file permission checks. While this addresses the AVC denial for rootless docker, it's a broad permission to grant unconditionally and could have security implications.

Consider making this conditional via a new SELinux tunable (boolean), e.g. container_rootless_use_iptables. This would allow administrators to opt-in to this behavior only when needed, without reducing the default security for all users.

Add a comment to highlight the issue and track it for future improvement.

```
# Required for rootless docker. This is a broad permission.
# TODO: Gate this with a tunable boolean for rootless docker scenarios.
allow iptables_t self:cap_userns dac_override;
```
I am seeing the following AVC with rootless docker and am looking for guidance how a better solution might look:

Have the full auditing results with more details in the commit message.

The AVC occurs during:

and needs as a prerequisite the ip_tables kernel module loaded to create /proc/net/ip_tables_names:

Could see this for a SLES as well as a fedora workstation. Submitting the naive solution to get some feedback how best to solve this.

edit: The team testing this reports no noticeable impact on the functionality tested, so maybe dontaudit instead?

Summary by Sourcery

Update the SELinux container policy to permit iptables operations required for rootless Docker networking by granting the necessary capability and ensuring the ip_tables module can be loaded.
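A gated form of the rule, added here as an illustration of the tunable boolean the review above proposes and of the dontaudit fallback the author asks about; this is not code from this PR or from container-selinux, and the boolean name container_rootless_use_iptables is the reviewer's suggested name, not an existing one:

```selinux
## <desc>
## <p>
## Allow iptables_t to use DAC_OVERRIDE inside a user namespace.
## Rootless docker triggers this when iptables opens
## /proc/net/ip_tables_names (see the AVC record in this PR).
## </p>
## </desc>
gen_tunable(container_rootless_use_iptables, false)

optional_policy(`
    gen_require(`
        type iptables_t;
    ')

    tunable_policy(`container_rootless_use_iptables',`
        # Boolean on: grant DAC_OVERRIDE in the user namespace only
        # (class cap_userns, not the host-wide capability class).
        allow iptables_t self:cap_userns dac_override;
    ',`
        # Boolean off (the default): keep denying, but stop logging this
        # known denial, which the author's testing reports as having no
        # functional impact, so it does not flood audit.log.
        dontaudit iptables_t self:cap_userns dac_override;
    ')
')
```

After the rebuilt module is loaded, an administrator opts in with `setsebool -P container_rootless_use_iptables on` and can confirm the state with `getsebool container_rootless_use_iptables`.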