
Commit 2d6edfa

docs: Talk more about runtime properties, especially SELinux
Since SELinux is special let's elaborate on it more here.

Signed-off-by: Colin Walters <[email protected]>
1 parent b254f86 commit 2d6edfa


1 file changed: +63 -0 lines changed


docs/src/building/bootc-runtime.md

Lines changed: 63 additions & 0 deletions
@@ -61,3 +61,66 @@ Relevant links:
6161
- [CentOS Automotive SIG unattended updates](https://sigs.centos.org/automotive/building/unattended_updates/#watchdog-in-qemu)
6262
(note that as of right now, greenboot does not yet integrate with bootc)
6363
- <https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/>
64+
65+
66+
## Kernel
67+
68+
When run as a container, the Linux kernel binary in
69+
`/usr/lib/modules/$kver/vmlinuz` is ignored. It
70+
is only used when a bootc container is deployed
71+
to a physical or virtual machine.
72+
73+
## Security properties
74+
75+
When run as a container, the container runtime will by default apply
76+
various Linux kernel features such as namespacing to isolate
77+
the container processes from other system processes.
78+
79+
None of these isolation properties apply when a bootc
80+
system is deployed.
81+
82+
## SELinux
83+
84+
Container runtimes such as `podman` and `docker` commonly
85+
apply a "coarse" SELinux policy to running containers.
86+
See [container-selinux](https://github.com/containers/container-selinux/blob/main/container_selinux.8).
87+
It is very important to understand that non-bootc base
88+
images do not (usually) have any embedded `security.selinux` metadata
89+
at all; all labels on the toplevel container image
90+
are *dynamically* generated per container invocation,
91+
and there are no individually distinct e.g. `etc_t` and
92+
`usr_t` types.
93+
94+
In contrast, with the current OSTree backend for bootc,
95+
when the base image is built, label metadata is included
96+
in special metadata files in `/sysroot/ostree` that correspond
97+
to components of the base image.
98+
99+
When a bootc container is deployed, the system
100+
will use these default SELinux labels.
101+
Further non-OSTree layers will be dynamically labeled
102+
using the base policy.
103+
104+
Hence, at the current time it will *not* work to override
105+
the labels for files in derived layers by using e.g.
106+
107+
```
108+
RUN semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
109+
```
110+
111+
(This command will write to `/etc/selinux/policy/$policy/`)
112+
113+
It will *never* work to do e.g.:
114+
115+
```
116+
RUN chcon -t foo_t /usr/bin/foo
117+
```
118+
119+
Because the container runtime state will deny the attempt to
120+
"physically" set the `security.selinux` extended attribute.
121+
In contrast per above, future support for custom labeling
122+
will by default be done by customizing the policy file_contexts.
123+
124+
References:
125+
126+
- <https://github.com/ostreedev/ostree-rs-ext/issues/510>
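Review bot: the two "will not work" examples leave the reader guessing at the actual outcome of each `RUN` step, and the rationale for the `chcon` case is stranded after its code block as a sentence fragment ("Because the container runtime state will deny the attempt to ..."). For the `semanage fcontext` example, the parenthetical only says the command writes to `/etc/selinux/policy/$policy/`; say explicitly whether the step succeeds and the resulting file_contexts entry is simply not consulted at deploy time, since "does not work" and "fails" read very differently in a Containerfile. For the `chcon` example, fold the reason into the introducing sentence, e.g. `It will *never* work to do e.g. the following, because the container runtime will deny the attempt to "physically" set the `security.selinux` extended attribute:`, and drop the trailing fragment. Minor style points: "container runtime state" likely means just "container runtime", "In contrast per above" reads awkwardly (e.g. "As noted above, future support ..."), and both fences would benefit from a `dockerfile` language tag so the `RUN` lines render as Containerfile syntax.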
