Rootless Podman in rootless podman without disabling SELinux?

[robertguetzkow]

I'm interested in running podman in podman (PINP) for CI. The use case is that the pipeline itself runs inside a podman container and developers may wish to start containers as part of the pipeline, e.g. for testing their containerized application. I would like to make this setup reasonably secure, but according to the article "How to use Podman inside of a container" disabling SELinux is a prerequisite for rootless podman in rootless podman. Ideally, I would not want to expose the host or other containers to unnecessary risks, may this be accidental or intentional attempts to circumvent the container isolation. Since the article is from 2021, I thought I'd ask whether there have been changes in the meantime.

• Is it possible to be more selective than disabling SELinux altogether?
• If this is not possible, what would be the recommendation besides using additional security layers like gVisor around podman ?

Thank you for developing this nice software!

[robertguetzkow]

Some initial tests seem to work fine without any changes to SELinux. I'd be curious when this is actually required.

[rhatdan]

Depending on what the container within a container is doing, it could break SELinux rules.

[robertguetzkow]

Given that the solution should be general purpose there could be use cases where this is necessary and I'm currently not aware of. Are there any resources that you can recommend where I can read up on situations where deliberately deactivating SELinux would be required?

[rhatdan]

What AVCs are you seeing?

sudo ausearch -m avc

[robertguetzkow]

I'll check, but I haven't encountered any unexplained permission errors yet. Seems to be working fine at the moment, I'm just trying to be proactive. If I would know under what circumstances I might run into trouble then I can prepare for that beforehand.