Help Wanted: Podman Rootless Container with custom Entrypoint-Script

[Jonas18175]

Hello,

i like to use steamcmd as dockercontainer rootless for my serveruser. But steamcmd should normally installed with normal user under /opt/steam/steamcmd/steamcmd.sh

I created a custom steamcmd.sh which run a docker/podman container with the steamcmd arks and pass the caller user id to a env.

I replace the default entrypoint-script with a custom one which is /opt/steam/steamcmd/steamcmd.docker.sh (steamuser)

When I run the container as root - all is working, but when I try it with the server user I get a "Error: error stat'ing file /opt/steam/steamcmd/steamcmd.docker.sh: Permission denied: OCI permission denied"

My selinux is on permissive on host. So I check the logs and it give me following message:

Mai 06 02:13:48 host setroubleshoot[81420]: SELinux is preventing steamcmd.replace from read access on the file steamcmd.docker.sh.
                                                      If you believe that steamcmd.replac should be allowed read access on the steamcmd.docker.sh file by default.
                                                      # ausearch -c 'steamcmd.replace' --raw | audit2allow -M my-steamcmdreplace
                                                      # semodule -X 300 -i my-steamcmdreplace.pp

I generated the file and it show me following:

module my-steamcmdreplace 1.0;

require {
	type container_t;
	type etc_t;
	class file entrypoint;
}

#============= container_t ==============
allow container_t etc_t:file entrypoint;

A second selinux message is

Mai 05 01:30:29 host setroubleshoot[3763945]: SELinux is preventing /bin/dash from entrypoint access on the file /usr/bin/steamcmd.replace.
                                                        If you believe that dash should be allowed entrypoint access on the steamcmd.replace file by default.

I added the modules but nothing changes - so I tried with udica to generate container policies - but it works only for a container which is running - so I used a container running from root.

I added the rule manually to the udica generated module which contains following:

(block steamcmd
    (blockinherit container)
    (allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot ))) 

    (allow process usr_t ( dir ( getattr ioctl lock open read search ))) 
    (allow process usr_t ( file ( getattr ioctl lock open read ))) 
    (allow process usr_t ( sock_file ( getattr open read ))) 
    (allow process usr_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) 
    (allow process usr_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) 
    (allow process usr_t ( sock_file ( append getattr open read write ))) 
    (allow container_t etc_t (file (entrypoint)))
)

The command to run that container from serveruser is:

podman run --network=host --dns 8.8.8.8 --security-opt label=type:steamcmd.process -t --rm --entrypoint 'steamcmd.replace' --name steamcmd -v /opt/steam/steamcmd/steamcmd.docker.sh:/usr/bin/steamcmd.replace:z -v .:/data docker.io/steamcmd/steamcmd:latest +force_install_dir /data validate

What is the reason for that?

[rhatdan]

@wrabcak PTAL

This line looks wrong.

(allow container_t etc_t (file (entrypoint)))

I think this should be

(allow process etc_t (file (entrypoint)))

[wrabcak]

Hi All,

Yes, it should be
(allow process etc_t (file (entrypoint)))

As @rhatdan mentioned. However, I still would like to see the SELinux denial for etc_t entrypoint.

Thanks,
Lukas.

[Jonas18175]

Thanks for the fast support. I change that line and I try it - I don't see new audit messages, but it doesn't work. Podman returns always:

Error: error stat'ing file `/opt/steam/steamcmd/steamcmd.docker.sh`: Permission denied: OCI permission denied

[rhatdan]

Shut off dontaudit rules

# semodule -DB

Run your test
Turn back on dontaudit rules

# semodule -B 

You should see that AVC now.

[rhatdan]

I would figure that UID 976 or 1011 is not available inside of the container.

[Jonas18175]

OK. And what is the reason for the permission denied? How can I fix it?

[rhatdan]

ls -l /opt/steam/steamcmd/steamcmd.docker.sh
Most likely the users inside of the container are not allowed to execute this script.

Can you show the ls -l of the command within the container?

[Jonas18175]

It shows the ids from the user outside the container, but I think I must use these ids, because in rootless the user dosen't has permissions to read the file, right? But I can give 'other read access to that file' - but it isn't great.

-rwxrwxr-x. 1 ark ark 1105 20. Dez 03:51 /opt/steam/steamcmd/steamcmd.docker.sh
[root@v89407 ~]# id ark
uid=976(ark) gid=1011(ark) Groups=1011(ark),1000(steam)
[root@v89407 ~]# 

The file should be owned by steam and by steam group, but for test cases it is the ark user.

[Jonas18175]

Anybody that can help me please?