SELinux policy for mounting socket

[matejvasek]

By default podman's Unix socket cannot be dialed from container when mounted to it.
I know this is totally deliberate and for a good reasons. However I think that for rootless container is shouldn't be so bad, right?
There is a tool that needs that: pack.

One workaround I can use is to run podman on TCP socket instead of Unix socket, still I wish I could use Unix socket.
How can I do it? What SELinux policy / labels on socket would make it possible?

[abitrolly]

As long as containers can not mess with each other sockets it should be totally acceptable IMO..

[rhatdan]

Sure just disable SELinux protections for the container and it should work fine.

--security-opt label=disabled.

[matejvasek]

@rhatdan thanks for the reply. It works really well with podman run. However I am using podman as a docker deamon: podman system service. The podman system service sub-command doesn't accept the flag. Could it be added to it?

[rhatdan]

If you want to default the system to selinux disabled, setting
label=false in containers.conf should disable it by default.

man containers.conf

   Indicates whether the container engine uses MAC(SELinux) container separation via labeling. This option is ignored on disabled systems.

[rhatdan]

All callers into the daemon should disable it per container, just like you can with podman.

[rhatdan]

@wrabcak Any ideas on extending udica to allow a leaked socket into a container to communicate.

Basically we need ability to stream_connect_to and read/write socket perms on a confined domain.