enable container_manage_cgroup SELinux boolean by default #397

Closed
miabbott opened this issue Feb 21, 2020 · 12 comments
@miabbott (Member)

Currently, if users want to run a container with systemd started inside of the container, they need to enable the container_manage_cgroup SELinux boolean on their host.

And because the ergonomics of configuring a persistent SELinux policy change are not great on FCOS, this seems like a use case we would like to enable for users out of the box.

@rhatdan

rhatdan commented Feb 25, 2020

For CoreOS, this needs to be on by default since it cannot be permanently enabled on the system.
Another option would be for users who want to enable this feature to set the boolean at boot time:

# setsebool container_manage_cgroup 1

This would work now. Note no -P flag, since I believe recompiling and installing the policy might break on a CoreOS system.

@jamescassell (Collaborator)

Doesn't cgroup v2 avoid the need for this? What are the security implications of setting this?

@rhatdan

rhatdan commented Feb 25, 2020

No, cgroup v2 does not fix this, sadly. I have to get back to the upstream developers to see if anyone has made progress.

This basically means that, from an SELinux point of view, containers can modify the cgroup file system if they can get to it.

dustymabe added the "meeting" label (topics for meetings) Feb 26, 2020

@dustymabe (Member)

I'm +1 as I already needed to do this for one of my servers. Here's a comment with the unit I used: #368 (comment)

@dustymabe (Member)

> This basically means that, from an SELinux point of view, containers can modify the cgroup file system if they can get to it.

It looks like the security implications are described in a little more detail here: https://bugzilla.redhat.com/show_bug.cgi?id=1806038#c8

In light of that I'm rethinking my earlier +1 here.

@jlebon (Member)

jlebon commented Mar 4, 2020

This was discussed in today's community meeting:

16:55:01 <jlebon> #agreed due to the security implications, we would rather
keep container_manage_cgroup off. we should discuss with SELinux folks
on a better path. meanwhile, we should document how to enable it for those
who really want it

@rhatdan

rhatdan commented Mar 4, 2020

I am looking into adding a type for running systemd based containers. The question would be whether or not we want to force users to figure out the label, or just add this to the selinux stack.

@dustymabe (Member)

@rhatdan - sent you an email to try to coordinate a time to discuss this.

@jlebon - so the remaining step is to add documentation for now. We'll consider coreos/fedora-coreos-config#291 and then add documentation after that is considered.

dustymabe removed the "meeting" label (topics for meetings) Mar 5, 2020

@harshblog150

@rhatdan I checked "container_manage_cgroup" for my container; it gives "getsebool: SELinux is disabled", so I tried running "setsebool -P container_manage_cgroup 1" inside the container, and it gives the error:
"bash: setsebool: command not found."

@rhatdan

rhatdan commented Apr 27, 2020

If SELinux is disabled on the host, then this will not affect anything.

@dustymabe (Member)

@harshblog150 Also, I think you need to run those commands directly on the host itself. Here is an example of automating it: #368 (comment)
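The at-boot approach rhatdan describes above (setsebool without -P, re-applied every boot) and the unit-based automation dustymabe refers to can be expressed as a Butane config for Fedora CoreOS. The following is an added example written for this page; it is not the unit from #368, not code from the fedora-coreos-config repository, and the unit name, Butane version and ordering directives are assumptions. It runs on the host, as an Ignition-provisioned systemd unit, never inside a container, and is only meaningful while SELinux is enabled; per the final comment in this thread the boolean is no longer required on current Fedora CoreOS, so this illustrates the workaround as it was discussed at the time.

```yaml
# Added example, not from the issue thread or the fedora-coreos-config repo.
# Butane config (variant/version are assumptions) that installs a oneshot unit
# which runs `setsebool container_manage_cgroup 1` on every boot.
# No -P: the change is runtime-only and is lost on reboot, which is exactly
# why the unit re-applies it each time instead of rebuilding the policy.
variant: fcos
version: 1.4.0
systemd:
  units:
    # Unit name is an assumption; container units that run systemd inside
    # the container should add After=container-manage-cgroup.service.
    - name: container-manage-cgroup.service
      enabled: true
      contents: |
        [Unit]
        Description=Enable container_manage_cgroup SELinux boolean at boot (runtime-only)
        # Skip cleanly when SELinux is disabled on the host; the boolean
        # would not affect anything there (see rhatdan's reply above).
        ConditionSecurity=selinux

        [Service]
        Type=oneshot
        # Keep the unit "active" so dependents can order After= it.
        RemainAfterExit=yes
        ExecStart=/usr/sbin/setsebool container_manage_cgroup 1
        # Verify the change took effect; the unit fails if it did not.
        ExecStartPost=/bin/sh -c 'getsebool container_manage_cgroup | grep -q -- "--> on"'

        [Install]
        WantedBy=multi-user.target
```

Translate it with `butane --strict config.bu > config.ign` and provision the host with the resulting Ignition file; after boot, `getsebool container_manage_cgroup` on the host should report `on`. The security trade-off from the Bugzilla comment linked above still applies: while the boolean is on, any container that can reach the cgroup filesystem may modify it, so enable this only on hosts that actually need systemd-in-container.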

@dustymabe (Member)

The container_manage_cgroup boolean is no longer needed. Running systemd in a container should work without setting this boolean now. See:

dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Dec 9, 2022
jlebon pushed a commit to coreos/fedora-coreos-config that referenced this issue Dec 9, 2022
HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this issue Oct 10, 2023
HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this issue Oct 10, 2023
7 participants