Set SELinux runtime context on unix socket

[mschiff]

Required information

• Distribution: Gentoo with SELinux enabled

Issue description

I am currently helping to create a proper SELinux policy module for incus in Gentoo

Currently, the default location for the control socket path is /var/lib/incus/unix.socket. This is maybe not the perfect location and putting it in /run/incus instead would be a better location. Normally not a big deal. But with SELinux this becomes an issue: Files being created inherit their context from the parent directory.
In case of incus /var/lib/incus has container_var_lib_t and /run/incus has container_runtime_t. And the socket needs container_runtime_t as well so the incus client can successfully connect to incusd.

I know I could set INCUS_SOCKET system-wide to kind of fix that, but as having sockets somewhere in /run/ seems to be the better option anyway I thought it might be worth creating an issue for that.

More options I can think of:

• making the path configurable at build time in incus
• adding a config option for incusd adding functionalitiy so that it will set the socket context by itself on creation, which would make it independent from the parent dir

What do you think?

[stgraber]

We already have our client logic automatically connect to /run/incus/unix.socket if present, however we're not likely to move the socket fully to that path for another year or so as we want to make sure that everything that consumes our client code is updated prior to making any such change (some of those are even still using the LXD Go client to talk to Incus).

So for now, your only real option is indeed to use INCUS_SOCKET as that's supported even by older clients.

We can certainly put logic to try to set the context on the socket to be container_runtime_t but that won't work in most cases as per our packaging guideline, Incus should be socket-activated, meaning that the init system is what created the socket, not Incus.

[stgraber]

What's the right command to set container_runtime_t as the label on the socket?

[mschiff]

What's the right command to set container_runtime_t as the label on the socket?

Hi Stéphane, if you mean for testing or so you would use:

chcon system_u:object_r:container_runtime_t:s0 /run/incus/unix.socket

Thanks for your quick answer and good work!

[mschiff]

We already have our client logic automatically connect to /run/incus/unix.socket if present

Are you sure? From what I have read in the code this is true for /var/lib/unix.socket

I just tested it: The incus client says:

"Error: The incus daemon doesn't appear to be started (socket path: /var/lib/incus/unix.socket)"

if only incusd had INCUS_SOCKET="/run/incus/unix.socket set at startup.

[stgraber]

https://github.com/lxc/incus/blob/main/client/connection.go#L183

[mschiff]

https://github.com/lxc/incus/blob/main/client/connection.go#L183

Hm. Ok, I will give it another try then. I only could get it to work with a globally set INCUS_SOCKET. Without that incus list gave me the error quoted before. Thanks!

Edit: I got it. This is new in 6.1 and I am running 6.0.0, so this is why I could not reproduce it using the socket in /run by iteself

[stgraber]

Edit: I got it. This is new in 6.1 and I am running 6.0.0, so this is why I could not reproduce it using the socket in /run by iteself

That'd indeed explain it ;)
We'll most likely push that one to 6.0.1 though so it'll eventually make it everywhere.