Add container_runtime_nnp_domtrans interface for systemd-managed containers#473

Open
JJanasek wants to merge 1 commit into
containers:mainfrom
JJanasek:nnp_transition
Conversation

@JJanasek JJanasek commented Jun 25, 2026


Description

This PR introduces a new interface, container_runtime_nnp_domtrans, to allow caller domains to transition to the container runtime domain under NoNewPrivileges (NNP) and from nosuid mounts.

Why is this needed?

When running Podman containers via systemd (specifically using Podman Quadlets), administrators often use standard systemd security directives like DynamicUser=yes or ProtectSystem=strict. Systemd automatically enables NoNewPrivileges=yes on the service process when these are used.

Because of this, the kernel blocks the SELinux domain transition into container_runtime_t, logging a tclass=process2 denial for nnp_transition (and often nosuid_transition), causing the container to fail at startup.

Currently, there is no interface exposed for caller domains to explicitly allow this transition under NNP.

What this PR does

It adds the container_runtime_nnp_domtrans interface to container.if.

By exposing this interface, we allow other policies (like the base OS policy) to consume it without breaking encapsulation. I plan to submit a follow-up PR to fedora-selinux/selinux-policy that uses this new interface to explicitly allow unconfined_service_t to spawn containers securely under NNP.

Related Issues

https://bugzilla.redhat.com/show_bug.cgi?id=2417297

Summary by Sourcery

Introduce a new SELinux interface to support domain transitions into the container runtime under NoNewPrivileges and nosuid constraints.

New Features:

  • Add the container_runtime_nnp_domtrans SELinux policy interface for systemd-managed container runtimes operating under NoNewPrivileges and nosuid mounts.

Enhancements:

  • Expose the new domain transition interface in container.if to allow external policies to grant secure transitions into container_runtime_t without breaking encapsulation.
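An added check for the failure mode the description above names (example shell script, not part of this PR or the project; the audit lines are constructed): it pulls the process2 nnp_transition/nosuid_transition denials into container_runtime_t out of audit log lines and lists the caller domains that a policy module would pass to container_runtime_nnp_domtrans().

```shell
#!/bin/sh
# Added example (not from the PR): find the process2 { nnp_transition
# nosuid_transition } denials this PR is about and report which caller
# domain needs container_runtime_nnp_domtrans(<domain>) in its policy.

# Constructed sample audit lines, not taken from a real system. The first
# two are the NNP/nosuid transition denials; the third is an unrelated
# file denial that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1719300000.101:301): avc:  denied  { nnp_transition } for  pid=4242 comm="(podman)" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1719300000.102:302): avc:  denied  { nosuid_transition } for  pid=4242 comm="(podman)" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1719300000.103:303): avc:  denied  { write } for  pid=4243 comm="podman" name="x" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Reads audit lines on stdin; prints "<caller_domain> <permission>" for
# every process2 nnp/nosuid denial whose target is container_runtime_t.
nnp_denials() {
    awk '
    /avc:  denied/ && /tclass=process2/ {
        perm = $0; sub(/.*denied  [{] /, "", perm); sub(/ [}].*/, "", perm)
        if (perm != "nnp_transition" && perm != "nosuid_transition") next
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
        split(src, s, ":"); split(tgt, t, ":")   # user:role:type:level
        if (t[3] == "container_runtime_t") print s[3], perm
    }'
}

# Distinct caller domains: each one is the $1 argument a policy module
# would hand to container_runtime_nnp_domtrans().
domains_needing_interface() {
    nnp_denials | awk '{ print $1 }' | sort -u
}

main() {
    echo "process2 transition denials into container_runtime_t:"
    printf '%s\n' "$SAMPLE_AVC" | nnp_denials
    echo "caller domains to pass to container_runtime_nnp_domtrans():"
    printf '%s\n' "$SAMPLE_AVC" | domains_needing_interface
}

main
```

On a live host the same functions can be fed with `ausearch -m AVC -ts recent` instead of the constructed sample.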

sourcery-ai Bot commented Jun 25, 2026

Reviewer's Guide

Adds a new SELinux interface to support domain transitions into the container runtime domain under NoNewPrivileges (NNP) and from nosuid mounts, primarily to enable systemd-managed Podman containers to run securely when NNP is enforced.

File-Level Changes

Change: Introduce a dedicated SELinux interface to allow NNP/nosuid domain transitions into the container runtime domain.
Details:
  • Define the container_runtime_nnp_domtrans interface macro in the container interface file
  • Wire the interface to grant the nnp_transition and nosuid_transition permissions needed for process2 domain transitions into container_runtime_t
  • Document the intended usage of the interface for systemd-managed container services (e.g., Podman Quadlets)
Files: container.if

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a new interface container_runtime_nnp_domtrans in container.if to allow domain transitions to container_runtime_t under NoNewPrivileges (NNP) or nosuid. The reviewer suggests reusing the existing container_runtime_domtrans interface within the new interface to avoid duplicating the domain transition pattern and ensure all necessary permissions are inherited.

Comment thread container.if
Comment on lines +1142 to +1149
interface(`container_runtime_nnp_domtrans',`
gen_require(`
type container_runtime_t, container_runtime_exec_t;
')

domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
allow $1 container_runtime_t:process2 { nnp_transition nosuid_transition };
') No newline at end of file
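Review bot: the domtrans_pattern($1, container_runtime_exec_t, container_runtime_t) line re-implements the transition that the existing container_runtime_domtrans interface already grants, so the new interface should call container_runtime_domtrans($1) and keep only the `allow $1 container_runtime_t:process2 { nnp_transition nosuid_transition };` line; that way the entry-point permissions cannot drift apart between the two interfaces, and gen_require only needs `type container_runtime_t;`. The file also ends without a trailing newline after the closing `')`.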

medium

Instead of duplicating the domain transition pattern, it is highly recommended to call the existing container_runtime_domtrans interface. This ensures that container_runtime_nnp_domtrans inherits all necessary permissions for executing the container runtime (such as corecmd_search_bin and FIFO file permissions) and simplifies future maintenance.

interface(`container_runtime_nnp_domtrans',`
	gen_require(`
		type container_runtime_t;
	')

	container_runtime_domtrans($1)
	allow $1 container_runtime_t:process2 { nnp_transition nosuid_transition };
')

Member

AI is correct, we already have an interface for this.

@packit-as-a-service

Tests failed. @containers/packit-build please check.

Systemd services using standard hardening directives (such as
DynamicUser, ProtectSystem, or RestrictSUIDSGID) automatically
have NoNewPrivileges (NNP) enabled by systemd.

When these services (e.g., Podman Quadlets) attempt to start
containers, the kernel blocks the SELinux domain transition to
container_runtime_t due to NNP or nosuid mount restrictions,
causing the containers to fail at startup.

This commit introduces the `container_runtime_nnp_domtrans`
interface. It allows caller domains to explicitly bypass NNP
and nosuid restrictions on the process2 class during the
transition to the container runtime. This provides a clean
way for base policies to enable secure, systemd-managed
container workloads.

Signed-off-by: jjanasek <jjanasek@redhat.com>
rhatdan commented Jun 26, 2026

@JJanasek I don't think this PR is necessary, do you disagree?
