Question: Custom module to give a container unix socket access

[Freddy500]

Hi. I'm trying to run a Podman container on Debian 13 with SELinux that needs access to the podman socket. By default this access is blocked by SELinux on debian when running in the container_t domain. I would like to create a custom domain for this container to allow it access.

I'm trying to use Udica with the refpolicy templates added here. This results in the cil file below:

(block socket-proxy
    (blockinherit container)
    (allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot ))) 

    (allow process user_tmp_t ( dir ( getattr ioctl lock open read search ))) 
    (allow process user_tmp_t ( file ( getattr ioctl lock open read ))) 
    (allow process user_tmp_t ( fifo_file ( getattr open read lock ioctl ))) 
    (allow process user_tmp_t ( sock_file ( getattr open read ))) 
    (allow process sysfs_t ( file ( open read ))) 
    (allow process urandom_device_t ( chr_file ( open read ))) 
    (allow process sysfs_t ( lnk_file ( read ))) 
    (allow process node_t ( tcp_socket ( node_bind ))) 
    (allow process socket-proxy.process ( udp_socket ( create connect ))) 
    (allow process unreserved_port_t ( tcp_socket ( name_bind ))) 
    (allow process socket-proxy.process ( process ( setrlimit ))) 
    (allow process user_tmp_t ( sock_file ( write ))) 
    (allow process unconfined_t ( unix_stream_socket ( connectto ))) 
    (allow process unconfined_t ( fifo_file ( write ioctl ))) 
    (allow process socket-proxy.process ( tcp_socket ( create getopt setopt bind getattr listen accept read write shutdown )))
)

Running the container with this profile however does not resolve the denial:

type=AVC msg=audit(1754898743.082:141): avc:  denied  { connectto } for  pid=1336 comm="haproxy" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:socket-proxy.process:s0:c398,c705 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Am I missing a configuration setting? The Debian setup is stock. The module builds and installs without errors but gives a libsemanage.add_user: user sddm not in password file message. I have labels=true set in ~/.config/containers.containers.conf and I'm running the container rootless using the Podman quadlet syntax with SecurityLabelType=socket-proxy.process.

Thank you.

[0xC0ncord]

Which Udica template are you using to create this policy? The denial shows that your haproxy container was blocked from connecting to a socket labeled unconfined_t which is probably one of your user processes.

The module builds and installs without errors but gives a libsemanage.add_user: user sddm not in password file message.

I thought this error was fixed a while ago in refpolicy. Can you please confirm that you're using a recent version?

[Freddy500]

Hi, I manually copied the refpolicy version of the templates from here to the udica install folder. Then I ran the command suggested by udica:

sudo udica -j socket-proxy.json socket-proxy
sudo semodule -i socket-proxy.cil /usr/share/udica/templates/base_container.cil

So it's the base_container template.

It's blocking access to the podman socket at /run/user/1000/podman/podman.sock. Running id -z as the user returns unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 which indeed explains that module. Podman allows activating a docker compatible socket for a user. It can be mounted into a rootless container (Volume=%t/podman/podman.sock:/var/run/docker.sock:ro). From looking at the rules I would guess the generated (allow process unconfined_t ( unix_stream_socket ( connectto ))) rule should allow access to this but it seems to not be working in my setup.

Could you let me know the command to get the version of the running refpolicy? I can't track it down. I'm running the new Debian 13 stable. The tracking page suggests either 2:2.20221101-9 or 2:2.20250213-10 but I would guess the latter one as version 13 was just released from testing to stable and I don't think these pages are always up to date.

[Freddy500]

Some additional information.

When installing the module I get the following SELinux denials for semodule . Not sure if this could be related to the libsemanage.add_user: user sddm not in password file message but it seems connected to adding the custom module.

type=AVC msg=audit(1754923895.534:1721): avc:  denied  { relabelfrom } for  pid=2074 comm="semodule" name="policy.34" dev="vda3" ino=2365947 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754923895.534:1722): avc:  denied  { relabelfrom } for  pid=2074 comm="semodule" name="file_contexts" dev="vda3" ino=2365948 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754923895.534:1723): avc:  denied  { relabelfrom } for  pid=2074 comm="semodule" name="seusers" dev="vda3" ino=2365949 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754923895.534:1724): avc:  denied  { relabelfrom } for  pid=2074 comm="semodule" name="file_contexts.homedirs" dev="vda3" ino=2365950 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754923895.586:1725): avc:  denied  { relabelfrom } for  pid=2074 comm="semodule" name="file_contexts.bin" dev="vda3" ino=2365951 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754923895.586:1726): avc:  denied  { relabelfrom } for  pid=2074 comm="semodule" name="file_contexts.homedirs.bin" dev="vda3" ino=2365952 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0

Once the container runs I get these denials as well for docker-entrypoi

type=AVC msg=audit(1754924220.294:1894): avc:  denied  { write } for  pid=3225 comm="docker-entrypoi" path="pipe:[18544]" dev="pipefs" ino=18544 scontext=system_u:system_r:socket-proxy.process:s0:c281,c858 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1754924220.294:1894): avc:  denied  { write } for  pid=3225 comm="docker-entrypoi" path="pipe:[18543]" dev="pipefs" ino=18543 scontext=system_u:system_r:socket-proxy.process:s0:c281,c858 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0

[0xC0ncord]

I checked this against container-selinux and this access isn't allowed there either but it could be a bug since most of the other unix_stream_socket perms are allowed.

Try adding the access manually to the generated policy:

(allow process unconfined_t (unix_stream_socket (connectto)))

[Freddy500]

Try adding the access manually to the generated policy: (allow process unconfined_t (unix_stream_socket (connectto)))

What do you mean with adding it manually? This line is present in the .cil file that I use to create the custom module. Is there a command to do it manually once the module is installed?

I checked this against container-selinux and this access isn't allowed there either but it could be a bug since most of the other unix_stream_socket perms are allowed.

I think it's a sensible default to not allow it and give access on a per container basis if needed.

Regarding container-selinux, I've run some tests on Fedora 42 with its default SELinux config:

• The haproxy container gets access by default to the podman socket, no errors or denials.
• The minimal wollomatic socket proxy container (just the Go standard library) gets blocked by SELinux.
• The target context of the podman socket is container_runtime_t and not unconfined_t as is the case in Debian: type=AVC msg=audit(1755109234.263:3748): avc: denied { connectto } for pid=22022 comm="socket-proxy" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:socket-proxy.process:s0:c2,c82 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
• I can create the custom module with Udica and it works when labeling the container. The specific rule to get to the socket is now: (allow process container_runtime_t ( unix_stream_socket ( connectto )))

Not sure if it's meaningful but on Debian when running audit2why against the denials with the custom module loaded I get:

type=AVC msg=audit(1755111080.174:1560): avc:  denied  { connectto } for  pid=4277 comm="socket-proxy" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:socket-proxy.process:s0:c214,c875 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
	Was caused by:

#Constraint rule:

#	mlsconstrain unix_stream_socket { ioctl read write create setattr append bind connect getopt setopt shutdown } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain unix_stream_socket { listen accept } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain unix_stream_socket { connectto } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
#	Possible cause is the source user (system_u) and target user (unconfined_u) are different.
#	Possible cause is the source role (system_r) and target role (unconfined_r) are different.
#	Possible cause is the source level (s0:c214,c875) and target level (s0-s0:c0.c1023) are different.

Things I'm considering:

• Is it a mislabeling issue for the podman socket on Debian?
• Would it make sense to convert the udica generated .cil to a .te, .fc, .if structure to rule out udica itself being incompatible with Debian/Refpolicy? If so, do you have some guidance on how to translate one to the other?

Thank you.

[0xC0ncord]

What do you mean with adding it manually? This line is present in the .cil file that I use to create the custom module.

I assumed it wasn't part of the policy generated by Udica since I didn't see it in the templates. If it's there then nevermind, sorry.

The target context of the podman socket is container_runtime_t and not unconfined_t as is the case in Debian:
[...]
Is it a mislabeling issue for the podman socket on Debian?

Ah. What's happening is on Fedora the container engine/runtime transitions to container_runtime_t (container_engine_t in refpolicy) when run by an unconfined (unconfined_t) user, whereas on refpolicy we keep the container engine running unconfined. This was a deliberate design decision at the time since the containers themselves could be confined while unconfined_t could do whatever it wanted with the container engine itself.

I'm assuming Udica doesn't normally add this access to its custom policies since it's already in the main policy, but this doesn't apply for unconfined since the socket doesn't get labeled.

As a workaround, see if relabeling the podman socket appropriately resolves the issue:

$ chcon -t container_runtime_t /run/user/1000/podman/podman.sock

If this works, then we should just be able to add the corresponding type transition to container_unconfined_role() in refpolicy.

[Freddy500]

As a workaround, see if relabeling the podman socket appropriately resolves the issue: $ chcon -t container_runtime_t /run/user/1000/podman/podman.sock

Both on Fedora and Debian doing ls -Z /run/user/1000/podman/podman.sock gives the same result: unconfined_u:object_r:user_tmp_t:s0. It's the tcontext in the denials for unix_stream_socket ( connectto ) that's different.

Running the above chcon command on Debian unfortunately does not solve the persistent connecto denial to the podman socket, which for some reason remains in the tcontext of unconfined_t. It seems most denials can be fixed with the .cil file but for some reason the ones who's tcontext is unconfined_t keep persisting.

These are the remaining denials after the chcon command:

type=AVC msg=audit(1755121052.976:1826): avc:  denied  { write } for  pid=12068 comm="socket-proxy" path="pipe:[54104]" dev="pipefs" ino=54104 scontext=system_u:system_r:socket-proxy.process:s0:c341,c675 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1755121052.980:1827): avc:  denied  { connectto } for  pid=12068 comm="socket-proxy" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:socket-proxy.process:s0:c341,c675 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

The Udica generated .cil on Debian after the chcon command:

(block socket-proxy
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process unreserved_port_t ( tcp_socket (  name_bind ))) 
    (allow process container_runtime_t ( dir ( getattr ioctl lock open read search ))) 
    (allow process container_runtime_t ( file ( getattr ioctl lock open read ))) 
    (allow process container_runtime_t ( fifo_file ( getattr open read lock ioctl ))) 
    (allow process container_runtime_t ( sock_file ( getattr open read ))) 
    (allow process container_runtime_t ( sock_file ( write ))) 
    (allow process sysfs_t ( file ( open read ))) 
    (allow process node_t ( tcp_socket ( node_bind ))) 
    (allow process socket-proxy.process ( tcp_socket ( create setopt bind listen getattr accept ))) 
    (allow process unconfined_t ( fifo_file ( write ))) 
    (allow process unconfined_t ( unix_stream_socket ( connectto ))) 
)

The one on Debian without the chcon command:

(block socket-proxy
	    (blockinherit container)
	    (blockinherit restricted_net_container)
	    (allow process unreserved_port_t ( tcp_socket (  name_bind ))) 
	    (allow process user_tmp_t ( dir ( getattr ioctl lock open read search ))) 
	    (allow process user_tmp_t ( file ( getattr ioctl lock open read ))) 
	    (allow process user_tmp_t ( fifo_file ( getattr open read lock ioctl ))) 
	    (allow process user_tmp_t ( sock_file ( getattr open read ))) 
        (allow process user_tmp_t ( sock_file ( write )))
	    (allow process sysfs_t ( file ( open read ))) 
	    (allow process node_t ( tcp_socket ( node_bind ))) 
	    (allow process socket-proxy.process ( tcp_socket ( create setopt bind listen getattr accept ))) 
	    (allow process unconfined_t ( fifo_file ( write ))) 
	    (allow process unconfined_t ( unix_stream_socket ( connectto ))) 
)

The one on Fedora that worked:

(block socket-proxy
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process unreserved_port_t ( tcp_socket (  name_bind ))) 
    (allow process user_tmp_t ( dir ( getattr ioctl lock open read search ))) 
    (allow process user_tmp_t ( file ( getattr ioctl lock open read ))) 
    (allow process user_tmp_t ( fifo_file ( getattr open read lock ioctl ))) 
    (allow process user_tmp_t ( sock_file ( getattr open read ))) 
    (allow process user_tmp_t ( sock_file ( write ))) 
    (allow process container_runtime_t ( unix_stream_socket ( connectto ))) 
)

[0xC0ncord]

Hmm. The access is definitely there so it might be a constraint problem. Would you be able to share the container json from podman inspect? Feel free to redact any personal information from it.

[Freddy500]

Would you be able to share the container json from podman inspect?

Here's the json using the wollomatic container on Debian:

[
     {
          "Id": "3f9a7b2c8d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5zdfge43dfg",
          "Created": "2025-08-14T13:54:23.728119075+00:00",
          "Path": "/socket-proxy",
          "Args": [
               "/socket-proxy"
          ],
          "State": {
               "OciVersion": "1.2.0",
               "Status": "running",
               "Running": true,
               "Paused": false,
               "Restarting": false,
               "OOMKilled": false,
               "Dead": false,
               "Pid": 8552,
               "ConmonPid": 8550,
               "ExitCode": 0,
               "Error": "",
               "StartedAt": "2025-08-14T13:54:23.829841991+00:00",
               "FinishedAt": "0001-01-01T00:00:00Z",
               "CgroupPath": "/user.slice/user-1000.slice/user@1000.service/app.slice/socket-proxy.service/libpod-payload-43bb657ad8b50835d77d119cc046cabf2b69f32ae8de1b53a7628ca1fa0eb14a",
               "CheckpointedAt": "0001-01-01T00:00:00Z",
               "RestoredAt": "0001-01-01T00:00:00Z"
          },
          "Image": "38141a6a0e6344cd8e397e87860ca7aa331b514f97e4356260bbc25252ef181d",
          "ImageDigest": "sha256:e3cb1a1583a913ceaa92551258dfb016fb7f72e10fd0930977ab3e44985d1467",
          "ImageName": "ghcr.io/wollomatic/socket-proxy:1.8.1",
          "Rootfs": "",
          "Pod": "",
          "ResolvConfPath": "/run/user/1000/containers/overlay-containers/43bb657ad8b50835d77d119cc046cabf2b69f32ae8de1b53a7628ca1fa0eb14a/userdata/resolv.conf",
          "HostnamePath": "/run/user/1000/containers/overlay-containers/43bb657ad8b50835d77d119cc046cabf2b69f32ae8de1b53a7628ca1fa0eb14a/userdata/hostname",
          "HostsPath": "/run/user/1000/containers/overlay-containers/43bb657ad8b50835d77d119cc046cabf2b69f32ae8de1b53a7628ca1fa0eb14a/userdata/hosts",
          "StaticDir": "/home/user-name/.local/share/containers/storage/overlay-containers/43bb657ad8b50835d77d119cc046cabf2b69f32ae8de1b53a7628ca1fa0eb14a/userdata",
          "OCIConfigPath": "/home/user-name/.local/share/containers/storage/overlay-containers/43bb657ad8b50835d77d119cc046cabf2b69f32ae8de1b53a7628ca1fa0eb14a/userdata/config.json",
          "OCIRuntime": "crun",
          "ConmonPidFile": "/run/user/1000/containers/overlay-containers/43bb657ad8b50835d77d119cc046cabf2b69f32ae8de1b53a7628ca1fa0eb14a/userdata/conmon.pid",
          "PidFile": "/run/user/1000/containers/overlay-containers/43bb657ad8b50835d77d119cc046cabf2b69f32ae8de1b53a7628ca1fa0eb14a/userdata/pidfile",
          "Name": "socket-proxy",
          "RestartCount": 0,
          "Driver": "overlay",
          "MountLabel": "system_u:object_r:container_file_t:s0:c522,c887",
          "ProcessLabel": "system_u:system_r:socket-proxy.process:s0:c522,c887",
          "AppArmorProfile": "",
          "EffectiveCaps": null,
          "BoundingCaps": null,
          "ExecIDs": [],
          "GraphDriver": {
               "Name": "overlay",
               "Data": {
                    "LowerDir": "/home/user-name/.local/share/containers/storage/overlay/fee6da98b0487538b9c0c5c6e3ea5f2399210c1ce481228e5867f2e2c7558de3/diff",
                    "MergedDir": "/home/user-name/.local/share/containers/storage/overlay/339b378d85d7375d7a9be0737cd82cd77bfbe788f527b05f41b3789198b6fdcf/merged",
                    "UpperDir": "/home/user-name/.local/share/containers/storage/overlay/339b378d85d7375d7a9be0737cd82cd77bfbe788f527b05f41b3789198b6fdcf/diff",
                    "WorkDir": "/home/user-name/.local/share/containers/storage/overlay/339b378d85d7375d7a9be0737cd82cd77bfbe788f527b05f41b3789198b6fdcf/work"
               }
          },
          "Mounts": [
               {
                    "Type": "bind",
                    "Source": "/run/user/1000/podman/podman.sock",
                    "Destination": "/var/run/docker.sock",
                    "Driver": "",
                    "Mode": "",
                    "Options": [
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": false,
                    "Propagation": "rprivate"
               }
          ],
          "Dependencies": [],
          "NetworkSettings": {
               "EndpointID": "",
               "Gateway": "",
               "IPAddress": "",
               "IPPrefixLen": 0,
               "IPv6Gateway": "",
               "GlobalIPv6Address": "",
               "GlobalIPv6PrefixLen": 0,
               "MacAddress": "",
               "Bridge": "",
               "SandboxID": "",
               "HairpinMode": false,
               "LinkLocalIPv6Address": "",
               "LinkLocalIPv6PrefixLen": 0,
               "Ports": {
                    "2375/tcp": null
               },
               "SandboxKey": "/run/user/1000/netns/netns-b8459404-b439-7c18-4cda-787169f3a279",
               "Networks": {
                    "socket-proxy": {
                         "EndpointID": "",
                         "Gateway": "10.89.1.1",
                         "IPAddress": "10.89.1.13",
                         "IPPrefixLen": 24,
                         "IPv6Gateway": "",
                         "GlobalIPv6Address": "",
                         "GlobalIPv6PrefixLen": 0,
                         "MacAddress": "82:b3:72:91:07:35",
                         "NetworkID": "977bb99325bdbd4338453467567567d43f3d77f365196a0a81d7ec89597f23674",
                         "DriverOpts": null,
                         "IPAMConfig": null,
                         "Links": null,
                         "Aliases": [
                              "43bb657ad8b5"
                         ]
                    }
               }
          },
          "Namespace": "",
          "IsInfra": false,
          "IsService": false,
          "KubeExitCodePropagation": "invalid",
          "lockNumber": 0,
          "Config": {
               "Hostname": "43bb657ad8b5",
               "Domainname": "",
               "User": "65534:0",
               "AttachStdin": false,
               "AttachStdout": false,
               "AttachStderr": false,
               "Tty": false,
               "OpenStdin": false,
               "StdinOnce": false,
               "Env": [
                    "SP_ALLOW_GET=/v1\\..{1,2}/(version|containers/.*|events.*)",
                    "SP_LISTENIP=0.0.0.0",
                    "SP_LOGLEVEL=info",
                    "SP_ALLOWFROM=socket-requiring-container",
                    "container=podman",
                    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    "HOME=/",
                    "HOSTNAME=43bb657ad8b5"
               ],
               "Cmd": null,
               "Image": "ghcr.io/wollomatic/socket-proxy:1.8.1",
               "Volumes": null,
               "WorkingDir": "/",
               "Entrypoint": [
                    "/socket-proxy"
               ],
               "OnBuild": null,
               "Labels": {
                    "PODMAN_SYSTEMD_UNIT": "socket-proxy.service",
                    "org.opencontainers.image.description": "A lightweight and secure unix socket proxy",
                    "org.opencontainers.image.licenses": "MIT",
                    "org.opencontainers.image.source": "https://github.com/wollomatic/socket-proxy"
               },
               "Annotations": {
                    "io.container.manager": "libpod",
                    "io.podman.annotations.autoremove": "TRUE",
                    "io.podman.annotations.cid-file": "/run/user/1000/socket-proxy.cid",
                    "io.podman.annotations.label": "type:socket-proxy.process",
                    "org.opencontainers.image.stopSignal": "15",
                    "org.systemd.property.KillSignal": "15",
                    "org.systemd.property.TimeoutStopUSec": "uint64 10000000"
               },
               "StopSignal": "SIGTERM",
               "HealthcheckOnFailureAction": "none",
               "HealthLogDestination": "local",
               "HealthcheckMaxLogCount": 5,
               "HealthcheckMaxLogSize": 500,
               "CreateCommand": [
                    "/usr/bin/podman",
                    "run",
                    "--name",
                    "socket-proxy",
                    "--cidfile=/run/user/1000/socket-proxy.cid",
                    "--replace",
                    "--rm",
                    "--cgroups=split",
                    "--network",
                    "socket-proxy",
                    "--sdnotify=conmon",
                    "-d",
                    "--security-opt=no-new-privileges",
                    "--security-opt",
                    "label=type:socket-proxy.process",
                    "--cap-drop",
                    "all",
                    "--read-only",
                    "--user",
                    "65534:0",
                    "-v",
                    "/run/user/1000/podman/podman.sock:/var/run/docker.sock:ro",
                    "--env",
                    "SP_ALLOWFROM=socket-requiring-container",
                    "--env",
                    "SP_ALLOW_GET=/v1\\..{1,2}/(version|containers/.*|events.*)",
                    "--env",
                    "SP_LISTENIP=0.0.0.0",
                    "--env",
                    "SP_LOGLEVEL=info",
                    "ghcr.io/wollomatic/socket-proxy:1.8.1"
               ],
               "Umask": "0022",
               "Timeout": 0,
               "StopTimeout": 10,
               "Passwd": true,
               "sdNotifyMode": "conmon",
               "sdNotifySocket": "/run/user/1000/systemd/notify",
               "ExposedPorts": {
                    "2375/tcp": {}
               }
          },
          "HostConfig": {
               "Binds": [
                    "/run/user/1000/podman/podman.sock:/var/run/docker.sock:ro,rprivate,nosuid,nodev,rbind"
               ],
               "CgroupManager": "systemd",
               "CgroupMode": "private",
               "ContainerIDFile": "/run/user/1000/socket-proxy.cid",
               "LogConfig": {
                    "Type": "journald",
                    "Config": null,
                    "Path": "",
                    "Tag": "",
                    "Size": "0B"
               },
               "NetworkMode": "bridge",
               "PortBindings": {},
               "RestartPolicy": {
                    "Name": "no",
                    "MaximumRetryCount": 0
               },
               "AutoRemove": true,
               "AutoRemoveImage": false,
               "Annotations": {
                    "io.container.manager": "libpod",
                    "io.podman.annotations.autoremove": "TRUE",
                    "io.podman.annotations.cid-file": "/run/user/1000/socket-proxy.cid",
                    "io.podman.annotations.label": "type:socket-proxy.process",
                    "org.opencontainers.image.stopSignal": "15",
                    "org.systemd.property.KillSignal": "15",
                    "org.systemd.property.TimeoutStopUSec": "uint64 10000000"
               },
               "VolumeDriver": "",
               "VolumesFrom": null,
               "CapAdd": [],
               "CapDrop": [
                    "CAP_CHOWN",
                    "CAP_DAC_OVERRIDE",
                    "CAP_FOWNER",
                    "CAP_FSETID",
                    "CAP_KILL",
                    "CAP_NET_BIND_SERVICE",
                    "CAP_SETFCAP",
                    "CAP_SETGID",
                    "CAP_SETPCAP",
                    "CAP_SETUID",
                    "CAP_SYS_CHROOT"
               ],
               "Dns": [],
               "DnsOptions": [],
               "DnsSearch": [],
               "ExtraHosts": [],
               "HostsFile": "",
               "GroupAdd": [],
               "IpcMode": "shareable",
               "Cgroup": "",
               "Cgroups": "default",
               "Links": null,
               "OomScoreAdj": 0,
               "PidMode": "private",
               "Privileged": false,
               "PublishAllPorts": false,
               "ReadonlyRootfs": true,
               "SecurityOpt": [
                    "no-new-privileges",
                    "label=type:socket-proxy.process"
               ],
               "Tmpfs": {},
               "UTSMode": "private",
               "UsernsMode": "",
               "ShmSize": 65536000,
               "Runtime": "oci",
               "ConsoleSize": [
                    0,
                    0
               ],
               "Isolation": "",
               "CpuShares": 0,
               "Memory": 0,
               "NanoCpus": 0,
               "CgroupParent": "",
               "BlkioWeight": 0,
               "BlkioWeightDevice": null,
               "BlkioDeviceReadBps": null,
               "BlkioDeviceWriteBps": null,
               "BlkioDeviceReadIOps": null,
               "BlkioDeviceWriteIOps": null,
               "CpuPeriod": 0,
               "CpuQuota": 0,
               "CpuRealtimePeriod": 0,
               "CpuRealtimeRuntime": 0,
               "CpusetCpus": "",
               "CpusetMems": "",
               "Devices": [],
               "DiskQuota": 0,
               "KernelMemory": 0,
               "MemoryReservation": 0,
               "MemorySwap": 0,
               "MemorySwappiness": 0,
               "OomKillDisable": false,
               "PidsLimit": 2048,
               "Ulimits": [
                    {
                         "Name": "RLIMIT_NOFILE",
                         "Soft": 524288,
                         "Hard": 524288
                    },
                    {
                         "Name": "RLIMIT_NPROC",
                         "Soft": 7477,
                         "Hard": 7477
                    }
               ],
               "CpuCount": 0,
               "CpuPercent": 0,
               "IOMaximumIOps": 0,
               "IOMaximumBandwidth": 0,
               "CgroupConf": null
          },
          "UseImageHosts": false,
          "UseImageHostname": false
     }
]

[0xC0ncord]

Revisiting this, for some reason I haven't been able to get udica to output a CIL module with anything more than this:

(block socket-proxy
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process unreserved_port_t ( tcp_socket (  name_bind ))) 
    (allow process container_runtime_t ( dir ( getattr ioctl lock open read search ))) 
    (allow process container_runtime_t ( file ( getattr ioctl lock open read ))) 
    (allow process container_runtime_t ( fifo_file ( getattr open read lock ioctl ))) 
    (allow process container_runtime_t ( sock_file ( getattr open read ))) 
)

I was trying to recreate the setup by re-using the creation command from the container JSON, but maybe something is missing.

@Freddy500 Are you able to share the quadlet file you used to create the container?

[Freddy500]

Thank you for getting back to me. I had abandoned this. It would be great if we could get it working on Debian.

I used the --append-rules option with Udica to add more permissions for reported blocks from the running container instead of just the generated json. I found those steps in this issue:

1. podman inspect socket-proxy > socket-proxy.json
2. Create initial module: udica -j socket-proxy.json socket-proxy
3. Install module: semodule -i socket-proxy.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
4. Add custom SELinux label to the container's Quadlet: SecurityLabelType=socket-proxy.process
5. Reload systemd: systemctl --user daemon-reload
6. Set SELinux to permissive: setenforce 0
7. Restart the container: systemctl --user restart socket-proxy
8. Dump the avc denial message into a file: ausearch -m AVC,USER_AVC -ts recent > avcfile
9. Generate new custom policy with the denial messages incorporated: udica -j socket-proxy.json --append-rules avcfile socket-proxy

Then install the updated module and repeat, if needed, until you caught all denials. I believe the permissions worked except the ones with a tcontext of unconfined_t. Tested on Debian 13 with Podman + SElinux. Another quadlet (I think an Alpine PostgreSQL db) would also not work. I don't have the details anymore but I believe it ended up as well with persistent unconfined_t denials.

I think this is the Quadlet I used. This was run rootless.

[Unit]
Description=Socket proxy
After=podman.socket
Requires=podman.socket

[Container]
ContainerName=socket-proxy
Image=ghcr.io/wollomatic/socket-proxy:1.9.0
NoNewPrivileges=true
ReadOnly=true
Network=socket-proxy.network

Volume=%t/podman/podman.sock:/var/run/docker.sock:ro

Environment=SP_LOGLEVEL=info
Environment=SP_LISTENIP=0.0.0.0
Environment=SP_ALLOWFROM=traefik
Environment=SP_ALLOW_GET='/v1\\..{1,2}/(version|containers/.*|events.*)'

SecurityLabelType=socket-proxy.process

[Service]
Restart=on-failure
TimeoutStartSec=300
 
[Install]
WantedBy=default.target

I can help with testing if I manage to set up a test server again.