Unable to install container-selinux on a MCS system

[ewee33]

I am attempting to install podman on a system whose SELinux policy is set to MCS. However, it appears that the container-selinux package will only install onto systems that are running a targeted policy. Is there any way to install this package on an MCS system? If not, this seems like a major limitation of this package and podman by extension.

Additional information:
This is a RHEL8 system running a custom SELinux policy. It does not have the selinux-policy-targeted package installed. Rather, it has a custom selinux-policy-mcs package. The SELINUXTYPE is set to mcs in /etc/selinux/config.

dnf install container-selinux does not work as container-selinux requires selinux-policy-targeted as a dependency. To get around this, I have downloaded the container-selinux RPM and used rpmrebuild to modify its .spec file to remove the dependency on selinux-policy-targeted. This modified RPM seems to install successfully, but the SELinux policy does not actually get installed. It appears there is logic in the RPM to not perform the semodule installation if SELINUXTYPE is not set to targeted, so no SELinux modules get installed on the system.

Ideally, I would like to be able to install this package via dnf so that I can stay up-to-date with updates.

Any help is appreciated, thanks!

[rhatdan]

Do you mean MLS? I have never heard of an mcs policy. I don't think you can install container-selinux onto an MLS system, because a lot of the interfaces that container-selinux uses will not be present. Also container-selinux does not follow the rules of an MLS system.

[ewee33]

Yes, I understand the mcs policy is not exactly standard. It is a custom policy.

I am surprised to hear that container-selinux cannot be installed onto an MLS system. Does that not contradict this blog post?

[rhatdan]

I guess I would say that it needs more options/types then might be in a standard MLS policy.

If you have a custom policy, what error are you seeing?

[rhatdan]

If this is just an RPM issue then it should be easy to fix.

[ewee33]

Installing the RPM (after removing the dependency on selinux-policy-targeted) does put the container.pp.bz2 file at /usr/share/selinux/packages. I have attempted to install this module directly with semodule -i container.pp.bz2, as well as semodule -n -s mcs -X 200 -i container.pp.bz2. However, both attempts result in the same error:

Failed to resolve typealiasactual statement at /var/lib/selinux/mcs/tmp/modules/400/container/cil:6
semodule:  Failed!

After extracting the cil file, I see that this is the faulty statement:

(typealiasactual docker_share_t container_ro_file_t)

I believe it does not recognize the container_ro_file_t type, which is strange as I would expect this module to define that type.

[rhatdan]

It is created in virt.te (Long story)