container_user_u issues related to podmansh

[bachradsusi]

• podmansh(1) mentions label=user:container_user_u which is defined in this policy. This repository ships container_u file to assign correct context during login - it should follow seuser_id so the right file should be container_user_u and it's probably not necessary at all unless it's expected that container_user_u would be used for users who log in.

• In order to make container_user_u available for this use case, it's necessary to run semanage user -a -r s0-s0:c0.c1023 -R "container_user_r" container_user_u or use gen_user() macro

• there are few missing rules to make it work with unconfined_t:

(roleallow unconfined_r container_user_r)

(allow container_runtime_t container_user_t ( process ( transition )))
(allow container_runtime_t container_user_t ( process2 ( nnp_transition )))

(allow container_user_t container_file_t ( chr_file ( ioctl read write )))
(allow container_user_t container_file_t ( file ( entrypoint )))
(allow container_user_t container_runtime_t ( fifo_file ( write )))

[rhatdan]

How can I do
(roleallow unconfined_r container_user_r)
Using traditional container.te rules?

[zpytela]

Would a simple allow rule do the job? https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/userdomain.if#L43