Comment # 5 on bug 1186158 from
On second thought, I might not agree. I would agree if I exposed a root-owned
podman.sock to a rootless container. I am not doing that. When I start podman
like so: systemctl --user start podman, I am creating a socket under
/run/user/<uid>/podman/podman.sock. This socket is owned by the unprivileged
user. Also, this socket would not gain access to root-owned containers. As far
as I understand, rootless and rootful are separated with podman. Therefore I
would argue that the security scope is limited to that of an ordinary user.
Hence it would be okay to expose the podman.sock to containers owned by that
same user.

Inside a rootless container, I would not be able to gain any elevation or
anything otherwise. Inside a rootless container I cannot do more than on the
outside. Therefore SELinux should not block read access. I don't think you ever
write to the Docker API, and blocking write access would make sense.

Is my reasoning flawed in any way and if so, how?
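
As an added example (not part of the bug report or of podman itself), the following Python script checks the premise the comment rests on before a socket is handed to a container: that the file at the podman.sock path really is a Unix socket, who owns it, whether it is root-owned or world-accessible, and what SELinux label it carries. The default path under /run/user/<uid>/podman/podman.sock is taken from the comment; falling back to XDG_RUNTIME_DIR is my assumption, and the socket the demo binds in a temporary directory is a constructed stand-in for the one systemd would create, so the script runs without podman installed.

```python
"""Inspect a podman.sock path: type, ownership, mode bits and SELinux label.

Added example, not code from the bug report or from podman. The temporary
socket bound by make_demo_socket() is a constructed stand-in for the real one.
"""
import os
import socket
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SocketReport:
    path: str
    is_socket: bool
    owner_uid: int
    owned_by_caller: bool
    root_owned: bool
    world_accessible: bool
    selinux_label: Optional[str]


def inspect_socket(path: str) -> SocketReport:
    """lstat() the path (symlinks are not followed) and report who owns it."""
    st = os.lstat(path)
    label = None
    if hasattr(os, "getxattr"):  # Linux only; the label lives in an xattr
        try:
            raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
            label = raw.decode(errors="replace").rstrip("\x00")
        except OSError:
            label = None  # no label: SELinux off or filesystem without xattrs
    return SocketReport(
        path=path,
        is_socket=stat.S_ISSOCK(st.st_mode),
        owner_uid=st.st_uid,
        owned_by_caller=(st.st_uid == os.getuid()),
        root_owned=(st.st_uid == 0),
        world_accessible=bool(st.st_mode & (stat.S_IROTH | stat.S_IWOTH)),
        selinux_label=label,
    )


def default_rootless_socket_path() -> str:
    """Path the comment gives for the user service's socket.

    Assumption: honour XDG_RUNTIME_DIR when set, else /run/user/<uid>.
    """
    runtime_dir = os.environ.get("XDG_RUNTIME_DIR", f"/run/user/{os.getuid()}")
    return os.path.join(runtime_dir, "podman", "podman.sock")


def make_demo_socket(directory: str) -> str:
    """Constructed stand-in: bind a real AF_UNIX socket as a user service would."""
    path = os.path.join(directory, "podman.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, 0o660)  # owner and group only, like a sane user socket
    s.close()  # the socket file persists on disk until it is unlinked
    return path


def demo() -> Tuple[SocketReport, SocketReport]:
    """Inspect a constructed socket and, for contrast, a plain regular file."""
    tmp = tempfile.mkdtemp(prefix="podsock-")
    try:
        sock_path = make_demo_socket(tmp)
        plain_path = os.path.join(tmp, "not-a-socket")
        with open(plain_path, "w") as fh:
            fh.write("constructed regular file\n")
        os.chmod(plain_path, 0o644)
        return inspect_socket(sock_path), inspect_socket(plain_path)
    finally:
        for name in os.listdir(tmp):
            os.unlink(os.path.join(tmp, name))
        os.rmdir(tmp)


if __name__ == "__main__":
    sock_report, file_report = demo()
    print("constructed socket:", sock_report)
    print("plain file:        ", file_report)
    real = default_rootless_socket_path()
    if os.path.exists(real):
        print("live socket:       ", inspect_socket(real))
    else:
        print(f"no live socket at {real}")
```

Run it as the unprivileged user that started the service; if the live socket reports root_owned=True or world_accessible=True, the "owned by the unprivileged user" premise does not hold on that host.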