Starting lxd triggers SELinux error: "avc: denied { nosuid_transition }"

[ganto]

When starting the lxd service on a Fedora 27 with SELinux enabled, the following AVC is triggered:

type=AVC msg=audit(1527521822.187:967): avc:  denied  { nosuid_transition } for  pid=21577 comm="lxd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=process2 permissive=1

However, the service is still successfully started and no loss of functionality could be experienced so far.

[ganto]

It seems the issue is caused by /var being mounted with the nosuid option on my system:

• SELinux Transitions do not happen on mountpoints mounted with nosuid
• Applications do not transition on a nosuid-mounted partition

Removing the nosuid option makes the AVC go away.

[ganto]

Now I was reading Teaching an old dog new tricks what seems to be a nice fix for this issue without the requirement to give up the nosuid mount option:

nosuid_transition

While I was looking at the nnp_transition rules, I noticed that there was also a nosuid_transition permission. nosuid allows people to mount a file system with nosuid flag, this tells the kernel that even if a setuid application exists on this file system, the kernel should ignore it and not allow a process to gain privilege via the file. You always want untrusted file systems like usb sticks to be mounted with this flag. Well SELinux systems similarly ignore transition rules on labels based on a nosuid file system. Similar to nnp_transition, this blocks a process from transition from a privileged domain to a less privileged domain. But the nosuid_transtion flag allows us to tell the kernel to allow transitions from one domain to another even if the file system is marked nosuid.

allow container_runtime_t confined_t:process2 nosuid_transition;
allow unconfined_t container_t:process2 nosuid_transition;

This means that even if a user used podman to execute a file on a nosuid file system it would be allowed to transition from the unconfined_t to container_t.

It looks to me as this should be available in container-selinux since version 2.57 (containers/container-selinux@2377c73). Still I'm seeing this error with container-selinux-2.60-1.git97f8dfc.fc27.noarch.

Must be an uncovered label combination in case of LXD... @Conan-Kudo any hint on this?