Allow rpmdb to manage files on mounted container filesystems #450

Draft
lsm5 wants to merge 2 commits into containers:main from lsm5:rpmdb

Conversation


@lsm5 lsm5 commented Apr 8, 2026

Running rpmdb --rebuilddb --root=<container-mount-path> on a mounted container filesystem fails with the following error when SELinux is enforcing:

 error: can't create transaction lock on .../merged/var/lib/rpm/.rpm.lock (Permission denied)

The AVC denial is:

      avc: denied { search } for comm="rpmdb"
      scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
      tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir

The rpmdb_t domain needs access to:

  • container_var_lib_t dirs (to traverse /var/lib/containers/storage/)
  • container_ro_file_t dirs/files (to traverse overlay directories)
  • container_file_t dirs/files (to manage RPM database in the merged fs)

Additionally, rpmdb_t needs the object identity change exemption to satisfy the UBAC constraint when creating files/dirs. Container filesystems are created by the container runtime with user identity system_u, but rpmdb is invoked from an unconfined user session (unconfined_u). Without the exemption, the user identity mismatch causes constraint violations on create operations. The map permission on container_file_t files is also needed for sqlite shared memory mapping during database operations.

Fixes: RHEL-58185

Summary by Sourcery

Allow rpmdb to rebuild and manage RPM databases on mounted container filesystems under SELinux enforcement by granting appropriate SELinux permissions and exemptions to the rpmdb_t domain.

Bug Fixes:

  • Resolve SELinux permission denials that prevent rpmdb from creating its transaction lock and managing RPM DB files on container-mounted filesystems.

Enhancements:

  • Grant rpmdb_t access to container_var_lib_t, container_ro_file_t, and container_file_t paths so it can traverse container storage and operate on overlay and merged filesystems.
  • Add UBAC object identity change exemption and required mmap-related permissions (e.g., map on container_file_t) for rpmdb_t to support sqlite-backed RPM database operations on container filesystems.
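To triage denials like the one quoted in the description, the following script (an added example, not code from this pull request or from container-selinux) parses audit-style AVC records, groups the denied permissions per source domain, target type and object class into the allow rules a policy author would otherwise get from audit2allow, and flags create denials where the user identity of the process context differs from that of the object, which is the unconfined_u versus system_u mismatch described above. The audit records are constructed samples modelled on the denial in the description, joined onto single lines the way auditd writes them.

```python
"""Group SELinux AVC denials into candidate allow rules and constraint hints.

Added example for illustration; not code from this pull request or from
container-selinux. Operates on one-line AVC records as auditd emits them.
"""
import re
from collections import defaultdict

# Constructed sample audit records, modelled on the rpmdb denial quoted in
# the PR description. pid/ino/dev values are placeholders.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1712592000.001:101): avc: denied { search } for pid=4242 '
    'comm="rpmdb" name="storage" dev="dm-0" ino=12345 '
    'scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1712592000.002:102): avc: denied { read write open } for pid=4242 '
    'comm="rpmdb" name="rpmdb.sqlite" '
    'scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1712592000.003:103): avc: denied { map } for pid=4242 '
    'comm="rpmdb" name="rpmdb.sqlite-shm" '
    'scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1712592000.004:104): avc: denied { create } for pid=4242 '
    'comm="rpmdb" name=".rpm.lock" '
    'scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0',
]

# Captures the permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions governed by the user-identity constraint on object creation
# and relabeling; a denial here with mismatched users may be a constraint
# violation rather than a missing allow rule.
IDENTITY_PERMS = {'create', 'relabelto', 'relabelfrom'}


def parse_avc(line):
    """Return the fields a policy author needs from one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    suser, _srole, stype = m.group('scontext').split(':')[:3]
    tuser, _trole, ttype = m.group('tcontext').split(':')[:3]
    return {
        'perms': set(m.group('perms').split()),
        'suser': suser, 'stype': stype,
        'tuser': tuser, 'ttype': ttype,
        'tclass': m.group('tclass'),
    }


def summarize(lines):
    """Aggregate denials per (source type, target type, class) and collect the
    domains that hit identity-sensitive denials with a user-identity mismatch."""
    rules = defaultdict(set)
    identity_hints = set()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue  # not an AVC record (SYSCALL, CWD, PATH, ...)
        rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
        if d['suser'] != d['tuser'] and d['perms'] & IDENTITY_PERMS:
            identity_hints.add(d['stype'])
    return rules, identity_hints


def allow_rules(rules):
    """Render the aggregated denials as sorted allow rules (audit2allow style)."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in rules.items()
    )


if __name__ == "__main__":
    rules, hints = summarize(SAMPLE_AVC_LINES)
    for rule in allow_rules(rules):
        print(rule)
    for domain in sorted(hints):
        print(f"# {domain}: create denied with user-identity mismatch; "
              "check constraints (audit2why) before adding only allow rules")
```

The identity hint is a heuristic: a constraint violation produces the same AVC record as a missing allow rule, so the script can only point at the user mismatch; audit2why is what tells the two apart, and an exemption such as the one this PR adds is only warranted once that check confirms the constraint is the cause.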

lsm5 added 2 commits April 8, 2026 14:01
We want to use the latest packages for test jobs on upstream CI jobs.

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>

Running `rpmdb --rebuilddb --root=<container-mount-path>` on a mounted
container filesystem fails with the following error when SELinux is
enforcing:

  error: can't create transaction lock on
  .../merged/var/lib/rpm/.rpm.lock (Permission denied)

The AVC denial is:

  avc: denied { search } for comm="rpmdb"
  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
  tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir

The rpmdb_t domain needs access to:
- container_var_lib_t dirs (to traverse /var/lib/containers/storage/)
- container_ro_file_t dirs/files (to traverse overlay directories)
- container_file_t dirs/files (to manage RPM database in the merged fs)

Additionally, rpmdb_t needs the object identity change exemption to
satisfy the UBAC constraint when creating files/dirs. Container
filesystems are created by the container runtime with user identity
system_u, but rpmdb is invoked from an unconfined user session
(unconfined_u). Without the exemption, the user identity mismatch
causes constraint violations on create operations. The map permission
on container_file_t files is also needed for sqlite shared memory
mapping during database operations.

Fixes: RHEL-58185

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>

sourcery-ai Bot commented Apr 8, 2026

Reviewer's Guide

Updates SELinux policy to allow the rpmdb_t domain to manage RPM database files on mounted container filesystems and extends the test plan to cover this behavior.

File-Level Changes

Change: Extend SELinux container policy so rpmdb_t can traverse and manage RPM DB content under container storage paths, including UBAC exemptions and mmap support needed by sqlite.
Details:
  • Grant rpmdb_t search/traverse access to container_var_lib_t directories to access /var/lib/containers/storage paths.
  • Allow rpmdb_t to read and manage files and directories labeled container_ro_file_t and container_file_t for overlay and merged container filesystems.
  • Add object identity change (UBAC) constraint exemption for rpmdb_t so it can create and modify files/dirs owned by system_u under container labels when invoked by unconfined users.
  • Permit rpmdb_t to use the map permission on container_file_t (and related) files for sqlite-backed RPM DB shared memory mapping.
Files: container.te

Change: Update functional test metadata to validate rpmdb behavior on mounted container filesystems.
Details:
  • Add or adjust a test plan entry describing rpmdb rebuild operations on mounted container filesystems with SELinux enforcing.
  • Ensure the new SELinux permissions for rpmdb_t over container_* types are covered by the test matrix (e.g., RHEL-specific gating).
Files: plans/main.fmf

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces SELinux policy updates in container.te to allow rpmdb_t to manage container files and perform memory mapping. It also modifies the test plan in plans/main.fmf to include a package upgrade step during preparation. A review comment suggests explicitly including container_file_t in the gen_require block to ensure policy clarity and maintainability, as it is used directly in an allow rule.

Comment thread container.te
Comment on lines +1180 to +1182
gen_require(`
type rpmdb_t;
')
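Review bot: the gen_require at lines +1180 to +1182 pulls in rpmdb_t, a type that container.te does not define itself, so this block can only build and load on systems whose base policy ships the module that declares rpmdb_t. Unless the block already sits inside an optional_policy(`...') wrapper, wrap it so that the rest of the container module still loads where rpmdb_t is absent; that also makes the dependency on the distribution policy explicit, which bears on the question raised later in the thread of whether these rules belong in selinux-policy instead.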
medium

The container_file_t type is used directly in the allow rule on line 1188. While it is transitively required by the interfaces called within this block, it is better practice to explicitly include it in the gen_require block for clarity and to ensure the policy remains valid if the interfaces are refactored. This is consistent with how container_file_t is handled as an external type in other parts of this file (e.g., lines 943 and 1101).

	gen_require(`
		type rpmdb_t, container_file_t;
	')

@packit-as-a-service

Tests failed. @containers/packit-build please check.

rhatdan commented Apr 9, 2026

This policy change should go into selinux-policy not here.

lsm5 commented Apr 9, 2026

> This policy change should go into selinux-policy not here.

There seems to be precedent for init_t, systemd_logind_t and iptables_t here. Am I reading those wrong, or should those be moved to selinux-policy too?

rhatdan commented Apr 9, 2026

Let's open this up for discussion with fedora/selinux-policy, to see what they want to do.

lsm5 commented Apr 9, 2026

> Let's open this up for discussion with fedora/selinux-policy, to see what they want to do.

@wrabcak @zpytela ^
