Andrea Veri's Blog - Planet GNOME

between

#!/bin/bash
# Description: SELinux MCS Diagnostic (crun vs krun)

if [ "$(getenforce)" != "Enforcing" ]; then
 echo "WARNING: SELinux is not in Enforcing mode. This test requires Enforcing mode."
 exit 1
fi

TEST_BASE="/tmp/gitlab-runner-mcs-test"
CRUN_DIR="$TEST_BASE/crun-builds"
KRUN_DIR="$TEST_BASE/krun-builds"

# Cleanup from previous runs
rm -rf "$TEST_BASE"
mkdir -p "$CRUN_DIR" "$KRUN_DIR"

echo "======================================================="
echo " TEST 1: Standard Container Isolation (crun)"
echo "======================================================="

# 1. CREATE Helper
podman create --name crun-helper -v "$CRUN_DIR:/builds:Z" fedora bash -c "
 echo '[crun] -> Helper Process Context (Inside):'
 cat /proc/self/attr/current
 echo 'crun-data' > /builds/artifact.txt
 echo '[crun] -> File Label INSIDE Helper:'
 ls -Z /builds/artifact.txt
" > /dev/null

echo "[crun] Starting Helper Container (applying :Z relabel)..."
HELPER_HOST_LABEL_CRUN=$(podman inspect -f '{{.ProcessLabel}}' crun-helper)
echo "[crun] -> HOST METADATA: Podman assigned process label: $HELPER_HOST_LABEL_CRUN"
podman start -a crun-helper

echo ""
echo "[crun] -> File Label ON HOST (Notice the specific MCS category):"
ls -Z "$CRUN_DIR/artifact.txt"

# 2. CREATE Build Container (The Victim)
podman create --name crun-build -v "$CRUN_DIR:/builds" fedora bash -c "
 echo ' [Build-Internal] Process Context:'
 cat /proc/self/attr/current 2>/dev/null
 echo ' [Build-Internal] Executing ls -laZ /builds :'
 ls -laZ /builds 2>&1 | sed 's/^/ /'
 echo ' [Build-Internal] Executing cat /builds/artifact.txt :'
 cat /builds/artifact.txt 2>&1 | sed 's/^/ /'
" > /dev/null

echo ""
echo "[crun] Starting Build Container to inspect shared volume..."
BUILD_HOST_LABEL_CRUN=$(podman inspect -f '{{.ProcessLabel}}' crun-build)
echo "[crun] -> HOST METADATA: Podman assigned process label: $BUILD_HOST_LABEL_CRUN"
podman start -a crun-build

podman rm -f crun-helper crun-build > /dev/null

echo ""
echo "======================================================="
echo " TEST 2: MicroVM Isolation (libkrun / virtio-fs) FIXED"
echo "======================================================="

# --- Write the execution scripts to the host to avoid parsing errors ---
cat << 'EOF' > "$TEST_BASE/krun_helper.sh"
#!/bin/bash
echo '[krun] -> Helper Process Context (Inside VM):'
cat /proc/self/attr/current 2>/dev/null || echo ' (SELinux disabled/unavailable in guest kernel)'
echo 'krun-data' > /builds/artifact.txt
echo '[krun] -> File Label INSIDE Helper VM (Blindspot):'
ls -laZ /builds/artifact.txt 2>&1 | sed 's/^/ /'
EOF

cat << 'EOF' > "$TEST_BASE/krun_build.sh"
#!/bin/bash
echo ' [Build-Internal] Process Context (Inside VM):'
cat /proc/self/attr/current 2>/dev/null || echo ' (SELinux disabled/unavailable in guest kernel)'
echo ' [Build-Internal] Executing ls -laZ /builds :'
ls -laZ /builds 2>&1 | sed 's/^/ /'
echo ' [Build-Internal] Executing cat /builds/artifact.txt :'
cat /builds/artifact.txt 2>&1 | sed 's/^/ /'
EOF

chmod +x "$TEST_BASE/krun_helper.sh" "$TEST_BASE/krun_build.sh"
# ---------------------------------------------------------------------

# 1. CREATE Helper MicroVM
podman create --name krun-helper --runtime krun --memory=1024m \
 -v "$KRUN_DIR:/builds:Z" \
 -v "$TEST_BASE/krun_helper.sh:/script.sh:ro,Z" \
 fedora /script.sh > /dev/null

echo "[krun] Starting Helper MicroVM (applying :Z relabel)..."
HELPER_HOST_LABEL_KRUN=$(podman inspect -f '{{.ProcessLabel}}' krun-helper)
echo "[krun] -> HOST METADATA: Podman assigned process label: $HELPER_HOST_LABEL_KRUN"
podman start -a krun-helper

echo ""
echo "[krun] -> File Label ON HOST (Podman applied the helper's MCS category via :Z):"
ls -Z "$KRUN_DIR/artifact.txt"

# 2. CREATE Build MicroVM (The Victim)
podman create --name krun-build --runtime krun --memory=1024m \
 -v "$KRUN_DIR:/builds" \
 -v "$TEST_BASE/krun_build.sh:/script.sh:ro,Z" \
 fedora /script.sh > /dev/null

echo ""
echo "[krun] Starting Build MicroVM to inspect shared volume..."
BUILD_HOST_LABEL_KRUN=$(podman inspect -f '{{.ProcessLabel}}' krun-build)
echo "[krun] -> HOST METADATA: Podman assigned process label: $BUILD_HOST_LABEL_KRUN"
echo " *** THE virtiofsd DAEMON ON THE HOST IS TRAPPED IN THIS CONTEXT ***"
podman start -a krun-build

# Cleanup
podman rm -f krun-helper krun-build > /dev/null

echo ""
echo "======================================================="
echo " Test Complete."

Subject	Object	Access?	Why
`s0:c100,c200`	`s0:c100,c200`	Yes	Exact match
`s0:c100,c200`	`s0:c100`	Yes	Subject’s categories are a superset
`s0:c100,c200`	`s0:c100,c300`	No	Subject lacks `c300`
`s0:c0.c1023`	`s0:c100,c200`	Yes	Full range dominates everything
`s0`	`s0:c100,c200`	No	No categories can’t dominate any
`s0`	`s0`	Yes	Both have no categories

Andrea Veri's Blog - Planet GNOME

SELinux MCS challenges with GitLab Runners

Table of Contents

Introduction

The MCS problem

The test script

GitLab’s official suggestion and why it falls short

How GNOME currently handles this

Exploring libkrun

Firecracker and the custom executor path

What comes next

CVE-2026-31431

GNOME GitLab Git traffic caching

Table of Contents

Introduction

The problem

Architecture overview

The VCL layer

The POST-to-GET conversion

Protecting private repositories

The Lua layer

Debugging the rollout

How we got here

Iteration 1: Separate CDN service with Lua-driven caching

Iteration 2: Edge caching with CI runner participation

Conclusions

2024 GNOME Infrastructure Annual Review

Table of Contents

1. Introduction

2. Achievements

2.1. Major achievements

2.2. Minor achievements

2.3 Minor annoyances/bugs that were also fixed in 2024

2.3. Our brand new and renewed partnerships

Expressing my gratitude

GNOME Infrastructure migration to AWS

1. Some historical background

Recent challenges

Migration to AWS

2022 GNOME Infrastructure Annual Review

1. Introduction

2. Achievements

2.1. Major achievements

2.2. Minor achievements

2.3. Our brand new and renewed partnerships

3. Highlights

3.1. Openshift 4: architecture

3.2. Openshift 4: virtualization networking

3.3. Openshift 4: image builds

3.4. Openshift 4: cluster backups

3.5. GitLab on Openshift 4: setup

3.6. GitLab on Openshift 4: early days

3.7. GitLab on Openshift 4: logging

Future plans

Expressing my gratitude

GNOME Infrastructure updates

New Data Center

RHEL 8 and Ansible

Openshift

Special thanks

The GNOME Infrastructure is moving to Openshift

Architecture

SSL Termination

App migrations

Back from GUADEC 2018

GNOME Foundation hirings

cgit to GitLab

Future plans

Misc

Adding reCAPTCHA v2 support to Mailman

A childhood’s dream

Three years and counting

The GNOME Infrastructure Apprentice Program

Kerberos over HTTP: getting a TGT on a firewalled network

The GNOME Infrastructure’s FreeIPA move behind the scenes

The GNOME case

What were we looking for as a replacement for the current setup?

The Migration process – RFC2307 vs RFC2307bis

The Migration process – Extending the directory server with custom schemas

The Migration process – Own SSL certificates for HTTPD