Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-26493

SELinux blocking the operation on named pipe

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • 4.15.0
    • 4.13
    • Node / CRI-O
    • Important
    • No
    • False
    • Hide

      None

      Show
      None

      Description of problem:

       SELinux blocking the operation on named pipe   

      Version-Release number of selected component (if applicable):

          4.13

      How reproducible:

          every time

      Steps to Reproduce:

          1.Have a container process create a named pipe and watch it
          2.
          3.
          

      Actual results:

      type=AVC msg=audit(1701720686.381:2648): avc:  denied  { watch } for  pid=2220051 comm="run_supervisord" path="/tmp/dtd/container_log_pipe" dev="tmpfs" ino=5 scontext=system_u:system_r:container_t:s0:c24,c27 tcontext=system_u:object_r:container_file_t:s0:c24,c27 tclass=fifo_file permissive=0".

      Expected results:

          Expect that watch on a named pipe is not denied

      Additional info:

          If customer adds a new rule as below, then it works fine.
      
      require {
              type container_file_t;
              type container_t;
              class fifo_file watch;
      }

              pehunt@redhat.com Peter Hunt
              anand.paladugu Anand Paladugu
              Sunil Choudhary Sunil Choudhary
              Votes:
              0 Vote for this issue
              Watchers:
              17 Start watching this issue

                Created:
                Updated:
                Resolved: