Description of problem:
SELinux blocking the operation on named pipe
Version-Release number of selected component (if applicable):
4.13
How reproducible:
every time
Steps to Reproduce:
1. Have a container process create a named pipe and watch it
Actual results:
type=AVC msg=audit(1701720686.381:2648): avc: denied { watch } for pid=2220051 comm="run_supervisord" path="/tmp/dtd/container_log_pipe" dev="tmpfs" ino=5 scontext=system_u:system_r:container_t:s0:c24,c27 tcontext=system_u:object_r:container_file_t:s0:c24,c27 tclass=fifo_file permissive=0
Expected results:
Expect that watch on a named pipe is not denied
Additional info:
If customer adds a new rule as below, then it works fine:

require {
	type container_file_t;
	type container_t;
	class fifo_file watch;
}
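Added here as an illustration, not from the report or from OpenShift: a small parser that derives the local policy module (what audit2allow -M would produce) from the AVC record above. The sample AVC line is constructed from the denial in the report, and the module name container_fifo_watch is a placeholder.

```python
import re
from collections import defaultdict

# AVC record constructed for this example; it carries the same fields as the denial in the report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1701720686.381:2648): avc: denied { watch } for pid=2220051 '
    'comm="run_supervisord" path="/tmp/dtd/container_log_pipe" dev="tmpfs" ino=5 '
    'scontext=system_u:system_r:container_t:s0:c24,c27 '
    'tcontext=system_u:object_r:container_file_t:s0:c24,c27 tclass=fifo_file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, object class, permissions) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third colon-separated field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def fmt_perms(perms):
    """Policy syntax: a single permission is bare, several are brace-enclosed."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_module(lines, name='container_fifo_watch'):
    """Aggregate denials into minimal .te module source (placeholder module name by default)."""
    rules = defaultdict(set)  # (source type, target type, class) -> permissions
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)  # class -> every permission the require block must declare
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {fmt_perms(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'
```

Compile the output with checkmodule -M -m, package it with semodule_package and load it with semodule -i, as for an audit2allow -M module. The resulting allow rule covers every container_file_t fifo for every container_t process, so confirm that scope is acceptable before loading it.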
Is cloned by: OCPBUGS-29431 [4.14] SELinux blocking the operation on named pipe (Closed)
Links to: RHSA-2023:7198 OpenShift Container Platform 4.15 security update