Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.14.z
Affects Version/s: 4.13
Component/s: Node / CRI-O
Labels:
- triaged

Severity:
Important
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
RH Private Keywords:
Target Version:

4.14.z
Target Backport Versions:

4.13.z, 4.14.z

SFDC Cases Counter:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:

Description of problem:

 SELinux blocking the operation on named pipe

Version-Release number of selected component (if applicable):

    4.13

How reproducible:

    every time

Steps to Reproduce:

    1.Have a container process create a named pipe and watch it
    2.
    3.

Actual results:

type=AVC msg=audit(1701720686.381:2648): avc:  denied  { watch } for  pid=2220051 comm="run_supervisord" path="/tmp/dtd/container_log_pipe" dev="tmpfs" ino=5 scontext=system_u:system_r:container_t:s0:c24,c27 tcontext=system_u:object_r:container_file_t:s0:c24,c27 tclass=fifo_file permissive=0".

Expected results:

    Expect that watch on a named pipe is not denied

Additional info:

    If customer adds a new rule as below, then it works fine.

require {
        type container_file_t;
        type container_t;
        class fifo_file watch;
}

clones

OCPBUGS-26493 SELinux blocking the operation on named pipe

Closed

is cloned by

OCPBUGS-29670 [4.13] SELinux blocking the operation on named pipe

Closed

links to

RHBA-2024:0837 OpenShift Container Platform 4.14.z bug fix update

Assignee:: Peter Hunt

Reporter:: Anand Paladugu

QA Contact:: Min Li

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/02/13 5:53 PM

Updated:: 2024/02/20 3:27 PM

Resolved:: 2024/02/20 3:27 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates