OpenShift Bugs / OCPBUGS-48555

SELinux container_logreader_t cannot watch /var/log symlinks


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version: 4.19.0
    • Affects Versions: 4.12, 4.13, 4.14, 4.15, 4.16, 4.17, 4.18, 4.19
    • Component: Node / CRI-O
    • Severity: Moderate
    • Sprints: OCP Node Sprint 266 (Green), OCP Node Sprint 267 (Green), OCP Node Sprint 268 (Green)
    • Release Note Text: Fix a bug where containers with the SELinux label container_logreader_t couldn't access /var/log/containers
    • Release Note Type: Bug Fix
    • Status: In Progress

Description of problem:

A container using the SELinux domain container_logreader_t to watch container logs on the host under /var/log cannot access the logs in /var/log/containers, because those entries are symbolic links to /var/log/pods. All other log files in /var/log are accessible; only the ones that are symlinks are not.

Version-Release number of selected component (if applicable):

How reproducible:

100%

Steps to Reproduce:

1. Create symlinks in /var/log
2. Use container_logreader_t
3. Attempt to follow the symlinks to watch attributes on the files

Actual results:

Permission denied
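To confirm on an affected host that the "Permission denied" is this SELinux symptom and not an ordinary filesystem error, the following added example (not part of the bug report) filters audit AVC records for denials where container_logreader_t is refused access to a symlink; the sample records, the tail process, pids, inodes and file names are constructed.

```shell
#!/bin/sh
# Added triage helper, not code from the bug report. It scans audit AVC records
# for the symptom this bug describes: the container_logreader_t domain being
# denied access to a symlink (tclass=lnk_file) such as /var/log/containers/*.log.
# On a real host you would feed it `ausearch -m AVC -ts recent` output instead
# of the constructed sample below (all pids, inodes and names are made up).

SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="tail" name="app_0.log" dev="sda1" ino=99 scontext=system_u:system_r:container_logreader_t:s0:c1,c2 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { write } for  pid=1235 comm="sh" name="x" scontext=system_u:system_r:container_t:s0:c3,c4 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  granted  { read } for  pid=1234 comm="tail" name="0.log" scontext=system_u:system_r:container_logreader_t:s0:c1,c2 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# Read AVC records on stdin; print "<permissions> <comm> <target type>" for each
# denial whose source domain is container_logreader_t and whose target is a symlink.
# Denials of other domains, other object classes, and granted records are ignored.
logreader_symlink_denials() {
    grep -E 'avc: +denied' \
      | grep 'scontext=[^ ]*:container_logreader_t:' \
      | grep 'tclass=lnk_file' \
      | sed -n 's/.*{ \([a-z_ ]*\) }.*comm="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2 \3/p'
}

# Number of matching denials in the constructed sample (expected: 1).
count_sample_denials() {
    printf '%s\n' "$SAMPLE_AVC" | logreader_symlink_denials | wc -l | tr -d ' '
}

# A non-zero count on real audit output means the loaded policy still denies
# container_logreader_t access to var_log_t symlinks, i.e. this bug applies.
```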

Expected results:

No permission issues

Additional info:

People: Peter Hunt (pehunt@redhat.com), Hidematsu Sueki, Cameron Meadors