
SELinux container_logreader_t cannot watch /var/log symlinks


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.19.0
    • 4.13, 4.12, 4.14, 4.15, 4.16, 4.17, 4.18, 4.19
    • Node / CRI-O
    • Quality / Stability / Reliability
    • False
    • None
    • None
    • Moderate
    • None
    • Rejected
    • OCP Node Sprint 266 (Green), OCP Node Sprint 267 (Green), OCP Node Sprint 268 (Green), OCP Node Sprint 270 (Green), OCP Node Sprint 271 (Green)
    • 5
    • Done
    • Bug Fix
    • Previously, containers using the `container_logreader_t` SELinux domain to watch container logs on the host at /var/log could not access the logs. This was because the logs in `/var/log/containers` were symbolic links. With this fix, containers can watch logs as expected. (link:https://issues.redhat.com/browse/OCPBUGS-48555[OCPBUGS-48555])
    • None
    • None
    • None
    • None

      Description of problem:

          A container using the SELinux domain container_logreader_t to watch container logs on the host at /var/log cannot access the logs in /var/log/containers, because those entries are symbolic links to /var/log/pods. All other log files in /var/log are accessible; only the ones that are symlinks are not.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          100%

      Steps to Reproduce:

          1. Create symlinks in /var/log
          2. Run a process in the container_logreader_t domain
          3. Attempt to follow the symlinks in order to watch attributes on the target files

      Actual results:

          Permission denied

      Expected results:

          No permission issues
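      The following is an added example, not part of this bug report, showing how to confirm the symptom from a node's audit log: it parses AVC records and flags denials where the source domain is container_logreader_t and the target class is lnk_file (the symlink itself, which must be readable before the file behind it can be watched). The audit lines are constructed; the target type var_log_t, the process name and the file name are assumptions and not taken from the report.

```python
import re

# Constructed sample audit records (not from the bug report). Line 1 is the kind
# of denial the symptom produces: the log reader domain is refused "read" on a
# lnk_file under /var/log. Line 2 is an unrelated denial on a plain file from a
# different domain, line 3 is a granted access; neither should be flagged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1738000000.101:201): avc:  denied  { read } for  pid=4242 comm="fluentd" name="app_default_web-1234.log" dev="sda4" ino=9001 scontext=system_u:system_r:container_logreader_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1738000000.102:202): avc:  denied  { write } for  pid=4243 comm="someapp" name="foo" dev="sda4" ino=9002 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1738000000.103:203): avc:  granted  { read } for  pid=4242 comm="fluentd" name="messages" dev="sda4" ino=9003 scontext=system_u:system_r:container_logreader_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

# Standard AVC record layout: verdict, permission set in braces, then the
# source/target security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def symlink_denials(log_text, domain="container_logreader_t"):
    """Denials where `domain` was refused access to a symlink (tclass=lnk_file)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["verdict"] == "denied"
                and rec["stype"] == domain and rec["tclass"] == "lnk_file"):
            hits.append(rec)
    return hits


def allow_rule(rec):
    """Render the allow rule that would cover one denial, in the same shape
    audit2allow prints, so the gap can be compared against the shipped policy."""
    return "allow {} {}:{} {{ {} }};".format(
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


if __name__ == "__main__":
    for rec in symlink_denials(SAMPLE_AUDIT_LOG):
        print("symlink denial:", rec["scontext"], "->", rec["tcontext"])
        print("  rule needed:", allow_rule(rec))
```

      On a real node, feed the script the output of `ausearch -m AVC` instead of the constructed sample. Once a fixed policy is installed, the positive check is `sesearch -A -s container_logreader_t -c lnk_file -p read`, which should list a rule covering the target type of the symlinks under /var/log.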

      Additional info:

       

              Peter Hunt (pehunt@redhat.com)
              Hidematsu Sueki (Inactive)
              Aditi Sahay
              IBM Employee
              Votes: 0
              Watchers: 16