Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.19.0
Affects Version/s: 4.13, 4.12, 4.14, 4.15, 4.16, 4.17, 4.18, 4.19
Component/s: Node / CRI-O
Labels:
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
None

Target Backport Versions:

4.15, 4.16, 4.17, 4.18
Target Version:

4.19.0, 4.19
Release Blocker:
Rejected
Sprint:
OCP Node Sprint 266 (Green), OCP Node Sprint 267 (Green), OCP Node Sprint 268 (Green), OCP Node Sprint 270 (Green), OCP Node Sprint 271 (Green)
sprint_count:
5

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, containers using the `container_logreader_t` SELinux domain to watch container logs on the host at /var/log could not access the logs. This was because the logs in `var/log/containers` were symbolic links. With this fix, containers can watch logs as expected. (link:https://issues.redhat.com/browse/OCPBUGS-48555[~~OCPBUGS-48555~~])

Show
* Previously, containers using the `container_logreader_t` SELinux domain to watch container logs on the host at /var/log could not access the logs. This was because the logs in `var/log/containers` were symbolic links. With this fix, containers can watch logs as expected. (link: https://issues.redhat.com/browse/OCPBUGS-48555 [ OCPBUGS-48555 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    A container using the SELinux domain of container_logreader_t to watch container logs on the host at /var/log cannot access the logs from /var/log/containers since those logs are a symbolic link to /var/log/pods.  All other log files in /var/log are accessible just not ones that are symlinks.

Version-Release number of selected component (if applicable):

How reproducible:

    100%

Steps to Reproduce:

    1. Create symlinks in /var/log
    2. Use container_logreader_t
    3. Attempt follow symlinks to watch attributes on files

Actual results:

    Permission denied

Expected results:

    No permission issues

Additional info:

is cloned by

OCPBUGS-54342 [4.18] SELinux container_logreader_t cannot watch /var/log symlinks

Closed

relates to

RHEL-85433 SELinux container_logreader_t cannot watch /var/log symlinks - [RHEL 9.7]

Release Pending

RHEL-85434 SELinux container_logreader_t cannot watch /var/log symlinks - [RHEL 9.6] 0day

Closed

RHEL-85435 SELinux container_logreader_t cannot watch /var/log symlinks - [RHEL 10.0] 0day

Closed

links to

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

Assignee:: Peter Hunt

Reporter:: Hidematsu Sueki (Inactive)

Need Info From:: None

Contributors:: None

QA Contact:: Aditi Sahay

Doc Contact:: None

Contributing Groups:: IBM Employee

Votes:: 0 Vote for this issue

Watchers:: 16 Start watching this issue

Created:: 2025/01/17 1:20 PM

Updated:: 2025/07/17 1:10 PM

Resolved:: 2025/06/17 4:52 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates