Bug
Resolution: Unresolved
Minor
4.20.z
Description of problem:
Attempting to run a container within a Pod in OCP 4.20.3 encounters SELinux denials that did not occur in 4.20.2:
type=PROCTITLE msg=audit(1763571004.780:1997): proctitle=2F7573722F62696E2F7061737461002D2D636F6E6669672D6E6574002D7400383038302D383038303A38302D3830002D2D646E732D666F7277617264003136392E3235342E312E31002D75006E6F6E65002D54006E6F6E65002D55006E6F6E65002D2D6E6F2D6D61702D6777002D2D7175696574002D2D6E65746E73002F746D
type=SYSCALL msg=audit(1763571004.780:1997): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5654d901ecc5 a2=80802 a3=0 items=0 ppid=348087 pid=348093 auid=4294967295 uid=4218029032 gid=4218029032 euid=4218029032 suid=4218029032 fsuid=4218029032 egid=4218029032 sgid=4218029032 fsgid=4218029032 tty=pts0 ses=4294967295 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" subj=system_u:system_r:container_engine_t:s0:c10,c30 key=(null)
type=AVC msg=audit(1763571004.780:1997): avc: denied { read write } for pid=348093 comm="pasta.avx2" name="tun" dev="devtmpfs" ino=171 scontext=system_u:system_r:container_engine_t:s0:c10,c30 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
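Decoding the three records above by hand is error-prone (the proctitle is hex-encoded, the open flags are in a2, and the exit code is a negated errno), so here is an added worked example that does it programmatically. It is not part of this bug report, of the passt/pasta project, or of OpenShift; it copies the three audit lines from the report as constructed input, and it assumes x86_64 syscall and open(2) flag numbering (arch=c000003e, syscall 257 = openat). Function and constant names are the example's own.

```python
import errno
import re

# Constructed copy of the three records quoted in this bug report: the
# PROCTITLE, SYSCALL and AVC lines of audit event 1763571004.780:1997.
AUDIT_LINES = [
    'type=PROCTITLE msg=audit(1763571004.780:1997): proctitle=2F7573722F62696E2F7061737461002D2D636F6E6669672D6E6574002D7400383038302D383038303A38302D3830002D2D646E732D666F7277617264003136392E3235342E312E31002D75006E6F6E65002D54006E6F6E65002D55006E6F6E65002D2D6E6F2D6D61702D6777002D2D7175696574002D2D6E65746E73002F746D',
    'type=SYSCALL msg=audit(1763571004.780:1997): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5654d901ecc5 a2=80802 a3=0 items=0 ppid=348087 pid=348093 auid=4294967295 uid=4218029032 gid=4218029032 euid=4218029032 suid=4218029032 fsuid=4218029032 egid=4218029032 sgid=4218029032 fsgid=4218029032 tty=pts0 ses=4294967295 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" subj=system_u:system_r:container_engine_t:s0:c10,c30 key=(null)',
    'type=AVC msg=audit(1763571004.780:1997): avc: denied { read write } for pid=348093 comm="pasta.avx2" name="tun" dev="devtmpfs" ino=171 scontext=system_u:system_r:container_engine_t:s0:c10,c30 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0',
]

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r'avc: +denied +\{([^}]*)\}')

# Assumption: x86_64 (arch=c000003e). Syscall numbers and open(2) flag bits
# from asm-generic/fcntl.h; only the subset needed to decode a2 is listed.
SYSCALL_NAMES_X86_64 = {'2': 'open', '257': 'openat'}
OPEN_FLAGS = [
    (0o1, 'O_WRONLY'), (0o2, 'O_RDWR'), (0o100, 'O_CREAT'), (0o200, 'O_EXCL'),
    (0o400, 'O_NOCTTY'), (0o1000, 'O_TRUNC'), (0o2000, 'O_APPEND'),
    (0o4000, 'O_NONBLOCK'), (0o10000, 'O_DSYNC'), (0o40000, 'O_DIRECT'),
    (0o100000, 'O_LARGEFILE'), (0o200000, 'O_DIRECTORY'),
    (0o400000, 'O_NOFOLLOW'), (0o1000000, 'O_NOATIME'), (0o2000000, 'O_CLOEXEC'),
]


def parse_record(line):
    """Split one audit line into type, timestamp, serial and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f'not an audit record: {line[:40]!r}')
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    rec = {'type': rtype, 'timestamp': ts, 'serial': int(serial), 'fields': fields}
    if rtype == 'AVC':
        d = DENIED_RE.search(body)
        rec['perms'] = d.group(1).split() if d else []
    return rec


def group_events(lines):
    """Group records by audit serial so PROCTITLE/SYSCALL/AVC can be correlated."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec['serial'], {})[rec['type']] = rec
    return events


def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NULs; split it back into argv.
    The kernel caps proctitle at 128 bytes, so the last element may be truncated."""
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace').split('\0')
    return [value]


def decode_open_flags(a2_hex):
    """Turn the raw a2 argument of open/openat into flag names."""
    val = int(a2_hex, 16)
    names = [name for bit, name in OPEN_FLAGS if val & bit]
    if val & 0o3 == 0:  # O_RDONLY is 0, so it only shows when neither write bit is set
        names.insert(0, 'O_RDONLY')
    return names


def summarize(event):
    """Reduce one correlated event to the fields a policy triage needs."""
    avc, sc = event['AVC'], event['SYSCALL']
    f = sc['fields']
    rc = int(f['exit'])
    is_open = f.get('arch') == 'c000003e' and f['syscall'] in SYSCALL_NAMES_X86_64
    return {
        'comm': avc['fields']['comm'],
        'exe': f['exe'],
        'argv': decode_proctitle(event['PROCTITLE']['fields']['proctitle']) if 'PROCTITLE' in event else [],
        'syscall': SYSCALL_NAMES_X86_64.get(f['syscall'], f['syscall']) if f.get('arch') == 'c000003e' else f['syscall'],
        'errno': errno.errorcode.get(-rc, str(rc)) if rc < 0 else 'success',
        'open_flags': decode_open_flags(f['a2']) if is_open else [],
        'scontext_type': avc['fields']['scontext'].split(':')[2],
        'tcontext_type': avc['fields']['tcontext'].split(':')[2],
        'tclass': avc['fields']['tclass'],
        'target': avc['fields']['name'],
        'perms': avc['perms'],
        'permissive': avc['fields']['permissive'] == '1',
    }


if __name__ == '__main__':
    for serial, ev in group_events(AUDIT_LINES).items():
        s = summarize(ev)
        print(f"{serial}: {s['comm']} ({s['scontext_type']}) {s['syscall']}({' | '.join(s['open_flags'])}) "
              f"on {s['tclass']} '{s['target']}' ({s['tcontext_type']}) denied {{ {' '.join(s['perms'])} }} "
              f"-> {s['errno']}, permissive={s['permissive']}")
        print('  argv:', ' '.join(s['argv']))
```

Run against the quoted records, this shows the openat of /dev/net/tun was attempted with O_RDWR|O_NONBLOCK|O_CLOEXEC and failed with EACCES, and that the decoded argv is the pasta command line (`/usr/bin/pasta --config-net -t 8080-8080:80-80 --dns-forward 169.254.1.1 -u none -T none -U none --no-map-gw --quiet --netns /tm`, cut off at the 128-byte proctitle limit). On the node itself, `ausearch -i -m AVC` performs the same decoding; to check whether the installed policy grants `container_engine_t` the access at all, `sesearch -A -s container_engine_t -t tun_tap_device_t -c chr_file` (from setools) lists the matching allow rules, and comparing its output between a 4.20.2 and a 4.20.3 node is the quickest way to confirm whether the policy or the process label changed between the two releases.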
Version-Release number of selected component (if applicable):
4.20.3
How reproducible:
Always
Steps to Reproduce:
Follow the steps in https://github.com/cgruver/ocp-4-20-user-namespaces up to the podman run. Observe the error.
Actual results:
Expected results:
Additional info: