RHEL-123749

Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: No error information


    • container-selinux-2.240.0-3.el9_7
    • Moderate
    • rhel-container-tools

      What were you trying to do that didn't work?

      I'm testing the podman APIv2 feature for rhel9.7 0day. I hit this issue when running the apiv2 tests. After "setenforce 0", this issue is no longer seen.

      Please provide the package NVR for which the bug is seen:

      podman-5.6.0-5.el9_7.x86_64
      container-selinux-2.240.0-2.el9_7.noarch

      How reproducible is this bug?

      always

      Steps to reproduce

      PODMAN=/usr/bin/podman PODMAN_SERVICE_PORT=8085 ./test-apiv2 20
      ============================= test session starts ==============================
      podman client -- curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.5.1 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
      Release-Date: 2021-04-14
      Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
      Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
      collected 1 items
      
      # started service, pid 64007
      ok 1 [20-containers] GET libpod/containers/json (at start: clean slate) : status=200
      ok 2 [20-containers] GET libpod/containers/json (at start: clean slate) : output=[]
      ok 3 [20-containers] GET libpod/containers/json (at start: clean slate) : length=0
      ok 4 [20-containers] header does not contain application/json ('HTTP/1.1 200 OK^M') ~ .*Content-Type: application/json.*
      ok 5 [20-containers] POST containers/foo/attach?logs=true&stream=false [-d {}] : status=200
      not ok 6 [20-containers] POST containers/foo/attach?logs=true&stream=false [-d {}] : output
      #  expected: hi-there-uTSqTT157iaZrv0
      #    actual: YError relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: No error information
      HError relocating /bin/sh: RELRO protection failed: No error information
      ok 7 [20-containers] vnd.docker.raw-stream docker v1.40 ('HTTP/1.1 200 OK^M') ~ .*Content-Type: application/vnd\.docker\.raw-stream.*
      not ok 8 [20-containers] POST /v1.42/containers/foo/attach?logs=true&stream=false [-d {}] : status
      #  expected: 200
      #    actual: 500
      #  response: {"cause":"no such container","message":"no container with ID ac7e061fe18891aa6d9039a21e0a8333c299c31a0bcd3ba85431d254ecad624d found in database: no such container","response":500}
      not ok 9 [20-containers] vnd.docker.multiplexed-stream docker v1.42
      #  expected: ~ .*Content-Type: application/vnd\.docker\.multiplexed-stream.*
      #    actual: HTTP/1.1 500 Internal Server Error
      Api-Version: 1.41
      Content-Type: application/json
      Libpod-Api-Version: 5.6.0
      Server: Libpod/5.6.0 (linux)
      X-Reference-Id: 0xc00007a448
      Date: Fri, 24 Oct 2025 03:06:42 GMT
      Content-Length: 180
      
      not ok 10 [20-containers] POST /v4.6.0/libpod/containers/foo/attach?logs=true&stream=false [-d {}] : status
      #  expected: 200
      #    actual: 404
      #  response: {"cause":"no such container","message":"no container with name or ID \"foo\" found: no such container","response":404}
      not ok 11 [20-containers] vnd.docker.raw-stream libpod v4.6.0
      #  expected: ~ .*Content-Type: application/vnd\.docker\.raw-stream.*
      #    actual: HTTP/1.1 404 Not Found
      Api-Version: 1.41
      Content-Type: application/json
      Libpod-Api-Version: 5.6.0
      Server: Libpod/5.6.0 (linux)
      X-Reference-Id: 0xc0008980d8
      Date: Fri, 24 Oct 2025 03:06:42 GMT
      Content-Length: 119
      
      not ok 12 [20-containers] POST /v4.7.0/libpod/containers/foo/attach?logs=true&stream=false [-d {}] : status
      #  expected: 200
      #    actual: 404
      #  response: {"cause":"no such container","message":"no container with name or ID \"foo\" found: no such container","response":404}
      not ok 13 [20-containers] vnd.docker.multiplexed-stream libpod v4.7.0
      #  expected: ~ .*Content-Type: application/vnd\.docker\.multiplexed-stream.*
      #    actual: HTTP/1.1 404 Not Found
      Api-Version: 1.41
      Content-Type: application/json
      Libpod-Api-Version: 5.6.0
      Server: Libpod/5.6.0 (linux)
      X-Reference-Id: 0xc00007a498
      Date: Fri, 24 Oct 2025 03:06:42 GMT
      Content-Length: 119
      
      not ok 14 [20-containers] POST containers/foo/attach?logs=true&stream=false [-d {}] : status
      #  expected: 101
      #    actual: 404
      #  response: {"cause":"no such container","message":"no container with name or ID \"foo\" found: no such container","response":404}
      not ok 15 [20-containers] hijacked connection header: Content-type: application/vnd.docker.raw-stream
      #  expected: ~ .*Content-Type: application/vnd\.docker\.raw-stream.*
      #    actual: HTTP/1.1 404 Not Found
      Api-Version: 1.41
      Content-Type: application/json
      Libpod-Api-Version: 5.6.0
      Server: Libpod/5.6.0 (linux)
      X-Reference-Id: 0xc00007a4b0
      Date: Fri, 24 Oct 2025 03:06:42 GMT
      Content-Length: 119
      
      not ok 16 [20-containers] hijacked connection header: Upgrade: tcp
      #  expected: ~ .*Upgrade: tcp.*
      #    actual: HTTP/1.1 404 Not Found
      Api-Version: 1.41
      Content-Type: application/json
      Libpod-Api-Version: 5.6.0
      Server: Libpod/5.6.0 (linux)
      X-Reference-Id: 0xc00007a4b0
      Date: Fri, 24 Oct 2025 03:06:42 GMT
      Content-Length: 119
      
      not ok 17 [20-containers] POST containers/foo/kill [-d {}] : status
      #  expected: 204
      #    actual: 404
      not ok 18 [20-containers] POST containers/foo/kill [-d {}]: 204 status returns no output
      #  expected: ''
      #    actual: {"cause":"no such container","message":"no container with name or ID \"foo\" found: no such container","response":404}
      Fatal error in /root/rpmbuild/SOURCES/containers-podman-c5a3735/test/apiv2/20-containers.at:53
      Log:
        >$ /usr/bin/podman pull quay.io/libpod/testimage:20241011
        >Trying to pull quay.io/libpod/testimage:20241011...
        >Getting image source signatures
        >Copying blob sha256:33b517cffde0ecb1f424f107b005cdfd614c467b9de2ad334970f800b77a4e70
        >Copying blob sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
        >Copying config sha256:b82e560ed57b77a897379e160371adcf1b000ca885e69c62cbec674777a83850
        >Writing manifest to image destination
        >b82e560ed57b77a897379e160371adcf1b000ca885e69c62cbec674777a83850
        >$ /usr/bin/podman tag quay.io/libpod/testimage:20241011 localhost/test/testformultitag:tag
        >$ /usr/bin/podman rm -a -f
        >$ /usr/bin/podman run --rm -d --replace --name foo quay.io/libpod/testimage:20241011 sh -c echo hi-there-uTSqTT157iaZrv0;sleep 42
        >ac7e061fe18891aa6d9039a21e0a8333c299c31a0bcd3ba85431d254ecad624d
        >$ /usr/bin/podman run --replace --name=foo -v /tmp:/tmp quay.io/libpod/testimage:20241011 true
        >Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: No error information
        >Error relocating /bin/true: RELRO protection failed: No error information
      Bailing.
      # stopped service, pid 64007
      test-apiv2: curl failure (7) on http://localhost:8085/v1.41/containers/foo/kill - cannot continue. args=-d {}
      

      Expected results

      The test cases should pass.

      Actual results

      The AVCs:

      ausearch -m avc
      ----
      time->Thu Oct 23 23:04:42 2025
      type=PROCTITLE msg=audit(1761275082.858:1647): proctitle=2F62696E2F7368002D63003E66696C6531
      type=SYSCALL msg=audit(1761275082.858:1647): arch=c000003e syscall=10 success=no exit=-13 a0=7fa3a959a000 a1=1000 a2=1 a3=7fa3a951d761 items=0 ppid=61007 pid=61016 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="sh" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c646,c953 key=(null)
      type=AVC msg=audit(1761275082.858:1647): avc:  denied  { read } for  pid=61016 comm="sh" path="/lib/ld-musl-x86_64.so.1" dev="dm-0" ino=1046125 scontext=system_u:system_r:container_t:s0:c646,c953 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
      ----
      time->Thu Oct 23 23:04:42 2025
      type=PROCTITLE msg=audit(1761275082.859:1648): proctitle=2F62696E2F7368002D63003E66696C6531
      type=SYSCALL msg=audit(1761275082.859:1648): arch=c000003e syscall=10 success=no exit=-13 a0=5619f75c3000 a1=4000 a2=1 a3=5619f74fe380 items=0 ppid=61007 pid=61016 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="sh" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c646,c953 key=(null)
      type=AVC msg=audit(1761275082.859:1648): avc:  denied  { read } for  pid=61016 comm="sh" path="/bin/busybox" dev="dm-0" ino=50878073 scontext=system_u:system_r:container_t:s0:c646,c953 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
      ----
      

       

              lmandvek Lokesh Mandvekar
              weshen Edward Shen
              Container Runtime Eng Bot Container Runtime Eng Bot
              Container Runtime Bugs Bot Container Runtime Bugs Bot