Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: rhel-10.2
Component/s: container-selinux
Labels:
- rhel-container-tools

Regression:
None
Severity:
Important

AssignedTeam:
rhel-container-tools

Story Points:
3
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None
Target Backport Versions:

rhel-9.6

Preliminary Testing:
None
Test Coverage:
None

ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:
Architecture:

x86_64

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:

    Running sshd inside a container which is running with hostUsers: false and the container_engine_t selinux type.  Connections will fail because sshd is not allowed to write to the audit log.

Version-Release number of selected component (if applicable):

How reproducible:

    Always

Steps to Reproduce:

https://github.com/cgruver/devspaces-sshd-sandbox/blob/main/reproducer.md

Actual results:

Expected results:

Additional info:

    The issue is resolved by adding the following to container_engine_t

require {
	type container_engine_t;
	class netlink_audit_socket nlmsg_relay;
}

#============= container_engine_t ==============
allow container_engine_t self:netlink_audit_socket nlmsg_relay;

clones

OCPBUGS-64730 Seliinux type container_engine_t is missing permissions to allow write to audit log

POST

Assignee:: Lokesh Mandvekar

Reporter:: Charro Gruver

Developer:: Container Runtime Eng Bot

QA Contact:: Container Runtime Bugs Bot

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/11/17 9:33 PM

Updated:: 2025/11/18 4:26 PM

Stale Date:: 2026/11/16

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates