RHEL-3103

Rootless Podman on RHEL8 as user_u returns exec /bin/bash: permission denied


    • Type: Bug
    • Resolution: Obsolete
    • Priority: Normal
    • Affects Version: rhel-8.6.0
    • Component: podman
    • Severity: Important
    • rhel-container-tools

      Description of problem:

      The Defense Information Systems Agency released a new Security Technical Implementation Guide for RHEL8 for Q4 2022. This version, V1R8, introduces a new requirement: all administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization.

      As such, implementing this requirement prevents users from being able to create containers from container images.

      Version-Release number of selected component (if applicable):

      RHEL8.6
      4.18.0-372.26.1.el8_6.x86_64

      Podman: podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64

      How reproducible:

      Works with every container I try to import and run.

      Steps to Reproduce:
      1. Map all applicable admins to the staff_u role: semanage login -a -s staff_u <username>
      2. Set the default SELinux context to user_u: semanage login -m -s user_u -r s0 _default_
      3. Perform a SELinux relabel
      4. Reboot
      5. On a system with an active internet connection, pull an image and save it to a tarball: sudo docker save -o ~/Downloads/ubi9.tar registry.access.redhat.com/ubi9/ubi:latest
      6. Transfer tarball to the airgapped RHEL8 system
      7. As a regular user, load the tarball: podman load < ./ubi9.tar
      8. Test to see if container works: podman run -it registry.access.redhat.com/ubi9/ubi:latest /bin/bash

      Actual results:

      Encounter permission denied error

      [rparker70_user@rhel8swtest ~]$ podman run -it registry.access.redhat.com/ubi9/ubi:latest /bin/bash
      exec /bin/bash: permission denied

      Expected results:

      The user should be able to run a podman container.

      Additional info:

      The only additional SELinux error I could find is below:

      --------------------------------------------------------------------------------

      SELinux is preventing /usr/bin/podman from using the rlimitinh access on a process.

              • Plugin catchall (100. confidence) suggests **************************

      If you believe that podman should be allowed rlimitinh access on processes labeled container_runtime_t by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'podman' --raw | audit2allow -M my-podman
      # semodule -X 300 -i my-podman.pp

      Additional Information:
      Source Context user_u:user_r:user_t:s0
      Target Context user_u:user_r:container_runtime_t:s0
      Target Objects /usr/bin/podman [ process ]
      Source podman
      Source Path /usr/bin/podman
      Port <Unknown>
      Host rhel8swtest.scd.secret
      Source RPM Packages podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
      Target RPM Packages podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
      SELinux Policy RPM selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
      Local Policy RPM selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
      Selinux Enabled True
      Policy Type targeted
      Enforcing Mode Enforcing
      Host Name rhel8swtest.scd.secret
      Platform Linux rhel8swtest.scd.secret 4.18.0-372.26.1.el8_6.x86_64 #1 SMP Sat Aug 27 02:44:20 EDT 2022 x86_64 x86_64
      Alert Count 2
      First Seen 2022-11-14 09:21:17 EST
      Last Seen 2022-11-14 09:22:40 EST
      Local ID 8c48533a-4295-4cb3-9398-d3b9220bff0d

      Raw Audit Messages
      type=AVC msg=audit(1668435760.293:5993): avc: denied { rlimitinh } for pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0

      type=AVC msg=audit(1668435760.293:5993): avc: denied { siginh } for pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0

      type=SYSCALL msg=audit(1668435760.293:5993): arch=x86_64 syscall=execve success=yes exit=0 a0=5594eda5a240 a1=5594ed8e1a70 a2=5594eda59960 a3=8 items=2 ppid=377132 pid=381745 auid=1570801184 uid=1570801184 gid=1570800513 euid=1570801184 suid=1570801184 fsuid=1570801184 egid=1570800513 sgid=1570800513 fsgid=1570800513 tty=pts1 ses=4 comm=podman exe=/usr/bin/podman subj=user_u:user_r:container_runtime_t:s0 key=(null) ARCH=x86_64 SYSCALL=execve AUID=rparker70_user UID=rparker70_user GID=646F6D61696E207573657273 EUID=rparker70_user SUID=rparker70_user FSUID=rparker70_user EGID=646F6D61696E207573657273 SGID=646F6D61696E207573657273 FSGID=646F6D61696E207573657273

      type=CWD msg=audit(1668435760.293:5993): cwd=/home/rparker70_user

      type=PATH msg=audit(1668435760.293:5993): item=0 name=/usr/bin/podman inode=18514223 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID=root OGID=root

      Hash: podman,user_t,container_runtime_t,process,rlimitinh
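The AVC records quoted above are the only SELinux evidence the reporter found, so the first thing a practitioner should do is read them precisely: which source domain was denied which permissions on which target, and whether the execve that produced them actually failed. The shell helper below is an added example and is not part of the bug report or of podman. It takes raw audit records on stdin (here a constructed sample built from the report's own two AVC records and the SYSCALL record, re-joined onto single lines and with the trailing interpreted fields trimmed) and prints one line per source/target context pair with the union of denied permissions, plus the outcome of every execve SYSCALL record. The function names avc_summary and execve_outcome are mine.

```shell
#!/bin/sh
# Added triage helper (not from the report or from podman): summarize SELinux
# AVC denials from raw audit records and show whether the execve that
# triggered them succeeded. Needs only POSIX sh and awk.

# Constructed sample: the two AVC records and the SYSCALL record from the
# report, re-joined onto single lines, with the ARCH=/AUID=... tail dropped.
SAMPLE_AUDIT='type=AVC msg=audit(1668435760.293:5993): avc: denied { rlimitinh } for pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=AVC msg=audit(1668435760.293:5993): avc: denied { siginh } for pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1668435760.293:5993): arch=x86_64 syscall=execve success=yes exit=0 ppid=377132 pid=381745 auid=1570801184 uid=1570801184 comm=podman exe=/usr/bin/podman subj=user_u:user_r:container_runtime_t:s0 key=(null)'

# avc_summary: read raw audit records on stdin, print one line per
# (scontext, tcontext, tclass) with every denied permission seen, e.g.
#   user_u:user_r:user_t:s0 -> user_u:user_r:container_runtime_t:s0 process { rlimitinh siginh }
avc_summary() {
  awk '
    /type=AVC / && /avc: *denied/ {
      # permissions are the words between "denied {" and "}"
      perms = $0
      sub(/.*denied[ ]*[{][ ]*/, "", perms)
      sub(/[ ]*[}].*/, "", perms)
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) s = substr($i, 10)
        if ($i ~ /^tcontext=/) t = substr($i, 10)
        if ($i ~ /^tclass=/)   c = substr($i, 8)
      }
      key = s " -> " t " " c
      if (!(key in seen)) { order[++n] = key; seen[key] = 1 }
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++)
        if (index(" " acc[key] " ", " " p[j] " ") == 0)
          acc[key] = acc[key] (acc[key] == "" ? "" : " ") p[j]
    }
    END { for (k = 1; k <= n; k++) printf "%s { %s }\n", order[k], acc[order[k]] }
  '
}

# execve_outcome: for every execve SYSCALL record on stdin print the pid,
# the label the new process ended up with (subj=) and success=yes|no, so the
# reader can tell whether the denials above actually stopped the exec.
execve_outcome() {
  awk '
    /type=SYSCALL / && /syscall=execve/ {
      pid = subj = ok = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^pid=/)     pid  = substr($i, 5)
        if ($i ~ /^subj=/)    subj = substr($i, 6)
        if ($i ~ /^success=/) ok   = substr($i, 9)
      }
      printf "pid=%s subj=%s success=%s\n", pid, subj, ok
    }
  '
}

# Stand-alone run on the constructed sample. On a live RHEL 8 host feed real
# records instead, e.g.: ausearch -m AVC,SYSCALL -c podman --raw | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | execve_outcome
```

On the report's data this prints user_t being denied rlimitinh and siginh on its transition into container_runtime_t, while the SYSCALL record reports success=yes. Those two permissions only control whether the new domain inherits the caller's resource limits and pending signals; a denial resets that state and lets the transition proceed, which is why podman itself started. The exec /bin/bash failure must therefore have occurred later, inside the container, and the next thing to collect after a failed run is any AVC involving the container's own process label (for example with ausearch -m AVC -ts recent, or by temporarily setting the system permissive to capture the full set of denials).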

              Assignee: Lokesh Mandvekar (lmandvek)
              Reporter: Ryan Parker (rparker70)
              QA Contact: Container QE
              Watchers: 14