Details
Type: Bug
Resolution: Unresolved
Version: rhel-8.6.0
Priority: Major
Component: sst_container_tools
Architecture: x86_64
Description
Description of problem:
The Defense Information Systems Agency released a new Security Technical Implementation Guide for RHEL8 for Q4 2022. This version, V1R8, introduces a new requirement: all administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization.
As such, implementing this requirement prevents users from being able to create containers from container images.
Version-Release number of selected component (if applicable):
RHEL8.6
4.18.0-372.26.1.el8_6.x86_64
Podman: podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
How reproducible:
Works with every container I try to import and run.
Steps to Reproduce:
1. Map all applicable admins to the staff_u role: semanage login -a -s staff_u <username>
2. Set the default SELinux context to user_u: semanage login -m -s user_u -r s0 _default_
3. Perform a SELinux relabel
4. Reboot
5. On a system with an active internet connection, pull an image and save it to a tarball: sudo docker save -o ~/Downloads/ubi9.tar registry.access.redhat.com/ubi9/ubi:latest
6. Transfer tarball to the airgapped RHEL8 system
7. As a regular user, load the tarball: podman load < ./ubi9.tar
8. Test to see if container works: podman run -it registry.access.redhat.com/ubi9/ubi:latest /bin/bash
Actual results:
Encounter permission denied error
[rparker70_user@rhel8swtest ~]$ podman run -it registry.access.redhat.com/ubi9/ubi:latest /bin/bash
exec /bin/bash: permission denied
Expected results:
The user should be able to run a podman container.
Additional info:
The only additional SELinux error I could find is below:
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/podman from using the rlimitinh access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that podman should be allowed rlimitinh access on processes labeled container_runtime_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'podman' --raw | audit2allow -M my-podman
# semodule -X 300 -i my-podman.pp
Additional Information:
Source Context user_u:user_r:user_t:s0
Target Context user_u:user_r:container_runtime_t:s0
Target Objects /usr/bin/podman [ process ]
Source podman
Source Path /usr/bin/podman
Port <Unknown>
Host rhel8swtest.scd.secret
Source RPM Packages podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
Target RPM Packages podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
SELinux Policy RPM selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rhel8swtest.scd.secret
Platform Linux rhel8swtest.scd.secret 4.18.0-372.26.1.el8_6.x86_64 #1 SMP Sat Aug 27 02:44:20 EDT 2022 x86_64 x86_64
Alert Count 2
First Seen 2022-11-14 09:21:17 EST
Last Seen 2022-11-14 09:22:40 EST
Local ID 8c48533a-4295-4cb3-9398-d3b9220bff0d
Raw Audit Messages
type=AVC msg=audit(1668435760.293:5993): avc: denied { rlimitinh } for pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=AVC msg=audit(1668435760.293:5993): avc: denied { siginh } for pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1668435760.293:5993): arch=x86_64 syscall=execve success=yes exit=0 a0=5594eda5a240 a1=5594ed8e1a70 a2=5594eda59960 a3=8 items=2 ppid=377132 pid=381745 auid=1570801184 uid=1570801184 gid=1570800513 euid=1570801184 suid=1570801184 fsuid=1570801184 egid=1570800513 sgid=1570800513 fsgid=1570800513 tty=pts1 ses=4 comm=podman exe=/usr/bin/podman subj=user_u:user_r:container_runtime_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=rparker70_user UID=rparker70_user GID=646F6D61696E207573657273 EUID=rparker70_user SUID=rparker70_user FSUID=rparker70_user EGID=646F6D61696E207573657273 SGID=646F6D61696E207573657273 FSGID=646F6D61696E207573657273
type=CWD msg=audit(1668435760.293:5993): cwd=/home/rparker70_user
type=PATH msg=audit(1668435760.293:5993): item=0 name=/usr/bin/podman inode=18514223 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root
Hash: podman,user_t,container_runtime_t,process,rlimitinh
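Added triage example (editor's code, not part of the bug report or of podman). It works over the two pieces of evidence this report turns on: the SELinux login mappings that V1R8 requires (administrators on sysadm_u, staff_u or a tailored confined user, nothing left on unconfined_u) and AVC records of the exact shape shown above, where a user_t process is refused rlimitinh and siginh on a container_runtime_t process. Both inputs are constructed inline (the `semanage login -l` listing, including the made-up login `legacyadmin`, and the three audit records) so the script runs offline; on a real host the listing would come from `semanage login -l` and the records from `ausearch -m AVC --raw`. The column layout assumed for `semanage login -l` is the RHEL 8 one (login name, SELinux user, MLS/MCS range, service).

```bash
#!/usr/bin/env bash
# Triage helper for "podman run ... permission denied" under confined SELinux
# users. Editor's example, not from the bug report. Inputs are constructed
# below so it runs offline.

# Constructed sample of `semanage login -l` output (RHEL 8 column layout).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
rparker70_user       staff_u              s0-s0:c0.c1023       *
legacyadmin          unconfined_u         s0-s0:c0.c1023       *'

# Constructed AVC records in the same shape as the raw audit messages in the
# report, plus one unrelated denial that must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1668435760.293:5993): avc:  denied  { rlimitinh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=AVC msg=audit(1668435760.293:5993): avc:  denied  { siginh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=AVC msg=audit(1668435800.100:6001): avc:  denied  { read } for  pid=4242 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# unconfined_logins LISTING
# Print every login (other than root) still mapped to unconfined_u. Under the
# V1R8 requirement each of these is a finding.
unconfined_logins() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "unconfined_u" && $1 != "root" { print $1 }'
}

# default_selinux_user LISTING
# Print the SELinux user that __default__ maps to (user_u in the report).
default_selinux_user() {
    printf '%s\n' "$1" | awk '$1 == "__default__" { print $2 }'
}

# avc_field RECORD KEY
# Extract KEY=value from one AVC record, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD
# Extract the permission set between the braces, e.g. "rlimitinh".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# podman_confined_denials AVC_TEXT
# For each denial where a confined user domain (user_t or staff_t) is refused
# rlimitinh or siginh on a container_runtime_t process, print one line:
#   <source type> <permission> <target type>
# This is the signature in the report; denials of any other shape are skipped.
podman_confined_denials() {
    printf '%s\n' "$1" | while IFS= read -r rec; do
        case "$rec" in *"tclass=process"*) ;; *) continue ;; esac
        src_type=$(avc_field "$rec" scontext | cut -d: -f3)
        tgt_type=$(avc_field "$rec" tcontext | cut -d: -f3)
        perms=$(avc_perms "$rec")
        case "$src_type" in user_t|staff_t) ;; *) continue ;; esac
        [ "$tgt_type" = container_runtime_t ] || continue
        for p in $perms; do
            case "$p" in
                rlimitinh|siginh) printf '%s %s %s\n' "$src_type" "$p" "$tgt_type" ;;
            esac
        done
    done
}

# Stand-alone run over the constructed samples.
main() {
    echo "default login maps to: $(default_selinux_user "$SAMPLE_LOGINS")"
    echo "logins still on unconfined_u (STIG finding):"
    unconfined_logins "$SAMPLE_LOGINS" | sed 's/^/  /'
    echo "denials matching the confined-user podman signature:"
    podman_confined_denials "$SAMPLE_AVCS" | sed 's/^/  /'
}
main
```

Only the two process-class denials against container_runtime_t are reported; the file-class httpd record is dropped, so the output is the short list a reporter would paste rather than the full audit log. Substitute the real `semanage login -l` and `ausearch -m AVC --raw` output for the two sample strings to run it against a live host.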