RHEL-3107

podman.socket does not start with the new selinux-policy

    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Normal
    • Component: container-selinux
    • Severity: Moderate
    • Team: rhel-sst-container-tools

      Description of problem:

      Cockpit's tests fail on CentOS-9-Stream with the tag repo enabled (koji)

      https://kojihub.stream.centos.org/kojifiles/repos/c9s-build/latest/x86_64

      Version-Release number of selected component (if applicable):

      [root@centos-9-stream-127-0-0-2-2201 ~]# rpm -q podman aardvark-dns netavark selinux-policy
      podman-4.3.1-3.el9.x86_64
      aardvark-dns-1.3.0-1.el9.x86_64
      netavark-1.3.0-1.el9.x86_64
      selinux-policy-38.1.2-1.el9.noarch

      How reproducible:

      Always

      Steps to Reproduce:

      Either launch cockpit with cockpit-podman installed or use curl

      curl -X GET -s -g --no-buffer --unix-socket /run/podman/podman.sock 'http://localhost/v1.12/libpod/info'

      That should activate podman.socket and podman.service should fail.

      Actual results:

      [ 48.648949] audit: type=1400 audit(1669978902.909:4): avc: denied { read } for pid=3767 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
      [ 48.782451] audit: type=1400 audit(1669978903.043:5): avc: denied { quotamod } for pid=3767 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
      [ 48.790435] audit: type=1400 audit(1669978903.051:6): avc: denied { create } for pid=3767 comm="podman" name="netavark.lock" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
      [ 48.792099] audit: type=1400 audit(1669978903.053:7): avc: denied { write } for pid=3767 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
      [ 48.831018] audit: type=1400 audit(1669978903.091:8): avc: denied { read } for pid=3778 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
      [ 48.881706] audit: type=1400 audit(1669978903.142:9): avc: denied { quotamod } for pid=3778 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
      [ 48.886245] audit: type=1400 audit(1669978903.147:10): avc: denied { write } for pid=3778 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
      [ 48.947136] audit: type=1400 audit(1669978903.207:11): avc: denied { read } for pid=3786 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
      [ 49.049747] audit: type=1400 audit(1669978903.310:12): avc: denied { quotamod } for pid=3786 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
      [ 49.052811] audit: type=1400 audit(1669978903.313:13): avc: denied { write } for pid=3786 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

      Expected results:

      No violations

      Additional info:

      Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: Started Podman API Service.
      Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 podman[11815]: time="2022-12-02T06:11:23-05:00" level=info msg="/usr/bin/podman filtering at log level info"
      Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 podman[11815]: time="2022-12-02T06:11:23-05:00" level=info msg="Not using native diff for overlay, this may cause degraded p>
      Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 podman[11815]: Error: open /etc/containers/networks/netavark.lock: permission denied
      Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: podman.service: Main process exited, code=exited, status=125/n/a
      Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: podman.service: Failed with result 'exit-code'.
      Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: podman.socket: Trigger limit hit, refusing further activation.
      Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: podman.socket: Failed with result 'trigger-limit-hit'.
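The AVC records above are the whole diagnosis: every socket-activated podman.service attempt dies on the same three denials, and the one that actually kills the service (the journal error "open /etc/containers/networks/netavark.lock: permission denied") targets a file labelled unconfined_u:object_r:etc_t, i.e. a lock file that an unconfined session created under /etc and that container_runtime_t is not allowed to write. The following triage script is an added example for this report, not code from podman, netavark, container-selinux or Cockpit. It parses kernel AVC lines, collapses repeated denials across PIDs into one row each, and flags denied file targets whose SELinux user is unconfined_u, which is the first thing to compare against `matchpathcon` / `restorecon -nv` before writing any policy. The sample input is the report's own AVC lines rejoined one per line; all function names are this example's own.

```python
"""Triage SELinux AVC denials pasted from dmesg or the journal.

Added example for RHEL-3107; not code from podman, netavark or
container-selinux.  Parses the kernel's audit lines, groups denials by
(source type, target type, class, permission) and flags targets whose SELinux
user is unconfined_u, i.e. objects created by an interactive session rather
than by the confined service.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the report,
# each rejoined onto a single line as the kernel printed it.
SAMPLE_AVCS = """\
[ 48.648949] audit: type=1400 audit(1669978902.909:4): avc: denied { read } for pid=3767 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
[ 48.782451] audit: type=1400 audit(1669978903.043:5): avc: denied { quotamod } for pid=3767 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
[ 48.790435] audit: type=1400 audit(1669978903.051:6): avc: denied { create } for pid=3767 comm="podman" name="netavark.lock" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[ 48.792099] audit: type=1400 audit(1669978903.053:7): avc: denied { write } for pid=3767 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
[ 48.831018] audit: type=1400 audit(1669978903.091:8): avc: denied { read } for pid=3778 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
[ 48.881706] audit: type=1400 audit(1669978903.142:9): avc: denied { quotamod } for pid=3778 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
[ 48.886245] audit: type=1400 audit(1669978903.147:10): avc: denied { write } for pid=3778 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
[ 48.947136] audit: type=1400 audit(1669978903.207:11): avc: denied { read } for pid=3786 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
[ 49.049747] audit: type=1400 audit(1669978903.310:12): avc: denied { quotamod } for pid=3786 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
[ 49.052811] audit: type=1400 audit(1669978903.313:13): avc: denied { write } for pid=3786 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'user:role:type:level' -> dict; the level may itself contain ':' (MCS categories)."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_avc(line):
    """Return the AVC record on this line as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    rec["enforcing"] = rec.get("permissive") == "0"
    return rec


def summarize(text):
    """Group denials by (source type, target type, class, permission) -> number of distinct PIDs.

    Identical denials from successive PIDs (here: each socket-activated
    podman.service attempt) collapse into one row with a count, which is the
    view to read before deciding whether a label or a policy rule is wrong.
    """
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        src = split_context(rec["scontext"])["type"]
        tgt = split_context(rec["tcontext"])["type"]
        for perm in rec["perms"]:
            groups[(src, tgt, rec["tclass"], perm)].add(rec["pid"])
    return {key: len(pids) for key, pids in groups.items()}


def unconfined_targets(text):
    """Denied named targets whose SELinux user is unconfined_u, keyed by (dev, ino, name).

    A file under a system directory carrying unconfined_u was created by an
    interactive, unconfined process rather than by the confined service, so its
    type depends on the creator and the parent directory; check it with
    `matchpathcon <path>` / `restorecon -nv <path>` before touching policy.
    """
    seen = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied" or "name" not in rec:
            continue
        if split_context(rec["tcontext"])["user"] == "unconfined_u":
            seen[(rec.get("dev"), rec.get("ino"), rec["name"])] = rec["tcontext"]
    return seen


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in sorted(summarize(SAMPLE_AVCS).items()):
        print(f"{n:3d} x {src} -> {tgt} {cls} {{ {perm} }}")
    for (dev, ino, name), ctx in unconfined_targets(SAMPLE_AVCS).items():
        print(f"check label: {name} (dev={dev} ino={ino}) is {ctx}")
```

Run it against `dmesg` or `journalctl -k` output and read the summary first: a denial that repeats once per service PID is a labelling or policy problem, not a transient. The `unconfined_targets` row separates the two cases; if `restorecon -nv` on the flagged path proposes a different type, the file is mislabelled and the fix is a relabel, and only if it does not is a policy change (container-selinux) the right place to look.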

      People: Lokesh Mandvekar (lmandvek), Jelle van der Waa (jvanderw@redhat.com), Container Runtime Eng Bot, Edward Shen