- Bug
- Resolution: Not a Bug
- rhel-9.1.0
- Important
- rhel-container-tools
- x86_64

Description of problem:

(I don't know what component to file this for; please adjust as needed.)
When downloading a container image that the libnbd project uses in CI on
gitlab.com, the container cannot be entered with SELinux enforcing.

Version-Release number of selected component (if applicable):

- podman: 4.2.0-11.el9_1
- selinux: 3.4-3.el9
- container-selinux: 2.189.0-1.el9
- selinux-policy: 34.1.43-1.el9_1.2

How reproducible:

Always.

Steps to Reproduce:

cd $HOME
podman system reset -f
rm -rf .local/share/containers
mkdir x
cd x
podman run -it --rm --userns=keep-id -v .:/repo:z -w /repo \
registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest \
bash

Actual results:

> Trying to pull registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest...
> Getting image source signatures
> Copying blob 0ded2f83af0e done
> Copying blob 88ecf269dec3 done
> Copying config a3b4bffb18 done
> Writing manifest to image destination
> Storing signatures
> Error relocating /usr/lib/libreadline.so.8: RELRO protection failed: Permission denied
> Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
> Error relocating /usr/lib/libncursesw.so.6: RELRO protection failed: Permission denied
> Error relocating /bin/bash: RELRO protection failed: Permission denied

Expected results:

> Trying to pull registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest...
> Getting image source signatures
> Copying blob 0ded2f83af0e done
> Copying blob 88ecf269dec3 done
> Copying config a3b4bffb18 done
> Writing manifest to image destination
> Storing signatures
> bash-5.2$

Additional info:

(1) The "id" command outputs:
> uid=1000(lacos) gid=1000(lacos)
> groups=1000(lacos),10(wheel),18(dialout),135(mock),975(libvirt),1001(lmda)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(2) The expected result is achievable when setting SELinux to
permissive.
(3) With SELinux permissive, a single AVC is generated. "sealert -a"
reports:
> SELinux is preventing /bin/bash from read access on the file
> /usr/lib/libreadline.so.8.2.
>
> ***** Plugin restorecon (99.5 confidence) suggests ************************
>
> If you want to fix the label.
> /usr/lib/libreadline.so.8.2 default label should be lib_t.
> Then you can run restorecon. The access attempt may have been stopped
> due to insufficient permissions to access a parent directory in which
> case try to change the following command accordingly.
> Do
> # /sbin/restorecon -v /usr/lib/libreadline.so.8.2
>
> ***** Plugin catchall (1.49 confidence) suggests **************************
>
> If you believe that bash should be allowed read access on the
> libreadline.so.8.2 file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'bash' --raw | audit2allow -M my-bash
> # semodule -X 300 -i my-bash.pp
>
>
> Additional Information:
> Source Context system_u:system_r:container_t:s0:c62,c364
> Target Context unconfined_u:object_r:user_home_t:s0
> Target Objects /usr/lib/libreadline.so.8.2 [ file ]
> Source bash
> Source Path /bin/bash
> Port <Unknown>
> Host <Unknown>
> Source RPM Packages bash-5.1.8-6.el9_1.x86_64
> Target RPM Packages
> SELinux Policy RPM selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
> Local Policy RPM selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name lacos-laptop-9.usersys.redhat.com
> Platform Linux lacos-laptop-9.usersys.redhat.com
> 5.14.0-162.18.1.el9_1.x86_64 #1 SMP
> PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
> x86_64
> Alert Count 1
> First Seen 2023-03-22 12:57:44 CET
> Last Seen 2023-03-22 12:57:44 CET
> Local ID 0db129a5-552f-49b2-b3bc-ec206978affb
>
> Raw Audit Messages
> type=AVC msg=audit(1679486264.987:145): avc: denied
> pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3"
> ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>
>
> type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64
> syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1
> a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000
> euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0
> ses=2 comm=bash exe=/bin/bash
> subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64
> SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos
> FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
>
> Hash: bash,container_t,user_home_t,file,read
Note that any complaints about "/usr/lib/libreadline.so.8.2" having
wrong labels are presumably bogus, given that this file exists within
the container.
(4) After the described failure, I tried
restorecon -FvvR ~/.local/share/containers
restorecon -FvvR ~/x
This relabels a big bunch of files, but then the same "podman" command
fails the same way.
The new AVC is effectively identical to the previous one; here's the
diff between the "sealert -a" outputs:
> @@ -24,7 +24,7 @@
>
>
> Additional Information:
> -Source Context system_u:system_r:container_t:s0:c62,c364
> +Source Context system_u:system_r:container_t:s0:c436,c873
> Target Context unconfined_u:object_r:user_home_t:s0
> Target Objects /usr/lib/libreadline.so.8.2 [ file ]
> Source bash
> @@ -44,15 +44,15 @@
> PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
> x86_64
> Alert Count 1
> -First Seen 2023-03-22 12:57:44 CET
> -Last Seen 2023-03-22 12:57:44 CET
> -Local ID 0db129a5-552f-49b2-b3bc-ec206978affb
> +First Seen 2023-03-22 13:01:49 CET
> +Last Seen 2023-03-22 13:01:49 CET
> +Local ID 2771711b-e2af-4c92-840d-36573a4fb12a
>
> Raw Audit Messages
> -type=AVC msg=audit(1679486264.987:145): avc: denied { read }
for pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> +type=AVC msg=audit(1679486509.713:167): avc: denied
for pid=3168 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c436,c873 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>
>
> -type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1 a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
> +type=SYSCALL msg=audit(1679486509.713:167): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f6318db1000 a1=3000 a2=1 a3=562c3fdd6c80 items=0 ppid=3165 pid=3168 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c436,c873 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
>
> Hash: bash,container_t,user_home_t,file,read
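Review bot: In the second hunk the only differences between the old and new AVC/SYSCALL lines are per-run values (the audit timestamp and serial, pid/ppid, the mprotect addresses, and the source MCS pair c62,c364 vs c436,c873, which is assigned fresh for each container start), while the field that explains the denial, tcontext=unconfined_u:object_r:user_home_t:s0 on dev="dm-3" ino=2907654, is identical. The diff therefore confirms that the restorecon runs in (4) did not relabel the inode backing /usr/lib/libreadline.so.8.2 as seen from the container; checking that inode's label directly (ls -Z on the file under the rootless storage directory) before and after the relabel would show which fcontext rule actually applies to it.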
(5) This is similar to bug 1969996 and bug 2019324, but the instructions
described there don't work here.
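Added example, not part of the bug report: a small Python check over the two AVC records quoted above that extracts the fields a defender cares about, flags a container_t process denied on a non-container file type as a labelling problem rather than a policy gap, and confirms, as the diff shows, that the restorecon in step (4) left the target label unchanged. The CONTAINER_READABLE set is an assumption of this check, not something the report states.

```python
import re

# Constructed sample input: the two AVC records quoted in the report (before and
# after the restorecon runs in step 4), retyped as single lines.
AVC_BEFORE = ('type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 '
              'comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 '
              'scontext=system_u:system_r:container_t:s0:c62,c364 '
              'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1')
AVC_AFTER = ('type=AVC msg=audit(1679486509.713:167): avc: denied { read } for pid=3168 '
             'comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 '
             'scontext=system_u:system_r:container_t:s0:c436,c873 '
             'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1')

# Assumption for this check: the file types a container_t process is expected to
# read from its own image layers and volumes. A target of any other type on a path
# the container sees points at a labelling problem, not a missing policy rule.
CONTAINER_READABLE = {"container_file_t", "container_ro_file_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERM_RE = re.compile(r'denied\s*\{\s*([^}]*)\}')  # the { read } part

def parse_avc(record):
    """Split one raw AVC line into its key=value fields plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    m = PERM_RE.search(record)
    fields["perms"] = m.group(1).split() if m else []
    return fields

def selinux_type(context):
    """user:role:type[:range] -> the type component."""
    return context.split(":")[2]

def classify(record):
    """'mislabelled-target' when a container process is denied on a non-container type."""
    f = parse_avc(record)
    if (selinux_type(f["scontext"]) == "container_t"
            and selinux_type(f["tcontext"]) not in CONTAINER_READABLE):
        return "mislabelled-target"
    return "other"

def relabel_changed(before, after):
    """True if the target label differs between two AVCs on the same dev/inode.
    The source MCS pair (c62,c364 vs c436,c873) is fresh on every container start,
    so only tcontext is compared."""
    b, a = parse_avc(before), parse_avc(after)
    same_inode = (b["dev"], b["ino"]) == (a["dev"], a["ino"])
    return same_inode and b["tcontext"] != a["tcontext"]
```

Running classify on both records yields "mislabelled-target", and relabel_changed returns False, which is the same conclusion the reporter draws from the sealert diff.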