-
Bug
-
Resolution: Done
-
Normal
-
None
-
rhel-9.2.0
-
None
-
None
-
rhel-sst-container-tools
-
3
-
False
-
-
None
-
None
-
None
-
None
-
-
-
Unspecified
-
None
Forwarding this from https://issues.redhat.com/browse/OCPBUGS-10615
On RHEL 8-based CoreOS (container-selinux 2.188), running a host binary from a privileged container via a chroot into the bind-mounted host root works as expected:
[root@cosa-devsh ~]# rpm -q container-selinux
container-selinux-2.188.0-1.rhaos4.12.el8.noarch
[root@cosa-devsh ~]# podman run -q --privileged --rm -ti -v /:/run/host quay.io/centos/centos:stream8 chroot /run/host ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 62:6e:84:c3:1e:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::606e:84ff:fec3:1e20/64 scope link tentative
valid_lft forever preferred_lft forever
[root@cosa-devsh ~]#
Whereas on RHEL 9-based CoreOS (container-selinux 2.199) the same command exits with no output at all. The audit log shows `ip` did run, but in the ifconfig_t domain rather than the container's domain, and from there it is denied read/write on the container's pty (`/dev/pts/0`, labelled container_devpts_t) — apparently the stdio it inherited — so nothing ever reaches the terminal:
[root@cosa-devsh ~]# rpm -q container-selinux
container-selinux-2.199.0-1.el9.noarch
[root@cosa-devsh ~]# podman run -q --privileged --rm -ti -v /:/run/host quay.io/centos/centos:stream8 chroot /run/host ip addr
[root@cosa-devsh ~]#
The corresponding AVC denials are of the form below (note the source domain is ifconfig_t / dmesg_t, not a container domain, and the target is the container-labelled pty). The same pattern appears for `dmesg`, so this likely affects any host binary whose exec label triggers a domain transition, not just `ip`; setting the host permissive to "fix" it would disable enforcement for every such domain and is not an acceptable workaround:
type=AVC msg=audit(1679502253.287:86): avc: denied { read write } for pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502253.287:86): avc: denied { read append } for pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502253.287:86): avc: denied { read append } for pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502253.287:86): avc: denied { read append } for pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc: denied { read write } for pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc: denied { read append } for pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc: denied { read append } for pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0