Project: RHEL
Issue: RHEL-3158

avc: denied { execmod } for pid=335139 comm="sh" path="/bin/sh" dev="dm-4" ino=138505864 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0

    • container-selinux-2.219.0-1.rhaos4.13.el9
    • Important
    • rhel-sst-container-tools

      Description of problem:
      Since the 27th of July (for OpenShift 4.14), the versions of OpenShift running on an RHCOS based on RHEL 9.2 have been hitting this permission denied error when scheduling a privileged container.

      Version-Release number of selected component (if applicable):

      How reproducible:
      1. Deploy a nightly of OpenShift 4.12, 4.13, or 4.14.
      2. Run an openshift-test that schedules a privileged container. E.g.:
      $ KUBE_TEST_REPO_LIST="" KUBE_TEST_REPO="quay.io/openshift/community-e2e-images" ./openshift-tests run-test '[sig-storage] In-tree Volumes [Driver: hostPath] [Testpattern: Inline-volume (default fs)] volumes should store data [Suite:openshift/conformance/parallel] [Suite:k8s]'
      3. Monitor the journal logs on the worker for selinux errors

      Actual results:
      type=AVC msg=audit(1691587536.149:914): avc: denied { execmod } for pid=335139 comm="sh" path="/bin/sh" dev="dm-4" ino=138505864 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0

      Expected results:
      No avc errors.
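      Added example, not part of the RHEL-3158 report and not code from container-selinux: a small POSIX shell helper that turns AVC lines like the one above into a one-line summary (permission, source type, target type, class, and whether the denial was enforced) and prints the setools query that asks the loaded policy whether the access is allowed. The sample input is constructed from the report's own denial plus one unrelated SYSCALL line; the `sesearch` command it prints assumes setools is installed on the node where you run it.

```shell
#!/bin/sh
# Added example (not from the RHEL-3158 report): parse AVC denial lines
# like the one in the report, summarize them, and print the policy query
# that checks whether the loaded policy grants the denied access.

# Constructed sample input: the denial from the report (audit's native
# double-space spelling of "avc:  denied") plus a non-AVC audit line, to
# show that unrelated lines are skipped.
SAMPLE_AVC='type=AVC msg=audit(1691587536.149:914): avc:  denied  { execmod } for  pid=335139 comm="sh" path="/bin/sh" dev="dm-4" ino=138505864 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0'
SAMPLE_NOISE='type=SYSCALL msg=audit(1691587536.149:914): arch=c000003e syscall=10 success=no exit=-13'

# avc_field LINE KEY: print the value of KEY=... (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([a-z_]*\)[[:space:]]*}.*/\1/p'
}

# ctx_type LABEL: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary: read journal/audit lines on stdin and print one line per
# AVC denial as "PERM SRC_TYPE TGT_TYPE CLASS ENFORCED", where ENFORCED
# is yes when permissive=0 (the access really was blocked) and no for a
# denial logged in permissive mode.
avc_summary() {
    while IFS= read -r line; do
        case $line in
            *'avc: '*'denied'*) ;;
            *) continue ;;
        esac
        perm=$(avc_perm "$line")
        src=$(ctx_type "$(avc_field "$line" scontext)")
        tgt=$(ctx_type "$(avc_field "$line" tcontext)")
        cls=$(avc_field "$line" tclass)
        if [ "$(avc_field "$line" permissive)" = 0 ]; then enf=yes; else enf=no; fi
        printf '%s %s %s %s %s\n' "$perm" "$src" "$tgt" "$cls" "$enf"
    done
}

# avc_sesearch LINE: the setools query that asks the loaded policy whether
# the denied access is allowed. Empty output from sesearch means no allow
# rule exists, i.e. the installed container-selinux policy lacks it.
avc_sesearch() {
    perm=$(avc_perm "$1")
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' "$src" "$tgt" "$cls" "$perm"
}

# Demonstration on the constructed input.
printf '%s\n' "$SAMPLE_AVC" "$SAMPLE_NOISE" | avc_summary
avc_sesearch "$SAMPLE_AVC"
```

      On the affected worker (step 3 above), source the file and feed it the real log instead of the sample, e.g. `journalctl -k --no-pager | avc_summary` or `ausearch -m AVC -ts recent | avc_summary`, then run the printed `sesearch` command; with setools installed, no output from it confirms that the policy has no `allow spc_t container_ro_file_t:file execmod` rule, and `permissive=0` in the original line confirms the denial was enforced rather than merely logged. `execmod` is requested when a process maps a modified private file mapping with PROT_EXEC (typically text relocations), so the summary tells you which file and which domain to look at before deciding whether the rule belongs in the policy or the binary should be fixed.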

              People: Daniel Walsh (rhatdan, inactive), Jeremy Poulin (jpoulin), Edward Shen
              Votes: 0
              Watchers: 3