RHEL-37912

fapolicyd default rule file 30-patterns.rules prevents starting containers

    • Bug
    • Resolution: Unresolved
    • rhel-9.4
    • fapolicyd
    • Moderate
    • rhel-sst-security-special-projects
    • ssg_security
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      A customer is trying to enable fapolicyd on his system running a Quay service, which relies on podman containers.
      It appears rule 5 gets hit when the container's /usr/sbin/crun starts:

      rule=5 dec=deny_audit perm=open auid=0 pid=1464 exe=/ : path=/usr/lib64/libsystemd.so.0.35.0 ftype=application/x-sharedlib trust=1

      5. deny_audit perm=any pattern=ld_so : all

      Please provide the package NVR for which the bug is seen:

      fapolicyd-1.3.2-100.el9.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. Log in to the Red Hat registry, then try to start a container, e.g. "redis":
        # podman login registry.redhat.io
        # podman run -d --rm --name redis -p 6379:6379 -e REDIS_PASSWORD=strongpassword registry.redhat.io/rhel8/redis-6:1-110

      Expected results

      Container starts

      Actual results

      /usr/bin/crun: error while loading shared libraries: libsystemd.so.0: cannot open shared object file: Operation not permitted
      /usr/bin/crun: error while loading shared libraries: libsystemd.so.0: cannot open shared object file: Operation not permitted
      ERRO[0000] Container 02128b0e33b316208da989a8e3cab52942a97c970b96bfa2889d7e35368362f0 failed to be removed 
      Error: `/usr/bin/crun start 02128b0e33b316208da989a8e3cab52942a97c970b96bfa2889d7e35368362f0` failed: exit status 127
      

      Through stracing podman, we can see the attempt to load the library:

      1464  15:33:44.397587 execveat(3</>, "", ["/usr/bin/crun", "--systemd-cgroup", "--log-format=json", "--log", "/run/containers/storage/overlay-containers/7fbeda0eab2671ef83fc5722de7b88daacf057b332a070933bbd7795471debad/userdata/oci-log", "create", "--bundle", "/var/lib/containers/storage/overlay-containers/7fbeda0eab2671ef83fc5722de7b88daacf057b332a070933bbd7795471debad/userdata", "--pid-file", "/run/containers/storage/overlay-containers/7fbeda0eab2671ef83fc5722de7b88daacf057b332a070933bbd7795471debad/userdata/pidfile", "7fbeda0eab2671ef83fc5722de7b88daacf057b332a070933bbd7795471debad"], ..., AT_EMPTY_PATH) = 0 <0.000151>
       :
      1464  15:33:44.397959 openat(AT_FDCWD</root>, "/lib64/libsystemd.so.0", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted) <0.000069>
       :
      1464  15:33:44.398543 openat(AT_FDCWD</root>, "/lib64/libsystemd.so.0", O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted) <0.000058>
       :
      1464  15:33:44.398635 writev(2<pipe:[24399]>, [{iov_base="/usr/bin/crun", iov_len=13}, {iov_base=": ", iov_len=2}, {iov_base="error while loading shared libraries", iov_len=36}, {iov_base=": ", iov_len=2}, {iov_base="libsystemd.so.0", iov_len=15}, {iov_base=": ", iov_len=2}, {iov_base="cannot open shared object file", iov_len=30}, {iov_base=": ", iov_len=2}, {iov_base="Operation not permitted", iov_len=23}, {iov_base="\n", iov_len=1}], 10) = 126 <0.000005>
      1464  15:33:44.398657 exit_group(127)   = ?
      1464  15:33:44.398686 +++ exited with 127 +++
      
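      As an added triage example (not code from this report, from the reporter, or from the fapolicyd project): the script below parses the fapolicyd deny record quoted under "What were you trying to do", the rule line in the "N. rule text" form quoted next to it, and the strace lines above; it pairs each denial with the EPERM openat() calls of the same pid that touched the same library and annotates what the record itself tells an operator (the object is trust=1, so the denial comes from rule 5's pattern match, and exe=/ is not a binary path). It assumes the record layout shown in the report is stable; the ENOENT strace line in the sample is constructed.

```python
"""Triage helper for fapolicyd denials: pair a deny record with the failed
openat(2) calls of the same process seen under strace, and annotate it.
Added example for RHEL-37912, not code from fapolicyd or from the reporter."""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Deny record layout as quoted in the report (assumed stable for this example).
FAPOLICYD_RE = re.compile(
    r"rule=(?P<rule>\d+)\s+dec=(?P<dec>\S+)\s+perm=(?P<perm>\S+)\s+"
    r"auid=(?P<auid>-?\d+)\s+pid=(?P<pid>\d+)\s+exe=(?P<exe>\S+)\s+:\s+"
    r"path=(?P<path>\S+)\s+ftype=(?P<ftype>\S+)\s+trust=(?P<trust>[01])")
# "strace -f -tt" openat(2) line that returned -1 with an errno.
STRACE_OPENAT_RE = re.compile(
    r"^(?P<pid>\d+)\s+\S+\s+openat\([^,]+,\s+\"(?P<path>[^\"]+)\""
    r".*?\)\s+=\s+-1\s+(?P<errno>E[A-Z]+)")
# Rule listing in the "N. <rule>" form quoted in the report.
RULE_LISTING_RE = re.compile(r"^\s*(?P<num>\d+)\.\s+(?P<text>.+?)\s*$")

@dataclass(frozen=True)
class Denial:
    rule: int
    decision: str
    perm: str
    auid: int
    pid: int
    exe: str
    path: str
    ftype: str
    trusted: bool

@dataclass(frozen=True)
class OpenFailure:
    pid: int
    path: str
    errno: str

def parse_fapolicyd(line: str) -> Optional[Denial]:
    m = FAPOLICYD_RE.search(line)
    if not m:
        return None
    return Denial(int(m["rule"]), m["dec"], m["perm"], int(m["auid"]), int(m["pid"]),
                  m["exe"], m["path"], m["ftype"], m["trust"] == "1")

def parse_strace_openat_failure(line: str) -> Optional[OpenFailure]:
    m = STRACE_OPENAT_RE.match(line.strip())
    return OpenFailure(int(m["pid"]), m["path"], m["errno"]) if m else None

def parse_rule_listing(lines):
    """Map rule number -> rule text from a 'N. rule' listing."""
    found = (RULE_LISTING_RE.match(line) for line in lines)
    return {int(m["num"]): m["text"] for m in found if m}

def same_library(loader_path: str, fapolicyd_path: str) -> bool:
    """ld.so opens the soname link (/lib64/libfoo.so.0) while fapolicyd logs the
    resolved file (/usr/lib64/libfoo.so.0.35.0): compare on the file-name prefix."""
    return os.path.basename(fapolicyd_path).startswith(os.path.basename(loader_path))

def triage_note(d: Denial) -> str:
    notes = []
    if d.trusted and d.decision.startswith("deny"):
        notes.append(f"object is trusted (trust=1), so rule {d.rule} denied on its "
                     "subject/pattern match rather than on object trust")
    if d.exe == "/" or not d.exe.startswith("/"):
        notes.append(f"exe={d.exe} is not a binary path: check how the subject was "
                     "exec'd (the report's strace shows execveat(..., AT_EMPTY_PATH))")
    return "; ".join(notes) or "no anomaly flagged"

def correlate(fapolicyd_lines, strace_lines, rule_listing=()):
    """One report entry per deny record, with the count of matching EPERM opens."""
    rules = parse_rule_listing(rule_listing)
    failures = [f for f in map(parse_strace_openat_failure, strace_lines) if f]
    report = []
    for d in filter(None, map(parse_fapolicyd, fapolicyd_lines)):
        hits = [f for f in failures
                if f.pid == d.pid and f.errno == "EPERM" and same_library(f.path, d.path)]
        report.append({"rule": d.rule, "rule_text": rules.get(d.rule, "<not in listing>"),
                       "pid": d.pid, "path": d.path, "eperm_opens": len(hits),
                       "note": triage_note(d)})
    return report

# Sample input: the deny record, rule line and two EPERM strace lines quoted in the
# report, plus one constructed ENOENT line to show unrelated failures are ignored.
SAMPLE_FAPOLICYD = [
    "rule=5 dec=deny_audit perm=open auid=0 pid=1464 exe=/ : "
    "path=/usr/lib64/libsystemd.so.0.35.0 ftype=application/x-sharedlib trust=1"]
SAMPLE_RULES = ["5. deny_audit perm=any pattern=ld_so : all"]
SAMPLE_STRACE = [
    '1464  15:33:44.397959 openat(AT_FDCWD</root>, "/lib64/libsystemd.so.0", '
    'O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted) <0.000069>',
    '1464  15:33:44.398543 openat(AT_FDCWD</root>, "/lib64/libsystemd.so.0", '
    'O_RDONLY|O_CLOEXEC) = -1 EPERM (Operation not permitted) <0.000058>',
    # constructed line, not from the report:
    '1464  15:33:44.398600 openat(AT_FDCWD</root>, "/etc/ld.so.preload", '
    'O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) <0.000010>']

if __name__ == "__main__":
    for entry in correlate(SAMPLE_FAPOLICYD, SAMPLE_STRACE, SAMPLE_RULES):
        print(entry)
```

      Feed it the fapolicyd deny records from the journal and an `strace -f -tt` capture of the failing podman run; a denial whose object is trust=1 and whose exe field is not a path is exactly the shape of record worth bringing to the rule's author rather than "fixing" by adding the library to the trust database, which would not change the outcome of a pattern rule.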

              rsroka@redhat.com Radovan Sroka
              rhn-support-rmetrich Renaud Métrich
              SSG Security QE