RHEL / RHEL-85434

SELinux container_logreader_t cannot watch /var/log symlinks - [RHEL 9.6] 0day

    • container-selinux-2.235.0-2.el9_6
    • No
    • Important
    • 0day
    • 2
    • rhel-sst-container-tools
    • 2
    • False
    • Red Hat Enterprise Linux
    • RUN 268, RUN 269
    • Unspecified
    • Unspecified
    • Unspecified
    • All

      Based on https://issues.redhat.com/browse/OCPBUGS-48555.  This is an important fix to get into RHEL 9.6 and 10.0 and later for OCP.

      From that Jira card's description:

      Description of problem:

          A container using the SELinux domain of container_logreader_t to watch container logs on the host at /var/log cannot access the logs from /var/log/containers since those logs are a symbolic link to /var/log/pods.  All other log files in /var/log are accessible just not ones that are symlinks.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          100%

      Steps to Reproduce:

          1. Create symlinks in /var/log
          2. Use container_logreader_t
          3. Attempt to follow symlinks to watch attributes on files

      Actual results:

          Permission denied

      Expected results:

          No permission issues

      Additional info:

       
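      The steps above, turned into a small diagnosis script (added here for illustration; it is not part of the issue, of OCP, or of container-selinux). It assumes a RHEL host with SELinux enforcing, root, `setools-console` (for `sesearch`) and `coreutils`/`policycoreutils` (for `runcon`), and the OCP layout the report describes, /var/log/containers -> /var/log/pods. The target type `var_log_t`, and the AVC record used by the built-in self-check, are assumptions: following a symlink is an `lnk_file:read` check on the link itself, separate from the `file` rules that already let the domain read the regular log files, which is why every other file in /var/log works while the symlinked path does not.

```shell
#!/bin/sh
# Reproduction and policy check for the container_logreader_t symlink denial.
# Added example, not code from RHEL-85434 or container-selinux. Assumptions:
# SELinux enforcing, root, sesearch and runcon installed, target type var_log_t.

LOGDIR=/var/log
DOMAIN=container_logreader_t
TARGET_TYPE=var_log_t   # assumed type of /var/log/containers on the host

# Step 1 of the report: create a symlink in /var/log (only if the OCP one is absent).
make_symlink() {
    mkdir -p "$LOGDIR/pods"
    [ -e "$LOGDIR/containers" ] || ln -s "$LOGDIR/pods" "$LOGDIR/containers"
}

# Steps 2 and 3: from the logreader domain, follow the symlink and read attributes.
# Returns non-zero when the "Permission denied" from the report happens.
# (inotifywait on the same path fails the same way; stat -L needs no extra package.)
try_follow() {
    runcon -t "$DOMAIN" stat -L "$LOGDIR/containers" >/dev/null
}

# Policy check that does not need to trigger the denial: is there an allow rule
# giving the domain lnk_file:read on the symlink's type? Returns 0 if present.
rule_present() {
    sesearch -A -s "$DOMAIN" -t "$TARGET_TYPE" -c lnk_file -p read | grep -q allow
}

# Reduce an AVC record on stdin to "tclass:perms" so a scripted check can tell a
# symlink denial (lnk_file:read) from a regular file denial (file:getattr, ...).
avc_summary() {
    sed -n 's/.*denied  { \(.*\) } for .*tclass=\([a-z_]*\).*/\2:\1/p'
}

# Constructed sample AVC line in the audit.log format; not taken from the report.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="stat" name="containers" dev="dm-0" ino=4321 scontext=system_u:system_r:container_logreader_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file permissive=0'

# Full run on a real host: ./check.sh run
reproduce() {
    make_symlink
    if rule_present; then
        echo "policy already allows $DOMAIN lnk_file:read on $TARGET_TYPE"
    else
        echo "no lnk_file:read rule for $DOMAIN on $TARGET_TYPE (bug present)"
    fi
    if try_follow; then
        echo "following $LOGDIR/containers works"
    else
        echo "following $LOGDIR/containers denied; last AVC:"
        ausearch -m AVC -ts recent 2>/dev/null | grep "$DOMAIN" | tail -n 1 | avc_summary
    fi
}

if [ "${1:-}" = run ]; then
    reproduce
fi
```

      Run it as root with `run` to exercise the host; without arguments it only defines the functions. `rule_present` is the useful part once the fixed container-selinux build is installed: it tells you whether the loaded policy carries the missing rule without having to set up a log-reading container first.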

              Container Runtime Eng Bot (container-runtime-eng)
              Tom Sweeney (tsweeney@redhat.com)
              Edward Shen
              Votes: 0
              Watchers: 7