- Bug
- Resolution: Unresolved
- Major
- rhel-10.0
- container-selinux-2.237.0-1.el10
- No
- Moderate
- 6
- rhel-container-tools
- 3
- False
- False
- None
- RUN 270, RUN 271, RUN 272, RUN 273, RUN 274, RUN 275
- Pass
- Manual
- Unspecified
- Unspecified
- Unspecified
- None
What were you trying to do that didn't work?
I am following the steps from https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/using_image_mode_for_rhel_to_build_deploy_and_manage_operating_systems/creating-bootc-compatible-base-disk-images-with-bootc-image-builder#creating-qcow2-images-by-using-bootc-image-builder and getting an AVC.
What is the impact of this issue to you?
AVC seems to be harmless.
Please provide the package NVR for which the bug is seen:
container-selinux-2.235.0-1.el10_0.noarch
selinux-policy-40.13.26-1.el10.noarch
How reproducible is this bug?:
100%
Steps to reproduce
# cat 01-fips.toml
kargs = ["fips=1"]

# cat Containerfile
FROM images.paas.redhat.com/testingfarm/rhel-bootc:10.0
COPY 01-fips.toml /usr/lib/bootc/kargs.d/
RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS

# cat config.toml
[[customizations.user]]
name = "testuser"
password = "fo0m4nchU"

# podman build -t test-image .
# podman run --rm -it --privileged --pull=newer --security-opt label=type:unconfined_t -v $(pwd)/config.toml:/config.toml:ro -v $(pwd):/output -v /var/lib/containers/storage:/var/lib/containers/storage quay.io/centos-bootc/bootc-image-builder:latest --local --type qcow2 localhost/test-image
# ausearch -ts recent -m AVC
Expected results
No AVC.
Actual results
----
time->Tue Apr 1 10:14:04 2025
type=PROCTITLE msg=audit(1743516844.372:756): proctitle=706F646D616E002D2D726F6F74002F72756E2F626F6F74632F73746F72616765002D2D72756E726F6F74002F70726F632F73656C662F66642F3300696D61676573
type=PATH msg=audit(1743516844.372:756): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=46636586 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1743516844.372:756): cwd="/"
type=EXECVE msg=audit(1743516844.372:756): argc=6 a0="podman" a1="--root" a2="/run/bootc/storage" a3="--runroot" a4="/proc/self/fd/3" a5="images"
type=SYSCALL msg=audit(1743516844.372:756): arch=c000003e syscall=59 success=yes exit=0 a0=7fffb6d4ed80 a1=55772f8f0f00 a2=55772f78fc50 a3=1000 items=1 ppid=10251 pid=10264 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="podman" exe="/usr/bin/podman" subj=system_u:system_r:install_t:s0:c440,c982 key=(null)
type=SELINUX_ERR msg=audit(1743516844.372:756): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c440,c982 newcontext=system_u:system_r:container_runtime_t:s0:c440,c982
type=AVC msg=audit(1743516844.372:756): avc: denied { nnp_transition nosuid_transition } for pid=10264 comm="bootc" scontext=system_u:system_r:install_t:s0:c440,c982 tcontext=system_u:system_r:container_runtime_t:s0:c440,c982 tclass=process2 permissive=0
Additional Information
# ausearch -ts boot -m AVC | audit2allow

#============= install_t ==============
allow install_t container_runtime_t:process2 { nnp_transition nosuid_transition };
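The AVC above can be triaged mechanically. The following is an added example, not part of this report or of the container-selinux package: it parses an AVC record of the form printed by ausearch (a constructed copy of the two records from the report is embedded), pulls out the source and target types and the process2 permissions, flags the nnp_transition/nosuid_transition case, and renders the same allow rule that audit2allow printed.

```python
import re
from typing import Optional

# Constructed sample: the SELINUX_ERR and AVC records from the report above,
# each on one line as ausearch prints them.
SAMPLE_RECORDS = [
    'type=SELINUX_ERR msg=audit(1743516844.372:756): op=security_bounded_transition '
    'seresult=denied oldcontext=system_u:system_r:install_t:s0:c440,c982 '
    'newcontext=system_u:system_r:container_runtime_t:s0:c440,c982',
    'type=AVC msg=audit(1743516844.372:756): avc: denied { nnp_transition nosuid_transition } '
    'for pid=10264 comm="bootc" scontext=system_u:system_r:install_t:s0:c440,c982 '
    'tcontext=system_u:system_r:container_runtime_t:s0:c440,c982 tclass=process2 permissive=0',
]

AVC_RE = re.compile(
    r'type=AVC .*?avc: (?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+).*?permissive=(?P<permissive>[01])'
)


def parse_avc(record: str) -> Optional[dict]:
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(record)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # user:role:type:level -- the type (index 2) is what an allow rule names
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    d["permissive"] = d["permissive"] == "1"
    return d


def is_bounded_transition_denial(avc: dict) -> bool:
    """True for the process2 case in this report: nnp_transition is needed when the
    caller runs with no_new_privs, nosuid_transition when the binary is on a nosuid
    mount; without them the kernel only allows a bounded transition (the
    security_bounded_transition check in the SELINUX_ERR record)."""
    wanted = {"nnp_transition", "nosuid_transition"}
    return avc["tclass"] == "process2" and bool(wanted & set(avc["perms"]))


def allow_rule(avc: dict) -> str:
    """Render the minimal allow rule for this denial, in audit2allow's format."""
    perms = " ".join(avc["perms"])
    return f'allow {avc["stype"]} {avc["ttype"]}:{avc["tclass"]} {{ {perms} }};'


def triage(records) -> list:
    """Parse every AVC in a list of records and keep only the transition denials."""
    parsed = [parse_avc(r) for r in records]
    return [a for a in parsed if a and is_bounded_transition_denial(a)]
```

Feed it the output of `ausearch -m AVC` split into lines; records that are not AVCs (PROCTITLE, PATH, SELINUX_ERR) are skipped.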
- links to: RHBA-2025:147172 container-selinux bug fix and enhancement update