Bug 1638847

Summary: Privileged containers running as container_t instead of spc_t
Product: Fedora
Reporter: Jonathan Lebon <jlebon>
Component: podman
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: awilliam, dustymabe, gmarr, lsm5
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedFreezeException
Fixed In Version: podman-0.10.1-1.gite4a1553.fc29
Doc Type: If docs needed, set a value
Last Closed: 2018-10-16 13:42:57 UTC
Type: Bug
Bug Blocks: 1517014

Description Jonathan Lebon 2018-10-12 15:16:06 UTC
Description of problem:

[root@jlebon-tmp ~]# podman run --rm --privileged --userns=host alpine cat /proc/self/attr/current
system_u:system_r:container_t:s0:c189,c295

Version-Release number of selected component (if applicable):

[root@jlebon-tmp ~]# rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora-atomic:fedora/29/x86_64/atomic-host
                   Version: 29.20181011.n.0 (2018-10-11 11:37:46)
                    Commit: 5fbe7c478b5b0d3a33b0933592b62e24860a99fe64fef376d80dafa9088fb93e
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
[root@jlebon-tmp ~]# rpm -q podman
podman-0.9.3.1-1.git1cd906d.fc29.x86_64

How reproducible:

Always

Steps to Reproduce:
1. podman run --rm --privileged --userns=host alpine cat /proc/self/attr/current

Actual results:

container_t

Expected results:

spc_t

Additional info:

Reported upstream as https://github.com/containers/libpod/issues/1575.
Fixed upstream in https://github.com/containers/libpod/pull/1576.

The end result of this bug is that privileged containers do not have the access expected, which is a major hindrance on platforms where the privileged pet container pattern is common, like FAH and Silverblue:

[root@jlebon-tmp ~]# podman run --rm -ti --privileged -v $HOME:$HOME --workdir $HOME --userns=host alpine /bin/sh
~ # touch foo
touch: foo: Permission denied
~ # [root@jlebon-tmp ~]# ausearch -m avc -ts recent
----
time->Fri Oct 12 15:14:38 2018
type=PROCTITLE msg=audit(1539357278.583:308): proctitle="/bin/sh"
type=SYSCALL msg=audit(1539357278.583:308): arch=c000003e syscall=2 success=no exit=-13 a0=7f54e4591ba9 a1=441 a2=180 a3=0 items=0 ppid=2209 pid=2221 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c319,c675 key=(null)
type=AVC msg=audit(1539357278.583:308): avc:  denied  { write } for  pid=2221 comm="sh" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:container_t:s0:c319,c675 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
----
time->Fri Oct 12 15:14:38 2018
type=PROCTITLE msg=audit(1539357278.585:309): proctitle=746F75636800666F6F
type=SYSCALL msg=audit(1539357278.585:309): arch=c000003e syscall=2 success=no exit=-13 a0=7ffcc8641f58 a1=42 a2=1b6 a3=0 items=0 ppid=2221 pid=2233 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="touch" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c319,c675 key=(null)
type=AVC msg=audit(1539357278.585:309): avc:  denied  { write } for  pid=2233 comm="touch" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:container_t:s0:c319,c675 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
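The denials above can be triaged mechanically. The following Python is an added example, not code from this bug report or from podman: it parses `type=AVC` records in the shape `ausearch -m avc` prints (the sample log is constructed after the two records quoted above, plus one unrelated httpd_t record so the filter has something to skip), flags denials whose source domain is container_t, and checks a `/proc/self/attr/current` label against the spc_t domain a `--privileged` container should receive.

```python
import re

# Constructed sample in the shape `ausearch -m avc` prints, modelled on the
# records in this bug: a --privileged container labelled container_t instead
# of spc_t is denied writes to $HOME (admin_home_t); the httpd_t record is
# an unrelated, constructed denial included to show it is skipped.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1539357278.583:308): avc:  denied  { write } for  pid=2221 comm="sh" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:container_t:s0:c319,c675 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1539357278.585:309): avc:  denied  { write } for  pid=2233 comm="touch" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:container_t:s0:c319,c675 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1539357400.001:310): avc:  denied  { read } for  pid=2400 comm="httpd" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def label_is_expected(current_label, expected="spc_t"):
    """True if /proc/self/attr/current shows the domain --privileged should get."""
    return selinux_type(current_label) == expected

def parse_avc(line):
    """Parse one type=AVC record into a dict; None if the line is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "result": m["result"], "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    return rec

def container_denials(log_text, container_domain="container_t"):
    """Denials sourced from the confined container domain (mislabel symptom)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if selinux_type(rec.get("scontext", "")) != container_domain:
            continue
        findings.append({"pid": int(rec["pid"]), "comm": rec["comm"],
                         "perms": rec["perms"], "tclass": rec["tclass"],
                         "ttype": selinux_type(rec["tcontext"])})
    return findings
```

On a host where only `--privileged` containers are expected, any finding from `container_denials` points at a container that did not get spc_t; on a mixed host, correlate the reported pids with the containers that were launched privileged before drawing that conclusion.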

Comment 1 Fedora Update System 2018-10-12 15:23:18 UTC
podman-0.10.1-1.gite4a1553.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ac8f4cb9f0

Comment 2 Fedora Blocker Bugs Application 2018-10-12 17:23:37 UTC
Proposed as a Freeze Exception for 29-final by Fedora user dustymabe using the blocker tracking app because:

 We'd like to have containers run by podman be executed in the right SELinux context.

Comment 3 Fedora Update System 2018-10-12 18:26:23 UTC
podman-0.10.1-1.gite4a1553.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ac8f4cb9f0

Comment 4 Adam Williamson 2018-10-12 19:56:53 UTC
Is there a particular reason this needs to be in the compose, and wouldn't be OK as a zero-day update?

Comment 5 Adam Williamson 2018-10-12 19:57:52 UTC
Well, I guess we don't exactly have zero-day updates for ostree-based systems, so I guess that's an argument...

Comment 6 Dusty Mabe 2018-10-12 21:07:36 UTC
yeah that's the main reason

Comment 7 Geoffrey Marr 2018-10-15 19:25:07 UTC
Discussed during the 2018-10-15 blocker review meeting: [1]

The decision to classify this bug as an "AcceptedFreezeException" was made to make sure ostree-based installs work correctly on day one.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-10-15/f29-blocker-review.2018-10-15-16.00.txt

Comment 8 Dusty Mabe 2018-10-15 19:30:52 UTC
Thanks!!

Comment 9 Fedora Update System 2018-10-16 13:42:57 UTC
podman-0.10.1-1.gite4a1553.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.