Bug 1671027
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Building of ipa-server image with Podman on Fedora 29 via Beaker task produces AVC denial | | |
| Product | Fedora | Reporter | Oleg Kozlov <okozlov> |
| Component | podman | Assignee | Lokesh Mandvekar <lsm5> |
| Status | CLOSED WORKSFORME | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 29 | CC | amurdaca, bbaude, dwalsh, fkluknav, jchaloup, lsm5, mheon, tdudlak |
| Target Milestone | --- | Keywords | Regression, Reopened |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | podman-1.1.2-1.git0ad9b6b.fc29, podman-1.1.2-1.git0ad9b6b.fc28 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-08-14 10:34:12 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Oleg Kozlov
2019-01-30 15:30:57 UTC
This looks like a container is attempting to communicate back with the parent, which we are blocking. We do not want to allow containers to connect back to container_runtime_t.

podman-1.1.0-1.git006206a.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

podman-1.1.0-1.git006206a.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

podman-1.1.0-1.git006206a.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

podman-1.1.0-1.git006206a.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

podman-1.1.2-1.git0ad9b6b.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

podman-1.1.2-1.git0ad9b6b.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

I still have issues while building a container on Fedora 29 with selinux-policy-3.14.2-51.fc29.noarch, but now without the denied open for target container_runtime_t.

```
# ausearch -m avc
----
time->Mon Jun 17 10:39:31 2019
type=AVC msg=audit(1560782371.949:532): avc:  denied  { add_name } for  pid=17893 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c111,c308 tcontext=system_u:system_r:container_t:s0:c111,c308 tclass=dir permissive=1
----
time->Mon Jun 17 10:39:31 2019
type=AVC msg=audit(1560782371.951:533): avc:  denied  { associate } for  pid=17893 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c111,c308 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Mon Jun 17 10:39:35 2019
type=AVC msg=audit(1560782375.796:534): avc:  denied  { add_name } for  pid=17998 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c51,c174 tcontext=system_u:system_r:container_t:s0:c51,c174 tclass=dir permissive=1
----
time->Mon Jun 17 10:39:35 2019
type=AVC msg=audit(1560782375.799:535): avc:  denied  { associate } for  pid=17998 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c51,c174 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
```

An update for comment https://bugzilla.redhat.com/show_bug.cgi?id=1671027#c13, package version: container-selinux-2.101-1.gitb0061dc.fc29.noarch

I cannot get this to recreate. Could you see if you could get a simpler Dockerfile to get this to happen?

```
FROM fedora
RUN cat /etc/passwd | tee /etc/stderr | grep root
ENTRYPOINT /usr/bin/sh
```

This works for me on Fedora.
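As an added example that is not part of this bug thread or of podman/container-selinux, the script below parses `type=AVC` records like the ones pasted above and triages them the way the maintainer's comment suggests: it separates denials that were only logged (`permissive=1`, the build continued) from enforced ones, and flags the `container_t` to `container_runtime_t` pattern that the policy blocks on purpose so it is not fed blindly into `audit2allow`. The first two sample records are copied from the report; the third (`connectto` on a unix socket, pid 4242, `/run/example.sock`) is constructed here to exercise the container-to-runtime check and does not come from the bug.

```python
import re
from dataclasses import dataclass

# Sample audit lines. Records 1 and 2 are from the bug report above; record 3
# is a CONSTRUCTED example of a container reaching back to its runtime.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1560782371.949:532): avc:  denied  { add_name } for  pid=17893 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c111,c308 tcontext=system_u:system_r:container_t:s0:c111,c308 tclass=dir permissive=1
type=AVC msg=audit(1560782371.951:533): avc:  denied  { associate } for  pid=17893 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c111,c308 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1500000000.000:999): avc:  denied  { connectto } for  pid=4242 comm="sh" path="/run/example.sock" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
"""

# Fields that every AVC record carries; permissive= is optional on older kernels.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


@dataclass
class Avc:
    verdict: str
    perms: tuple          # e.g. ("add_name",) or ("read", "write")
    stype: str            # SELinux type of the source context
    ttype: str            # SELinux type of the target context
    tclass: str           # object class, e.g. dir, filesystem, unix_stream_socket
    permissive: bool      # True: logged only, access was still granted
    comm: str


def context_type(ctx: str) -> str:
    """user:role:type:range -> type (third field)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line: str):
    """Return an Avc for a type=AVC line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    return Avc(
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        stype=context_type(m.group("scontext")),
        ttype=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
        permissive=m.group("permissive") == "1",
        comm=comm.group(1) if comm else "",
    )


def triage(avc: Avc) -> list:
    """Tags a reviewer would want before deciding whether a denial is a policy bug."""
    tags = []
    tags.append("logged-only" if avc.permissive else "enforced")
    if avc.stype == "container_t" and avc.ttype == "container_runtime_t":
        # Intentionally blocked per the maintainer comment: never allow via audit2allow.
        tags.append("container-to-runtime")
    if avc.tclass == "filesystem" and "associate" in avc.perms and avc.ttype == "proc_t":
        # A container_t-labelled object being created on a proc filesystem.
        tags.append("proc-associate")
    if avc.tclass == "dir" and "add_name" in avc.perms and avc.stype == avc.ttype:
        tags.append("self-labelled-dir-write")
    return tags


def summarize(audit_text: str) -> list:
    """(Avc, tags) for every AVC record in the text; non-AVC lines are skipped."""
    rows = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            rows.append((avc, triage(avc)))
    return rows


if __name__ == "__main__":
    for avc, tags in summarize(SAMPLE_AUDIT):
        print(f"{avc.comm:>4} {avc.stype} -> {avc.ttype} {avc.tclass} "
              f"{' '.join(avc.perms)}: {', '.join(tags)}")
```

Run it against real data with `ausearch -m avc --raw | python3 triage_avc.py` after swapping `SAMPLE_AUDIT` for `sys.stdin.read()`; records tagged `logged-only` explain why a build can "fail" in the audit log yet still produce an image, while anything tagged `container-to-runtime` is the case the maintainer describes as deliberately denied.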