Bug 1671027

Summary: Building of ipa-server image with Podman on Fedora 29 via Beaker task produces AVC denial
Product: Fedora
Reporter: Oleg Kozlov <okozlov>
Component: podman
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: amurdaca, bbaude, dwalsh, fkluknav, jchaloup, lsm5, mheon, tdudlak
Target Milestone: ---
Keywords: Regression, Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: podman-1.1.2-1.git0ad9b6b.fc29 podman-1.1.2-1.git0ad9b6b.fc28
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-08-14 10:34:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Oleg Kozlov 2019-01-30 15:30:57 UTC
Description of problem:
Beaker task fails at ipa-server image building with Podman (podman build) on Fedora 29 if SELinux is in enforcing mode (AVCs listed below); the same task works fine with Docker. If SELinux is in permissive mode (setenforce 0), image building works with Podman.

Version-Release number of selected component (if applicable):
```
$ rpm -q podman
podman-1.0.0-1.git82e8011.fc29.x86_64
$ rpm -q container-selinux
container-selinux-2.80-1.git1b655d9.fc29.noarch
$ rpm -qa | grep selinux-policy
selinux-policy-targeted-3.14.2-47.fc29.noarch
selinux-policy-3.14.2-47.fc29.noarch
```

How reproducible:
Run beaker job for building ipa-server image with Podman on Fedora 29.

Steps to Reproduce:
1. Set up a job to use Fedora 29 as the host system, Podman and Dockerfile.fedora-29
2. Run job

Actual results:
Building fails with "tee: /dev/stderr: Permission denied", see full error message below

Expected results:
Image building works on Fedora 29 with Podman

Additional info:

Full error message:
```
STEP 40: RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-rhel-8.patch | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall
tee: /dev/stderr: Permission denied
Compiling '/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py'...
Compiling '/usr/lib/python3.6/site-packages/ipapython/kernel_keyring.py'...
error building at step {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=oci] Command:run Args:[set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-rhel-8.patch | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall] Flags:[] Attrs:map[] Message:RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-rhel-8.patch | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall Original:RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-rhel-8.patch | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall}: error while running runtime: exit status 1
:: [ 06:16:30 ] :: [   FAIL   ] :: Command 'podman build --tls-verify=false -t freeipa-server:rhel-8-rhel-8 -f freeipa-server-rhel-8-rhel-8/Dockerfile.rhel-8 freeipa-server-rhel-8-rhel-8' (Expected 0, got 125)
```

AVC denials:
```
----
time->Wed Jan 30 08:42:43 2019
type=AVC msg=audit(1548855763.160:243): avc:  denied  { add_name } for  pid=2576 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c210,c943 tcontext=system_u:system_r:container_t:s0:c210,c943 tclass=dir permissive=1
----
time->Wed Jan 30 08:42:43 2019
type=AVC msg=audit(1548855763.160:244): avc:  denied  { associate } for  pid=2576 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c210,c943 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Wed Jan 30 08:42:43 2019
type=AVC msg=audit(1548855763.160:245): avc:  denied  { open } for  pid=2576 comm="tee" path="pipe:[140202]" dev="pipefs" ino=140202 scontext=system_u:system_r:container_t:s0:c210,c943 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
----
time->Wed Jan 30 08:42:46 2019
type=AVC msg=audit(1548855766.549:246): avc:  denied  { add_name } for  pid=2814 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c737,c977 tcontext=system_u:system_r:container_t:s0:c737,c977 tclass=dir permissive=1
----
time->Wed Jan 30 08:42:46 2019
type=AVC msg=audit(1548855766.549:247): avc:  denied  { associate } for  pid=2814 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c737,c977 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Wed Jan 30 08:42:46 2019
type=AVC msg=audit(1548855766.549:248): avc:  denied  { open } for  pid=2814 comm="tee" path="pipe:[145431]" dev="pipefs" ino=145431 scontext=system_u:system_r:container_t:s0:c737,c977 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
```

I was not able to reproduce this issue with `podman build` and `podman run` in a clean virtual machine with Fedora 29 (without the Beaker task), but this issue happens every time with Beaker when Podman is used; at the same time, Beaker tasks work fine with Docker.

Comment 2 Daniel Walsh 2019-01-30 15:55:43 UTC
This looks like a container is attempting to communicate back with the parent, which we are blocking.  We do not want to allow containers to connect back to container_runtime_t.
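The diagnostic in comment 2, as an added example that is not code from the bug report: a small Python triage script that parses the `ausearch -m avc` records quoted in the description and separates the in-container denials (container_t against container_t or proc_t) from the one that crosses into container_runtime_t, which is the access the container policy blocks on purpose. The regex and helper names are this example's own.

```python
# Added example, not code from the bug report: parse `ausearch -m avc` records
# and flag the denial singled out in comment 2, a container_t process opening
# a fifo labelled container_runtime_t (the build container writing back to the
# host runtime's pipe). The regex and helper names are this example's own.
import re

# Audit records quoted verbatim from the description above (pid 2576).
SAMPLE_AVC = """\
type=AVC msg=audit(1548855763.160:243): avc:  denied  { add_name } for  pid=2576 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c210,c943 tcontext=system_u:system_r:container_t:s0:c210,c943 tclass=dir permissive=1
type=AVC msg=audit(1548855763.160:244): avc:  denied  { associate } for  pid=2576 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c210,c943 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1548855763.160:245): avc:  denied  { open } for  pid=2576 comm="tee" path="pipe:[140202]" dev="pipefs" ino=140202 scontext=system_u:system_r:container_t:s0:c210,c943 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

def _type_of(ctx):
    # A context is user:role:type[:level]; policy rules key on the type.
    return ctx.split(":")[2]

def parse_avc(line):
    """Return a dict for one denied AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": tuple(m["perms"].split()),
        "comm": m["comm"],
        "stype": _type_of(m["scontext"]),
        "ttype": _type_of(m["tcontext"]),
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",
    }

def crosses_to_runtime(avc):
    """The access container policy blocks on purpose: container_t acting on
    an object owned by the runtime (container_runtime_t)."""
    return avc["stype"] == "container_t" and avc["ttype"] == "container_runtime_t"

def triage(text):
    """Parse every line of ausearch output; return (all denials, runtime crossings)."""
    avcs = [a for a in map(parse_avc, text.splitlines()) if a]
    return avcs, [a for a in avcs if crosses_to_runtime(a)]
```

Run `triage()` over the full `ausearch -m avc` output from the build host; the records in comment 13 contain no crossing into container_runtime_t, matching what that comment reports.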

Comment 3 Fedora Update System 2019-02-27 13:30:17 UTC
podman-1.1.0-1.git006206a.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

Comment 4 Fedora Update System 2019-02-27 13:30:30 UTC
podman-1.1.0-1.git006206a.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

Comment 5 Fedora Update System 2019-02-28 18:55:38 UTC
podman-1.1.0-1.git006206a.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

Comment 6 Fedora Update System 2019-02-28 21:26:28 UTC
podman-1.1.0-1.git006206a.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

Comment 7 Fedora Update System 2019-03-05 19:11:08 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

Comment 8 Fedora Update System 2019-03-05 19:11:21 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

Comment 9 Fedora Update System 2019-03-06 15:12:57 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

Comment 10 Fedora Update System 2019-03-06 15:57:12 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

Comment 11 Fedora Update System 2019-03-10 18:23:28 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2019-03-15 03:35:14 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Tibor Dudlák 2019-06-17 15:23:42 UTC
I still have issues while building a container on Fedora 29 with selinux-policy-3.14.2-51.fc29.noarch, but now without the denied open for target container_runtime_t.

```
# ausearch -m avc
----
time->Mon Jun 17 10:39:31 2019
type=AVC msg=audit(1560782371.949:532): avc:  denied  { add_name } for  pid=17893 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c111,c308 tcontext=system_u:system_r:container_t:s0:c111,c308 tclass=dir permissive=1
----
time->Mon Jun 17 10:39:31 2019
type=AVC msg=audit(1560782371.951:533): avc:  denied  { associate } for  pid=17893 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c111,c308 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Mon Jun 17 10:39:35 2019
type=AVC msg=audit(1560782375.796:534): avc:  denied  { add_name } for  pid=17998 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c51,c174 tcontext=system_u:system_r:container_t:s0:c51,c174 tclass=dir permissive=1
----
time->Mon Jun 17 10:39:35 2019
type=AVC msg=audit(1560782375.799:535): avc:  denied  { associate } for  pid=17998 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c51,c174 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
```

Comment 14 Tibor Dudlák 2019-06-17 16:16:45 UTC
An update for comment https://bugzilla.redhat.com/show_bug.cgi?id=1671027#c13: package version container-selinux-2.101-1.gitb0061dc.fc29.noarch.

Comment 15 Daniel Walsh 2019-06-17 16:58:04 UTC
I cannot get this to recreate. Could you see if you could get a simpler Dockerfile to get this to happen?

```dockerfile
FROM fedora
# Exercise the same pattern as the failing build step: a pipeline that tees to /dev/stderr.
RUN cat /etc/passwd | tee /dev/stderr | grep root
ENTRYPOINT /usr/bin/sh
```

This works for me on Fedora.