Bug 1672891

Summary: Many many AVCs from rootless podman on a system with unconfined disabled
Product: [Fedora] Fedora
Reporter: Robin Powell <rlpowell>
Component: container-selinux
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: high
Version: 29
CC: amurdaca, dwalsh, fkluknav, jchaloup, lsm5, lvrabec, mgrepl, plautrba, rlpowell, zpytela
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: container-selinux-2.82-1.git5e1f62f.fc29 container-selinux-2.82-1.git5e1f62f.fc28 container-selinux-2.95-1.gite3ebc68.fc30 container-selinux-2.95-1.gite3ebc68.fc29
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-04-13 00:03:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Robin Powell 2019-02-06 06:52:16 UTC
On a system with unconfined disabled,

podman run --rm -it fedora:28 echo 'Hello world'

causes 76 lines of AVCs, which you can find at http://users.teddyb.org/~rlpowell//media/regular/podman_avcs_2019-02-05.txt

I kind of assume you haven't worked on selinux for rootless podman yet, except I know dwalsh is huge into podman (which, by the way, I *absolutely love*), so that seems odd.

Comment 1 Robin Powell 2019-02-06 06:54:25 UTC
Hmm.  Looking at what audit2allow comes up with, I wonder if it isn't so much "rootless podman doesn't work" as "rootless podman doesn't work as staff_t".

Comment 2 Daniel Walsh 2019-02-06 18:52:45 UTC
Makes sense.

Comment 3 Lukas Vrabec 2019-02-11 16:04:36 UTC
Could you please upload the SELinux denials somewhere else? I cannot access it. I'll do my best to fix it ASAP.

Comment 4 Daniel Walsh 2019-02-11 16:11:09 UTC
I have updated container-selinux to allow transitions from sysadm_t, staff_t and user_t to container runtimes domains.

container-selinux-2.82

Comment 5 Lukas Vrabec 2019-02-11 16:18:03 UTC
Moving to container-selinux component then. 

Thanks,
Lukas.

Comment 6 Fedora Update System 2019-02-17 18:30:36 UTC
container-selinux-2.82-1.git5e1f62f.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ce1a6c2ac9

Comment 7 Fedora Update System 2019-02-17 18:30:43 UTC
container-selinux-2.82-1.git5e1f62f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b75beee237

Comment 8 Fedora Update System 2019-02-18 02:38:03 UTC
container-selinux-2.82-1.git5e1f62f.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ce1a6c2ac9

Comment 9 Fedora Update System 2019-02-18 03:05:51 UTC
container-selinux-2.82-1.git5e1f62f.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b75beee237

Comment 10 Fedora Update System 2019-02-24 02:32:45 UTC
container-selinux-2.82-1.git5e1f62f.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2019-02-26 01:29:54 UTC
container-selinux-2.82-1.git5e1f62f.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Robin Powell 2019-04-04 16:35:56 UTC
I'm *really* sorry, I missed the comment that you couldn't see the link I gave.  :(

Here it is, fixed:  http://users.teddyb.org/~rlpowell//media/public/podman_avcs_2019-02-05.txt

And here's the one I generated just this morning, with updated everything, running the same command:

http://users.teddyb.org/~rlpowell//media/public/podman_avcs_2019-04-04.txt

on a host with unconfined disabled.

Let me know if you want me to open a new bug, instead.

Comment 13 Daniel Walsh 2019-04-04 16:41:15 UTC
optional_policy(`
	gen_require(`
		type sysadm_t, staff_t, user_t;
		role sysadm_r, staff_r, user_r;
	')

	container_runtime_run(sysadm_t, sysadm_r)
	role sysadm_r types container_t;
	role sysadm_r types spc_t;

	container_runtime_run(staff_t, staff_r)
	role staff_r types container_t;

	container_runtime_run(user_t, user_r)
	role user_r types container_t;
')
This policy should have caused a transition from staff_t to container_runtime_t when you execute podman.


Is podman labeled container_runtime_exec_t?

Comment 14 Lukas Vrabec 2019-04-05 17:37:37 UTC
Robin, 

Could you please test the suggestion from comment #13?


# cat local_podman_staff.te                                        
policy_module(local_podman_staff, 1.0)

optional_policy(`
	gen_require(`
		type sysadm_t, staff_t, user_t, container_t, spc_t;
		role sysadm_r, staff_r, user_r;
	')

	container_runtime_run(sysadm_t, sysadm_r)
	role sysadm_r types container_t;
	role sysadm_r types spc_t;

	container_runtime_run(staff_t, staff_r)
	role staff_r types container_t;

	container_runtime_run(user_t, user_r)
	role user_r types container_t;
')

# make -f /usr/share/selinux/devel/Makefile local_podman_staff.pp
# semodule -i local_podman_staff.pp

Thanks,
Lukas.
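A check for the two questions this thread leaves with the reporter (is podman labeled container_runtime_exec_t, and are the AVCs coming from podman still running as staff_t instead of container_runtime_t), written as an added example for this page; it is not code from container-selinux, podman or anyone in this thread. The AVC records embedded in it are constructed, not the reporter's. The --live mode assumes a Fedora host with stat, matchpathcon, ausearch and id -Z available (coreutils, libselinux-utils, audit).

```shell
#!/bin/sh
# Added diagnostic for the situation discussed above: podman started from a
# confined login shell (staff_t, user_t or sysadm_t) never transitioning to
# container_runtime_t. Illustration code written for this page, not part of
# container-selinux or podman. The records in SAMPLE_AVCS are constructed.

# Type field (third component) of the scontext= value in one AVC record.
avc_source_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# Value of comm="..." in one AVC record.
avc_comm() {
    printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p'
}

# True if a file context carries the exec type container-selinux assigns to
# podman (the question asked in comment 13).
is_runtime_exec_label() {
    [ "$(printf '%s\n' "$1" | cut -d: -f3)" = "container_runtime_exec_t" ]
}

# Read raw AVC records on stdin. A denial whose comm is podman but whose
# source type is still a login-user domain means the process never left that
# domain; audit2allow would turn every such denial into an allow rule for
# staff_t, which is the wrong fix. Flagged records go to stderr, count to stdout.
count_untransitioned() {
    n=0
    while IFS= read -r line; do
        case "$line" in *avc:*denied*) ;; *) continue ;; esac
        [ "$(avc_comm "$line")" = "podman" ] || continue
        case "$(avc_source_type "$line")" in
            sysadm_t|staff_t|user_t)
                echo "no domain transition: $line" >&2
                n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Constructed sample: two denials with podman still in staff_t, and one where
# podman did transition (a different policy gap, so it is not flagged).
SAMPLE_AVCS='type=AVC msg=audit(1549435200.101:311): avc:  denied  { mounton } for  pid=4242 comm="podman" path="/home/user/.local/share/containers" dev="dm-0" ino=12345 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549435200.102:312): avc:  denied  { setuid } for  pid=4242 comm="podman" capability=7 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1549435200.103:313): avc:  denied  { read } for  pid=4300 comm="podman" name="resolv.conf" dev="dm-0" ino=777 scontext=staff_u:staff_r:container_runtime_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0'

# Live check on an SELinux host: run as  sh podman_transition_check.sh --live
live_check() {
    bin=$(command -v podman) || { echo "podman not installed" >&2; return 1; }
    ondisk=$(stat -c %C "$bin")         # current on-disk file context
    expected=$(matchpathcon -n "$bin")  # context the loaded policy specifies
    echo "podman binary : $bin"
    echo "on-disk label : $ondisk"
    echo "policy label  : $expected"
    is_runtime_exec_label "$ondisk" || echo "label is wrong; try: restorecon -v $bin"
    echo "shell context : $(id -Z)"
    ausearch -m AVC -c podman --raw 2>/dev/null | count_untransitioned
}

case "${1:-}" in
    --live) live_check ;;
    *) printf '%s\n' "$SAMPLE_AVCS" | count_untransitioned ;;
esac
```

Without --live the script runs over the constructed records and reports 2. If the label is correct but podman still shows up running as staff_t, the missing piece is the role and type_transition that the module in comment 14 adds; on a host with setools, `sesearch -T -s staff_t -t container_runtime_exec_t -c process` shows whether the loaded policy contains that transition at all.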

Comment 15 Fedora Update System 2019-04-05 21:08:51 UTC
container-selinux-2.95-1.gite3ebc68.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e36ddd5a5

Comment 16 Fedora Update System 2019-04-05 21:09:06 UTC
container-selinux-2.95-1.gite3ebc68.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-00c60ff381

Comment 17 Fedora Update System 2019-04-06 18:38:25 UTC
container-selinux-2.95-1.gite3ebc68.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-00c60ff381

Comment 18 Fedora Update System 2019-04-06 20:51:25 UTC
container-selinux-2.95-1.gite3ebc68.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e36ddd5a5

Comment 19 Fedora Update System 2019-04-13 00:03:51 UTC
container-selinux-2.95-1.gite3ebc68.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2019-04-16 04:03:51 UTC
container-selinux-2.95-1.gite3ebc68.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.