Bug 1674518

Summary: Cannot run rootless podman commands
Product: Red Hat Enterprise Linux 8 Reporter: Suhaas Bhat <subhat>
Component: podmanAssignee: Giuseppe Scrivano <gscrivan>
Status: CLOSED CURRENTRELEASE QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.1CC: dwalsh, fkluknav, jligon, lsm5, mheon, subhat
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-13 10:59:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Suhaas Bhat 2019-02-11 14:27:06 UTC 
Description of problem:
Not able to create rootless containers due to not able to create /run/0/<id>

Version-Release number of selected component (if applicable):
podman-1.0.0-1.git82e8011.module+el8+2696+e59f0461.x86_64

XDG_RUNTIME_DIR=/run/user/0 is set. Even after removing it we cannot run podman commands

Error : error creating libpod runtime: mkdir /run/user/0/overlay-layers: permission denied

Logs :
-------------------
podman --log-level debug ps
INFO[0000] running as rootless                          
DEBU[0000] Initializing boltdb state at /home/harry/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/harry/.local/share/containers/storage 
DEBU[0000] Using run root /run/user/0                   
DEBU[0000] Using static dir /home/harry/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/0/libpod/tmp         
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false 
ERRO[0000] error creating libpod runtime: mkdir /run/user/0/overlay-layers: permission denied 
-------------------

[root@vm252 ~]# cat /etc/subuid
harry:100000:65536
[root@vm252 ~]# cat /etc/subgid
harry:100000:65536
Comment 1 Giuseppe Scrivano 2019-02-11 20:06:26 UTC 
how is XDG_RUNTIME_DIR=/run/user/0 writeable by your user?

XDG_RUNTIME_DIR should be /run/user/$UID and the directory must be owned by your user.  Can you please check it?
Comment 2 Suhaas Bhat 2019-02-12 09:50:45 UTC 
#ll /run/user/
total 0
drwx------. 4 root root 100 Feb  4 16:11 0

Do we need to manually change it if we want to make rootless containers with podman ?

/run/user/$UID is not created automatically here.
Comment 3 Giuseppe Scrivano 2019-02-12 10:44:29 UTC 
it is created on login by PAM.  If it doesn't exist, then we have a fallback to temporary directory, and finally to the user directory.  If you force XDG_RUNTIME_DIR to a directory that is not writeable then it fails.

Could you try without setting XDG_RUNTIME_DIR and with a fresh storage (rm -rf ~/.local/share/containers ~/.config/containers) ?
Comment 4 Suhaas Bhat 2019-02-12 13:21:07 UTC 
I tried it after resetting the storage(/var/lib/containers/storage) and unset the env but it is still giving the same error.

  RunRoot: /var/run/containers/storage

I think these 2 files are responsible for setting up the user-namespace :
 # getcap /usr/bin/newuidmap
<no-result>
 
 #getcap /usr/bin/newgidmap
<no-result>

As there is no mapping ~/.local/share/containers/storage is not created.
Comment 5 Giuseppe Scrivano 2019-02-12 15:01:52 UTC 
on RHEL8 they should be installed as setuid binaries.

You need to reset the user storage (sudo rm -rf ~/.local/share/containers ~/.config/containers), not the system storage that is used only when running as root.
Comment 6 Suhaas Bhat 2019-02-12 16:16:24 UTC 
Now I can successfully run all the podman commands but cannot get into a shell. Getting AVC denials :


Feb 12 21:42:59 vm252 setroubleshoot[9420]: SELinux is preventing bash from map access on the file /usr/bin/bash. For complete SELinux messages run: sealert -l edcdfb68-705b-47b9-9eca-fb4c693b43a0
Feb 12 21:42:59 vm252 platform-python[9420]: SELinux is preventing bash from map access on the file /usr/bin/bash.#012#012*****  Plugin restorecon (85.9 confidence) suggests   ************************#012#012If you want to fix the label. #012/usr/bin/bash default label should be shell_exec_t.#012Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.#012Do#012# /sbin/restorecon -v /usr/bin/bash#012#012*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************#012#012If you want to allow domain to can mmap files#012Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.#012#012Do#012setsebool -P domain_can_mmap_files 1#012#012*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************#012#012If you want to allow virt to sandbox use fusefs#012Then you must tell SELinux about this by enabling the 'virt_sandbox_use_fusefs' boolean.#012#012Do#012setsebool -P virt_sandbox_use_fusefs 1#012#012*****  Plugin catchall (1.35 confidence) suggests   **************************#012#012If you believe that bash should be allowed map access on the bash file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'bash' --raw | audit2allow -M my-bash#012# semodule -X 300 -i my-bash.pp#012

SELinux is preventing sh from map access on the file /usr/bin/bash.

*****  Plugin restorecon (85.9 confidence) suggests   ************************

If you want to fix the label. 
/usr/bin/bash default label should be shell_exec_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/bin/bash

*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************

If you want to allow virt to sandbox use fusefs
Then you must tell SELinux about this by enabling the 'virt_sandbox_use_fusefs' boolean.

Do
setsebool -P virt_sandbox_use_fusefs 1

*****  Plugin catchall (1.35 confidence) suggests   **************************

If you believe that sh should be allowed map access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c277,c920
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          vm252.gsslab.pnq.redhat.com
Source RPM Packages           
Target RPM Packages           bash-4.4.19-6.el8.x86_64
Policy RPM                    selinux-policy-3.14.1-46.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vm252.gsslab.pnq.redhat.com
Platform                      Linux vm252.gsslab.pnq.redhat.com
                              4.18.0-32.el8.x86_64 #1 SMP Sat Oct 27 19:26:37
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2019-02-12 21:43:49 IST
Last Seen                     2019-02-12 21:43:49 IST
Local ID                      d391b649-30b8-4c30-a3c3-19ec4f318c8e

Raw Audit Messages
type=AVC msg=audit(1549988029.752:99780): avc:  denied  { map } for  pid=9460 comm="sh" path="/usr/bin/bash" dev="fuse" ino=34856096 scontext=system_u:system_r:container_t:s0:c277,c920 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0


Hash: sh,container_t,fusefs_t,file,map
Comment 7 Daniel Walsh 2019-02-13 05:13:33 UTC 
setsebool -P virt_sandbox_use_fusefs 1

Should fix the issue. It looks like container-selinux on RHEL8 is a little out of date.

rpm -q container-selinux
Comment 8 Suhaas Bhat 2019-02-13 10:45:33 UTC 
Thanks Dan,

With container-selinux-2.75-1.git99e2cfd.module+el8+2650+e6b3d617.noarch it is working smoothly now.