Bug 1680475

Summary: podman AVCs on a host with unconfined disabled
Product: Fedora
Component: podman
Version: 29
Status: CLOSED ERRATA
Reporter: Robin Powell <rlpowell>
Assignee: Lokesh Mandvekar <lsm5>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bbaude, dwalsh, fkluknav, lsm5, lvrabec, mgrepl, mheon, plautrba, zpytela
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: podman-1.1.2-1.git0ad9b6b.fc29 podman-1.1.2-1.git0ad9b6b.fc28
Doc Type: If docs needed, set a value
Last Closed: 2019-03-10 18:23:26 UTC
Type: Bug

Description Robin Powell 2019-02-25 07:05:20 UTC
This is from running commands as root in a podman run as root:

$ ping [anything]

or anything else that tries to do DNS, gives:

type=AVC msg=audit(1551078174.053:1832041): avc:  denied  { read } for  pid=31114 comm="ping" name="resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551078174.053:1832041): avc:  denied  { open } for  pid=31114 comm="ping" path="/etc/resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551078174.053:1832042): avc:  denied  { getattr } for  pid=31114 comm="ping" path="/etc/resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1
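As an added illustration (not part of the bug report or of podman), a small Python checker that parses the AVC records quoted above and flags denials where a container_t process hits a file whose SELinux type or MCS categories do not match the container's own; the expectation that a mounted file should be container_file_t with the container's categories is an assumption of this example, not something the report states.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Sample input: the three AVC records quoted in this report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1551078174.053:1832041): avc:  denied  { read } for  pid=31114 comm="ping" name="resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1551078174.053:1832041): avc:  denied  { open } for  pid=31114 comm="ping" path="/etc/resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1551078174.053:1832042): avc:  denied  { getattr } for  pid=31114 comm="ping" path="/etc/resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1',
]
# Assumption of this example: a file podman mounts into a container should be
# container_file_t carrying the same MCS categories as the container process.
EXPECTED_TARGET_TYPES = {"container_file_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RESULT_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_avc(line: str) -> Dict[str, object]:
    """Split one AVC record into its key=value fields plus result and perms."""
    rec: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = RESULT_RE.search(line)
    if m:
        rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def split_context(ctx: str) -> Tuple[str, Set[str]]:
    """user:role:type:level -> (type, MCS categories); a bare 's0' has none."""
    parts = ctx.split(":", 3)
    level = parts[3] if len(parts) > 3 else ""
    cats = set(level.split(":", 1)[1].split(",")) if ":" in level else set()
    return parts[2], cats

def check_denial(rec: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Flag a denial where container_t touched a file with an unexpected label."""
    if rec.get("type") != "AVC" or rec.get("result") != "denied":
        return None
    stype, scats = split_context(str(rec["scontext"]))
    ttype, tcats = split_context(str(rec["tcontext"]))
    if stype != "container_t" or rec.get("tclass") != "file":
        return None
    if ttype in EXPECTED_TARGET_TYPES and tcats == scats:
        return None  # label is what we expect; not this report's bug
    return {"pid": rec.get("pid"), "comm": rec.get("comm"),
            "target": rec.get("path") or rec.get("name"), "target_type": ttype,
            "perms": rec.get("perms"),
            "enforced": rec.get("permissive") == "0"}  # permissive=1: logged, not blocked

def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run check_denial over raw audit lines and keep only the findings."""
    return [f for f in (check_denial(parse_avc(l)) for l in lines) if f]
```

Feeding the same records back with the target relabelled to the container's own context yields no finding, which is the check a fixed podman should pass.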

Comment 1 Daniel Walsh 2019-02-25 14:00:15 UTC
Which version of podman are you using?
What command did you execute?

Comment 2 Robin Powell 2019-02-25 15:39:33 UTC
I updated everything before my last test:

container-selinux.noarch                      2:2.82-1.git5e1f62f.fc29       @updates
container-storage-setup.noarch                0.11.0-4.dev.git413b408.fc29   @fedora
containernetworking-plugins.x86_64            0.7.4-1.fc29                   @updates
containers-common.x86_64                      1:0.1.34-1.dev.gite96a9b0.fc29 @updates
criu.x86_64                                   3.11-1.fc29                    @updates
oci-systemd-hook.x86_64                       1:0.1.17-3.gitbd86a79.fc29     @fedora
oci-umount.x86_64                             2:2.5-1.gitc3cda1f.fc29        @updates
podman.x86_64                                 1:1.0.0-1.git82e8011.fc29      @updates

The command was:

$ sudo podman exec -it [pod] ping lojban.org

against an already-running container, but anything that causes a DNS lookup (nc, apt-get install; anything hostname-based) will do it.

Comment 3 Daniel Walsh 2019-02-25 21:55:48 UTC
What did the original podman command look like?

This looks like the resolv.conf inside of the container has the wrong label.

Comment 4 Robin Powell 2019-02-26 05:01:23 UTC
Oh, got it, sorry.  This is perhaps more than you're looking for, but:

[sampre_mw@jukni mediawiki]$ systemctl --user status lojban_mediawiki_web | cat
● lojban_mediawiki_web.service - Site/Webserver for mw.lojban.org
   Loaded: loaded (/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-02-24 23:01:11 PST; 21h ago
  Process: 30370 ExecStop=/bin/bash -x /home/sampre_mw/mediawiki/kill_web.sh 2>&1 (code=exited, status=0/SUCCESS)
 Main PID: 30475 (bash)
   CGroup: /user.slice/user-1086.slice/user/lojban_mediawiki_web.service
           ├─30475 /bin/bash -x /home/sampre_mw/mediawiki/run_web.sh 2>&1
           ├─30816 sudo /usr/bin/podman run --name lojban_mediawiki_web -v /srv/lojban/mediawiki-container/data/LocalSettings.php:/var/www/mediawiki/LocalSettings.php -v /srv/lojban/mediawiki-container/data/images:/var/www/mediawiki/images -v /srv/lojban/mediawiki-container/data/files:/var/www/mediawiki/files --network=container:lojban_mediawiki_db -i lojban/mediawiki_web:1.30-1
           └─30818 /usr/bin/podman run --name lojban_mediawiki_web -v /srv/lojban/mediawiki-container/data/LocalSettings.php:/var/www/mediawiki/LocalSettings.php -v /srv/lojban/mediawiki-container/data/images:/var/www/mediawiki/images -v /srv/lojban/mediawiki-container/data/files:/var/www/mediawiki/files --network=container:lojban_mediawiki_db -i lojban/mediawiki_web:1.30-1

There's also a build step, but there's nothing special there.  The Dockerfile is based on kristophjunge/mediawiki:1.30

I don't think I do anything that could muck with the resolv.conf label.

All the code is at https://github.com/lojban/mediawiki-docker , fwiw.

Comment 5 Fedora Update System 2019-02-27 13:30:16 UTC
podman-1.1.0-1.git006206a.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

Comment 6 Fedora Update System 2019-02-27 13:30:29 UTC
podman-1.1.0-1.git006206a.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

Comment 7 Fedora Update System 2019-02-28 18:55:37 UTC
podman-1.1.0-1.git006206a.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

Comment 8 Fedora Update System 2019-02-28 21:26:27 UTC
podman-1.1.0-1.git006206a.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

Comment 9 Fedora Update System 2019-03-05 19:11:06 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

Comment 10 Fedora Update System 2019-03-05 19:11:19 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

Comment 11 Fedora Update System 2019-03-06 15:12:56 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

Comment 12 Fedora Update System 2019-03-06 15:57:11 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

Comment 13 Fedora Update System 2019-03-10 18:23:26 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-03-15 03:35:13 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.