Bug 1748519
| Summary: | avc: podman run --security-opt label=type:svirt_qemu_net_t | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Ed Santiago <santiago> |
| Component: | container-selinux | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 8.1 | CC: | ddarrah, dornelas, dwalsh, toneata, weshen |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | 8.2 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | container-selinux-2.123.0-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1764318 1779787 | Environment: | |
| Last Closed: | 2020-04-28 15:47:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1734579, 1764318, 1779787 | | |
The following command emits no output on RHEL8, but generates an AVC and (incorrectly) exits 0:

```
# podman run --rm --security-opt label=type:svirt_qemu_net_t registry.access.redhat.com/rhel7/rhel:latest date
# echo $?
0
```

/var/log/audit/audit.log shows:

```
type=AVC msg=audit(1567536261.639:82): avc: denied { read write } for pid=5062 comm="date" path="/dev/null" dev="tmpfs" ino=38157 scontext=system_u:system_r:svirt_qemu_net_t:s0:c805,c868 tcontext=system_u:object_r:container_file_t:s0:c805,c868 tclass=chr_file permissive=0
type=AVC msg=audit(1567536261.639:82): avc: denied { write } for pid=5062 comm="date" path="pipe:[36973]" dev="pipefs" ino=36973 scontext=system_u:system_r:svirt_qemu_net_t:s0:c805,c868 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1567536261.639:82): avc: denied { write } for pid=5062 comm="date" path="pipe:[36974]" dev="pipefs" ino=36974 scontext=system_u:system_r:svirt_qemu_net_t:s0:c805,c868 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
```

It works fine when setenforce->0.

```
podman-1.4.2-2.module+el8.1.0+4016+4220c060.x86_64
container-selinux-2.107-2.module+el8.1.0+4016+4220c060.noarch
selinux-policy-3.14.3-19.el8.noarch
kernel 4.18.0-141.el8.x86_64
```

In case it's relevant, this is a system that I've been using for FIPS testing. However, FIPS mode is disabled and I've done several reboots since disabling it:

```
# fips-mode-setup --check
FIPS mode is disabled.
```

I just updated container-selinux-2.116.0-1.gitc5ef5ac.fc31 in Fedora to block this transition. Jindrich, we will need an updated container-selinux package with this fix for RHEL8.1.

This git checkin should be built for RHEL8.1.*: c5ef5ac658a0d616d53b81272694e778a2115b29

This is definitely NOT a blocker.

This looks correct to me. We don't want containers running in a VM's label.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650
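Because the run in this report exited 0 despite the denials, the exit code is no signal; the AVC records are. The script below is an added example written for this report, not code from podman or container-selinux. It parses AVC lines (the three from the report, embedded as constructed sample input, plus one invented ordinary container_t denial that must not match) and flags any process whose subject domain is a VM domain while the object it was denied on is a container-owned type. The `svirt_` and `container_` prefix rules are assumptions about the stock RHEL/Fedora policy rather than facts stated in the report; what the report does show is svirt_qemu_net_t as subject against container_file_t and container_runtime_t objects, which is exactly the "container running in a VM's label" condition the container-selinux fix blocks.

```python
"""Flag containers running under a VM (svirt_*) SELinux domain, from audit AVC records.

Added example for bug 1748519; not code from podman or container-selinux.
"""
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the report, plus one
# ordinary container_t denial (invented for contrast) that must NOT be flagged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1567536261.639:82): avc: denied { read write } for pid=5062 comm="date" path="/dev/null" dev="tmpfs" ino=38157 scontext=system_u:system_r:svirt_qemu_net_t:s0:c805,c868 tcontext=system_u:object_r:container_file_t:s0:c805,c868 tclass=chr_file permissive=0
type=AVC msg=audit(1567536261.639:82): avc: denied { write } for pid=5062 comm="date" path="pipe:[36973]" dev="pipefs" ino=36973 scontext=system_u:system_r:svirt_qemu_net_t:s0:c805,c868 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1567536261.639:82): avc: denied { write } for pid=5062 comm="date" path="pipe:[36974]" dev="pipefs" ino=36974 scontext=system_u:system_r:svirt_qemu_net_t:s0:c805,c868 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1567536400.100:91): avc: denied { write } for pid=6100 comm="sh" path="/home/x/f" dev="dm-0" ino=77 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# auditd itself writes "avc:  denied  {" with double spaces; the report was pasted
# with single spaces, so whitespace is matched loosely to accept both.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption (not from the report): on the stock RHEL/Fedora policy, libvirt guest
# domains carry the svirt_ prefix (svirt_t, svirt_tcg_t, svirt_qemu_net_t, ...) and
# every type container-selinux owns carries the container_ prefix.
VM_DOMAIN_PREFIXES = ("svirt_",)
CONTAINER_TYPE_PREFIX = "container_"


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m["ts"]),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = bare if bare else quoted
    return rec


def selinux_type(context):
    """user:role:type[:mls] -> type ('' if the context is malformed)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def is_container_under_vm_label(rec):
    """True when a VM domain is the subject and a container-owned type is the object.

    That pairing only arises when a container was started with a VM label, e.g.
    --security-opt label=type:svirt_qemu_net_t. Records with permissive=1 are kept
    on purpose: the mislabeling is the finding, not the enforcement outcome.
    """
    src = selinux_type(rec.get("scontext", ""))
    tgt = selinux_type(rec.get("tcontext", ""))
    return src.startswith(VM_DOMAIN_PREFIXES) and tgt.startswith(CONTAINER_TYPE_PREFIX)


def find_mislabeled_containers(audit_text):
    """Group flagged records by (pid, comm, subject type); return a sorted list of findings."""
    groups = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and is_container_under_vm_label(rec):
            key = (int(rec["pid"]), rec["comm"], selinux_type(rec["scontext"]))
            groups[key].append(rec)
    findings = []
    for (pid, comm, src_type), recs in sorted(groups.items()):
        findings.append({
            "pid": pid,
            "comm": comm,
            "source_type": src_type,
            "denials": len(recs),
            # distinct (object type, class, path) triples the process was denied on
            "targets": sorted({(selinux_type(r["tcontext"]), r["tclass"], r.get("path", ""))
                               for r in recs}),
        })
    return findings


if __name__ == "__main__":
    for f in find_mislabeled_containers(SAMPLE_AUDIT_LOG):
        print(f"pid={f['pid']} comm={f['comm']} runs as {f['source_type']}: "
              f"{f['denials']} denials against container-owned objects")
        for ttype, tclass, path in f["targets"]:
            print(f"  {tclass} {path} ({ttype})")
```

Feed it `ausearch -m AVC --raw` output or the audit log directly. Because records with permissive=1 are kept, the check still fires on a host where the reporter's setenforce 0 workaround is in place. Verifying the fix itself is a policy question rather than a log question (whether container_runtime_t may still transition to svirt_qemu_net_t), which this script does not attempt.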