Bug 1811759

Summary: AVC denied when building ohpc-gnu9-easybuild container image: type=AVC msg=audit(1583773655.955:433): avc: denied { setattr } for pid=26347 comm="fuse-overlayfs"
Product: Red Hat Enterprise Linux 7
Reporter: Alex Jia <ajia>
Component: container-selinux
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: high
Version: 7.8
CC: dornelas, dwalsh, gscrivan, jnovy, spanjikk, tsweeney, weshen, ypu
Target Milestone: rc
Keywords: Extras
Hardware: x86_64
OS: Linux
Fixed In Version: container-selinux-2.119.2-1.911c772.el7_8
Doc Type: If docs needed, set a value
Last Closed: 2020-06-23 14:27:36 UTC
Type: Bug
Bug Blocks: 1186913, 1816260

Description Alex Jia 2020-03-09 17:15:43 UTC
Description of problem:
AVC denied when building the ohpc-gnu9-easybuild container image.

Version-Release number of selected component (if applicable):
[ajia@hpe-bl460cgen8-01 ~]$ rpm -q fuse-overlayfs podman kernel
fuse-overlayfs-0.7.2-6.el7_8.x86_64
podman-1.6.4-13.el7_8.x86_64
kernel-3.10.0-1127.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set up a rootless environment.

2. $ cat Dockerfile.ohpc-gnu9-easybuild
FROM quay.io/ohpc/ohpc-gnu9:1.9.9

MAINTAINER The OpenHPC Project

RUN useradd -ms /bin/bash openhpc

RUN yum -y install EasyBuild-ohpc && \
    yum -y install patch make perl && \
    yum clean all

WORKDIR /home/openhpc
USER openhpc

ENV PATH="/opt/ohpc/pub/libs/easybuild/4.1.1/software/EasyBuild/4.1.1/bin:${PATH}"
ENV PYTHONPATH="/opt/ohpc/pub/libs/easybuild/4.1.1/software/EasyBuild/4.1.1/lib/python3.6/site-packages"

# This way all commands passed into the container are executed in a
# login shell which is necessary to get lmod working. Commands
# need to be enclosed in quotes.
ENTRYPOINT ["/bin/bash", "-l", "-c"]

$ podman build . -f Dockerfile.ohpc-gnu9-easybuild --tag=ohpc-gnu9-easybuild:1.9.9 

Actual results:

[ajia@hpe-bl460cgen8-01 ~]$ id
uid=1001(ajia) gid=1001(ajia) groups=1001(ajia) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[ajia@hpe-bl460cgen8-01 ~]$ podman unshare cat /proc/self/uid_map 
         0       1001          1
         1     165536      65536

[ajia@hpe-bl460cgen8-01 ~]$ podman build . -f Dockerfile.ohpc-gnu9-easybuild --tag=ohpc-gnu9-easybuild:1.9.9
...ignore...

[root@hpe-bl460cgen8-01 ~]# tailf /var/log/audit/audit.log 
...ignore...
type=AVC msg=audit(1583773655.955:433): avc:  denied  { setattr } for  pid=26347 comm="fuse-overlayfs" name="1060" dev="proc" ino=20406 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0

type=AVC msg=audit(1583773656.001:434): avc:  denied  { setattr } for  pid=26347 comm="fuse-overlayfs" name="1061" dev="proc" ino=20407 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0


Expected results:


Additional info:
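
A small triage helper, added here and not part of the bug report or of container-selinux: it parses AVC records in the format shown above, keeps only enforced denials, and groups them into the allow rule that audit2allow would derive. The sample records are constructed to match the report's entries, plus one non-AVC line to show that other record types are skipped.

```python
import re

# Constructed sample shaped like the audit.log entries in the report
# (same fields and contexts); the SYSCALL line is there to be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1583773655.955:433): avc:  denied  { setattr } for  pid=26347 comm="fuse-overlayfs" name="1060" dev="proc" ino=20406 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
type=AVC msg=audit(1583773656.001:434): avc:  denied  { setattr } for  pid=26347 comm="fuse-overlayfs" name="1061" dev="proc" ino=20407 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1583773656.001:434): arch=c000003e syscall=260 success=no exit=-13
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": m.group("serial"),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')  # pid, comm, name, dev, ino, scontext, ...
    return rec


def selinux_type(context):
    """user:role:type:range -> type, the part policy rules are written against."""
    return context.split(":")[2]


def summarize_denials(text):
    """Group enforced denials into {allow rule: count}.

    A same-type rule (source type == target type), as in this report, means the
    domain is denied access to its own objects, so only a policy update fixes it.
    """
    grouped = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        # permissive=0 marks a real denial; permissive=1 entries are would-have-denied
        if rec is None or rec["verdict"] != "denied" or rec.get("permissive") != "0":
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        perms, count = grouped.get(key, (set(), 0))
        grouped[key] = (perms | set(rec["perms"]), count + 1)
    return {f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};": n
            for (s, t, c), (p, n) in grouped.items()}


if __name__ == "__main__":
    for rule, n in summarize_denials(SAMPLE_AUDIT).items():
        print(f"{n:3d}x  {rule}")
```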

Comment 12 Daniel Walsh 2020-05-01 12:08:40 UTC
No, you cannot take the RHEL8 container-selinux and install it on a RHEL7 box. The RHEL 7 system is too old. If we want to fix this then we need to update the RHEL7 branch of container-selinux.

The question is whether or not we will update any more RHEL7 packages. One good thing about updating container-selinux is that it is very unlikely to cause regressions, since we are just adding more allow rules.

Comment 20 Jindrich Novy 2020-06-04 07:12:06 UTC
*** Bug 1811762 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2020-06-23 14:27:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2685