Bug 1881218
| Summary: | unable to run RHEL6 container in RHEL 8.3 (container-selinux not installed with podman) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jakub Jelen <jjelen> |
| Component: | podman | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | Joy Pu <ypu> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.3 | CC: | bbaude, dwalsh, gnecasov, jligon, jnovy, kanderso, lsm5, mheon, michele, omosnace, tsweeney, ypu |
| Target Milestone: | rc | Keywords: | Regression, Reopened |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | podman-2.1.1-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-16 14:21:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This one is actually a feature. See bug 1806044. The container-selinux package is a soft dependency of podman. The motivation is to reduce the overall size of podman related images as hard dependency on container-selinux pulls in bulky selinux-policy. The proposed solution to what you see is to install soft deps together with podman. This will be documented in the release notes.

Really? Is there anything podman can do without the policy (well ... assuming selinux is enabled)? I am afraid this will cause a lot of pain as it causes weird issues without any reasonable error messages. Would it make sense to modify podman to check this at runtime, if selinux is enabled, to warn a user that the policy is missing and nothing will work?

Sounds good. Matt, does comment #3 sound like a good feature for 8.3.1 and later?

Maybe podman should have:

```
Requires: container-selinux if selinux-policy
```

(At least I hope boolean dependencies [1] work in RHEL-8...)

[1] https://rpm.org/user_doc/boolean_dependencies.html

Yes, Ondrej Moskacek, this makes sense. Leaving it upon Matt to decide whether runtime check is a good thing to do. Proposing this for 8.3.1.

https://pkgs.devel.redhat.com/cgit/rpms/podman/patch/?id=0538626d5f57c8e511628900ea44cb4e79abf2cd

Can we get qa ack please?

I defer the question about a runtime check to Dan Walsh and his superior knowledge of SELinux, but this sounds like a good idea to me.

The same issue is also in Fedora packages. Do you need a separate bug for Fedora or can you pull the same change there too?

Yes Jakub, Fedora packages are maintained by Lokesh, not me. But you can submit a pull request, no?

What about the "upstream first" principle?

Fedora Pull request: https://src.fedoraproject.org/rpms/podman/pull-request/39

(In reply to Jindrich Novy from comment #7)
> https://pkgs.devel.redhat.com/cgit/rpms/podman/patch/?id=0538626d5f57c8e511628900ea44cb4e79abf2cd

I believe that:

```
-Recommends: container-selinux
+Requires: container-selinux if selinux-policy
```

Needs to be "Requires: (container-selinux if selinux-policy)"

From the guide: 'Boolean Expressions are always enclosed with parenthesis.'

In fact the current podman-2.1.1-1.module+el8.3.1+8253+050ebf3c.x86_64.rpm build is not installable as it has all the requirements now:

```
$ rpm -qp --requires podman-2.1.1-1.module+el8.3.1+8253+050ebf3c.x86_64.rpm | grep -e if -e selinux
container-selinux if selinux-policy
```

Dan/Jindrich,

Thoughts on Michele's comment? https://bugzilla.redhat.com/show_bug.cgi?id=1881218#c13

(In reply to Tom Sweeney from comment #15)
> Dan/Jindrich,
>
> Thoughts on Michele's comment?
> https://bugzilla.redhat.com/show_bug.cgi?id=1881218#c13

It's been fixed in podman-2.1.1-2.module+el8.3.1+8286+0ceb9ba9 and is installable again, thanks!

Thanks Michele. The podman-2.1.1-2.module+el8.3.1+8286+0ceb9ba9 in the rhel8 test branch now contains the fix for the boolean dep. Let's give it some testing.

As it looks like Jindrich has the fix in hand, I'm going to change this to POST for any further packaging needs and BZ changes.

(In reply to Jindrich Novy from comment #17)
> Thanks Michele. The podman-2.1.1-2.module+el8.3.1+8286+0ceb9ba9 in the rhel8
> test branch now contains the fix for the boolean dep. Let's give it some
> testing.

Just as a quick drive-by info, podman-2.1.1-2 has worked well in my OSP testing so far. You all have a nice weekend!

Checked with podman-2.1.1-3.module+el8.3.1+8686+2a59bca3.x86_64 and the dependency is already updated. So set this to verified. Details:

```
# yum deplist podman
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 0:12:59 ago on Wed 11 Nov 2020 10:26:48 AM EST.
package: podman-2.1.1-3.module+el8.3.1+8686+2a59bca3.x86_64
  dependency: (container-selinux if selinux-policy)
   provider: container-selinux-2:2.151.0-1.module+el8.3.1+8686+2a59bca3.noarch
...
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0531

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Description of problem:

With the update to RHEL 8.3 I am no longer able to run containers using podman. It turned out that installation of podman did not trigger installation of container-selinux for some reason, which makes any container operation impossible without many pointers to what's wrong.

Version-Release number of selected component (if applicable):

podman-2.0.0-0.9.rc7.module+el8.3.0+7084+c16098dd.x86_64
selinux-policy-3.14.3-48.el8.noarch

How reproducible:

always

Steps to Reproduce:

0. Latest RHEL 8.3 compose installation
1. `[root@RHEL-8-3-0-20200909-1 ~]# dnf install podman` ... not installing container-selinux ...
2. `[root@RHEL-8-3-0-20200909-1 ~]# podman run -it rhel6:6.10 /bin/bash`

Actual results:

```
Trying to pull registry.access.redhat.com/rhel6:6.10...
Getting image source signatures
Copying blob 727cd7ac3772 done
Copying blob 9c279408dd9d done
Copying config 1020f27b5b done
Writing manifest to image destination
Storing signatures
[root@RHEL-8-3-0-20200909-1 ~]# echo $?
127
```

... no reasonable error message -- just exit code ...

Expected results:

getting a shell from the RHEL 6 container as it used to work in RHEL 8.2 and how it works with proper dependencies installed.

Additional info:

logs

```
[root@RHEL-8-3-0-20200909-1 ~]# ausearch -m AVC -ts recent
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.120:192): proctitle="/bin/bash"
type=EXECVE msg=audit(1600719596.120:192): argc=1 a0="/bin/bash"
type=SYSCALL msg=audit(1600719596.120:192): arch=c000003e syscall=59 success=yes exit=0 a0=c0000c5860 a1=c00020d850 a2=c000090570 a3=a items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.120:192): avc: denied { read write } for pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
type=AVC msg=audit(1600719596.120:192): avc: denied { read write } for pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
type=AVC msg=audit(1600719596.120:192): avc: denied { read write } for pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
type=AVC msg=audit(1600719596.120:192): avc: denied { read write } for pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.121:193): proctitle="/bin/bash"
type=SYSCALL msg=audit(1600719596.121:193): arch=c000003e syscall=10 success=no exit=-13 a0=7f8ba05d9000 a1=1ff000 a2=0 a3=1 items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.121:193): avc: denied { read } for pid=9997 comm="bash" path="/lib64/libtinfo.so.5.7" dev="dm-0" ino=16932394 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.121:194): proctitle="/bin/bash"
type=SYSCALL msg=audit(1600719596.121:194): arch=c000003e syscall=10 success=no exit=-13 a0=7f8ba03ba000 a1=200000 a2=0 a3=1 items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.121:194): avc: denied { read } for pid=9997 comm="bash" path="/lib64/libdl-2.12.so" dev="dm-0" ino=16932625 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.121:195): proctitle="/bin/bash"
type=SYSCALL msg=audit(1600719596.121:195): arch=c000003e syscall=10 success=no exit=-13 a0=7f8ba01af000 a1=1ff000 a2=0 a3=1 items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.121:195): avc: denied { read } for pid=9997 comm="bash" path="/lib64/libc-2.12.so" dev="dm-0" ino=16932467 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.121:196): proctitle="/bin/bash"
type=SYSCALL msg=audit(1600719596.121:196): arch=c000003e syscall=10 success=no exit=-13 a0=7f8ba03ae000 a1=4000 a2=1 a3=7f8ba09fefd8 items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.121:196): avc: denied { read } for pid=9997 comm="bash" path="/lib64/libc-2.12.so" dev="dm-0" ino=16932467 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
```
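A defender-side triage helper for `ausearch -m AVC` output like the log above, added here as an example and not part of the bug report or of podman: it parses each `avc: denied` record into (source type, target type, object class, permissions) counts and flags the pattern this report shows. The three sample records are constructed from the log above, and the container_t-denied-on-var_lib_t heuristic is my own reading of those denials, not something the bug states.

```python
import re
from collections import Counter

# Constructed sample: three AVC records in the shape of the `ausearch -m AVC`
# output attached to this bug (same contexts, classes and paths as the report).
SAMPLE_AVC = """\
type=AVC msg=audit(1600719596.120:192): avc: denied { read write } for pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
type=AVC msg=audit(1600719596.121:193): avc: denied { read } for pid=9997 comm="bash" path="/lib64/libtinfo.so.5.7" dev="dm-0" ino=16932394 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600719596.121:195): avc: denied { read } for pid=9997 comm="bash" path="/lib64/libc-2.12.so" dev="dm-0" ino=16932467 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc: +denied +\{ *(?P<perms>[^}]*)\} for (?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(ctx):
    """Type component of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Extract the triage-relevant fields from each `avc: denied` line;
    other audit record types (SYSCALL, PROCTITLE, ...) are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append({
            "perms": tuple(m.group("perms").split()),
            "path": fields.get("path"),
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "enforced": fields.get("permissive") == "0",
        })
    return denials

def summarize(denials):
    """Count denials by (source type, target type, object class, permissions)."""
    return Counter((d["source"], d["target"], d["tclass"], d["perms"]) for d in denials)

def container_policy_suspect(denials):
    """My heuristic, not from the bug: an enforced denial of container_t reading a
    plain var_lib_t file means the image rootfs never received the container
    labels that container-selinux's file contexts would have applied."""
    return any(d["source"] == "container_t" and d["target"] == "var_lib_t"
               and d["tclass"] == "file" and d["enforced"] for d in denials)
```

Feed it the raw `ausearch -m AVC` text and inspect `summarize()`; a True from `container_policy_suspect()` is the cue to check `rpm -q container-selinux` before chasing the exit code 127.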