Bug 1923728

Summary: the audit no longer works inside of podman containers
Product: [Fedora] Fedora Reporter: Jakub Jelen <jjelen>
Component: podmanAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 33CC: acui, bbaude, container-sig, debarshir, dwalsh, jnovy, lsm5, mheon, pehunt, rh.container.bot, santiago
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-01 21:23:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Jelen 2021-02-01 17:54:23 UTC 
Description of problem:
Running sshd in podman fails. This was not an issue in the older versions (in RHEL8).

Version-Release number of selected component (if applicable):
podman-3.0.0-0.20rc1.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. podman run -p 22000:22 --expose=22 -it centos:7 /bin/bash -c "yum install -y openssh-server && ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' && /usr/sbin/sshd -Dd"
2. in other window, connect and authenticate (enter wrong password): ssh localhost -p 22000

Actual results:
connection fails, the std error of first window ends with

debug1: PAM: password authentication failed for root: Authentication failure
Failed password for root from 10.88.0.1 port 55440 ssh2
linux_audit_write_entry failed: Operation not permitted
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 70
linux_audit_write_entry failed: Operation not permitted


Expected results:
the connection is accepted authentication is prompted

Additional info:

The sshd attempts to write audit message, which fails. This worked in the past and this is a regression.
Comment 1 Matthew Heon 2021-02-01 17:59:53 UTC 
This looks like us dropping the Audit capability - tagging Dan Walsh to confirm
Comment 2 Daniel Walsh 2021-02-01 21:23:35 UTC 
Yes we have dropped the audit_write capability by default.  Since this is a very rare case and can easily be fixed by adding it on the command line

podman run --cap-add AUDIT_WRITE -p 22000:22 --expose=22 -it centos:7 /bin/bash -c "yum install -y openssh-server && ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' && /usr/sbin/sshd -Dd"
Comment 3 Daniel Walsh 2021-02-01 21:24:34 UTC 
BTW, if you want the old behaviour you can add the CAP back into /etc/containers/containers.conf (Based on /usr/share/containers/containers.conf).