Bug 2040301
| Summary: | avc: denied { read } for pid=1094371 comm="busybox-extras" path="/lib/ld-musl-x86_64.so.1" dev="sda9" ino=269733375 scontext=system_u:system_r:container_t:s0:c125,c559 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Bruno Goncalves <bgoncalv> |
| Component: | container-selinux | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED WORKSFORME | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | CentOS Stream | CC: | bstinson, jnovy, jwboyer, tsweeney |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-01-14 21:00:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
cki tracker issue: https://datawarehouse.cki-project.org/issue/898 This looks like you have a mislabeled system under /var restorecon -R -v /var/lib Should fix the issue. This is not something that container-selinux can fix. |
Description of problem: During CKI tests we've start to hit the issue below, the issue seems to trigger after we run podman tests [1] as non-root user like [2]: time->Wed Jan 12 20:43:47 2022 type=PROCTITLE msg=audit(1642038227.199:5403): proctitle=2F62696E2F62757379626F782D657874726173006874747064002D66002D70003830 type=SYSCALL msg=audit(1642038227.199:5403): arch=c000003e syscall=10 success=no exit=-13 a0=7ff7d4bed000 a1=1000 a2=1 a3=7ff7d4bf0940 items=0 ppid=1094368 pid=1094371 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="busybox-extras" exe="/bin/busybox-extras" subj=system_u:system_r:container_t:s0:c125,c559 key=(null) type=AVC msg=audit(1642038227.199:5403): avc: denied { read } for pid=1094371 comm="busybox-extras" path="/lib/ld-musl-x86_64.so.1" dev="sda9" ino=269733375 scontext=system_u:system_r:container_t:s0:c125,c559 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 ---- Version-Release number of selected component (if applicable): selinux-policy-34.1.22-1.el9.noarch container-selinux-2.172.1-1.el9 How reproducible: it seems easily reproducible at least on cki environment Steps to Reproduce: 1. run podman test [1] 2. 3. Additional info: [1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/container/podman [2] https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/446779710/test%20x86_64/1968670551/artifacts/run.done.01/job.01/recipes/11278593/tasks/15/logs/taskout.log