Bug 2069586

Summary: Can not read symbolic links in relabeled podman container volume
Product: [Fedora] Fedora Reporter: Pavel Raiskup <praiskup>
Component: container-selinuxAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 36CC: amurdaca, dwalsh, dweomer5, jchaloup, lsm5, pehunt, rh.container.bot
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-01 00:44:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pavel Raiskup 2022-03-29 08:22:41 UTC 
After recent system updates, I can not read symlinks from volumes inside podman
rootless containers.

$ rpm -q kernel-core container-selinux selinux-policy-targeted podman buildah
kernel-core-5.17.1-300.fc36.x86_64
container-selinux-2.181.0-1.fc36.noarch
selinux-policy-targeted-36.5-1.fc36.noarch
podman-4.0.2-1.fc36.x86_64
buildah-1.24.2-2.fc36.x86_64

Reproducer:

$ mkdir testdir
$ cd testdir
$ mkdir dir
$ echo world > dir/file
$ ln -s file -T dir/link
$ ls -l dir/
total 4
-rw-rw-r--. 1 praiskup praiskup 6 Mar 29 10:17 file
lrwxrwxrwx. 1 praiskup praiskup 4 Mar 29 10:19 link -> file
$ podman run --rm -ti -v `pwd`/dir:/dir:Z fedora:rawhide
[root@9e5aaa7c2bcb /]# ls -alhZ /dir
ls: cannot access '/dir/link': Permission denied
total 8.0K
drwxrwxr-x.  2 root root system_u:object_r:container_file_t:s0:c43,c1002   80 Mar 29 08:19 .
dr-xr-xr-x. 20 root root system_u:object_r:fusefs_t:s0                   4.0K Mar 29 08:19 ..
-rw-rw-r--.  1 root root system_u:object_r:container_file_t:s0:c43,c1002    6 Mar 29 08:17 file
l??????????  ? ?    ?    ?                                                  ?            ? link
Comment 1 Pavel Raiskup 2022-03-29 08:23:50 UTC 
# ausearch -c 'container-run' --raw | audit2allow 

#============= container_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       mlsconstrain lnk_file { ioctl read getattr } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain lnk_file { write setattr } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain lnk_file { relabelfrom } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain lnk_file { create relabelto } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED

#       Possible cause is the source level (s0:c137,c441) and target level (s0:c778,c805) are different.
allow container_t container_file_t:lnk_file read;
Comment 2 Daniel Walsh 2022-03-29 11:21:53 UTC 
This is caused by a bug which was fixed upstream https://github.com/opencontainers/selinux/pull/173

The fix should be in podman 4.1.