+++ This bug was initially created as a clone of Bug #2031022 +++
Description of problem:
During CKI podman test [1] we've hit the following issue:
avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0
Version-Release number of selected component (if applicable):
selinux-policy-35.6-1.fc36.noarch
How reproducible:
It seems easily reproducible with the podman test.
Steps to Reproduce:
1. Run test [1]
Additional info:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
selinux-policy-35.6-1.fc36.noarch
[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/container/podman
--- Additional comment from Bruno Goncalves on 2021-12-10 11:19:12 UTC ---
beaker job: https://beaker.engineering.redhat.com/recipes/11120125#task136635605
--- Additional comment from Zdenek Pytela on 2021-12-10 11:37:43 UTC ---
Switching the component, there are already some rules in container-selinux:
f35# sesearch -A -s iptables_t -t container_file_t -c dir,file
allow application_domain_type logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iptables_t container_file_t:dir { getattr open search };
allow iptables_t container_file_t:file open;
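The comment above answers the question every AVC denial raises: does the loaded policy already grant this access, and if not, which permission is the gap? The following script is an added example (not code from the reporters, from container-selinux, or from the sesearch tool): it parses the AVC record from the description, builds the matching sesearch query, parses the quoted sesearch output, and reports which denied permission no active rule grants. Both inputs are copied from this report; the function names are this example's own.

```python
import re

# Sample input copied from the AVC record in the bug description.
AVC_LINE = (
    'avc: denied { ioctl } for pid=510216 comm="iptables" '
    'path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" '
    'dev="overlay" ino=42308193 '
    'scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0'
)

# Sample input copied from the sesearch output quoted in the comment above.
SESEARCH_OUTPUT = """\
allow application_domain_type logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iptables_t container_file_t:dir { getattr open search };
allow iptables_t container_file_t:file open;
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# One sesearch -A line: 'allow SRC TGT:CLASS { p1 p2 };' or 'allow SRC TGT:CLASS p;',
# optionally followed by '[ boolean ]:True|False' for conditional rules.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<multi>[^}]*?)\s*\}|(?P<single>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<bool>[^\]]+?)\s*\]:(?P<state>True|False))?"
)


def parse_avc(line: str) -> dict:
    """Extract the denied permissions and the (source type, target type, class)
    triple from one AVC record. A context has the form user:role:type:range,
    so the type is the third colon-separated field."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: %r" % line)
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def sesearch_command(avc: dict) -> str:
    """The sesearch query that lists the allow rules relevant to this denial."""
    return "sesearch -A -s %s -t %s -c %s" % (avc["stype"], avc["ttype"], avc["tclass"])


def parse_allow_rules(text: str) -> list:
    """Parse sesearch -A output into (src, tgt, cls, perms, active) tuples.
    'active' is False only for a conditional rule whose boolean is off."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m is None:
            continue
        perms = set((m.group("multi") or m.group("single")).split())
        active = m.group("state") != "False"
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms, active))
    return rules


def granted_permissions(avc: dict, sesearch_output: str) -> set:
    """Union of permissions on the denied object class over all active rules.
    sesearch already expands attribute membership, so rules written against
    attributes such as 'domain' or 'file_type' count as well."""
    granted = set()
    for _src, _tgt, cls, perms, active in parse_allow_rules(sesearch_output):
        if active and cls == avc["tclass"]:
            granted |= perms
    return granted


def missing_permissions(avc_line: str, sesearch_output: str) -> set:
    """Denied permissions that no listed rule grants on that object class."""
    avc = parse_avc(avc_line)
    return avc["perms"] - granted_permissions(avc, sesearch_output)


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print("query:", sesearch_command(avc))
    print("granted on %s: %s" % (avc["tclass"], sorted(granted_permissions(avc, SESEARCH_OUTPUT))))
    print("still denied:", sorted(missing_permissions(AVC_LINE, SESEARCH_OUTPUT)))
```

Run against these inputs it reports that iptables_t holds getattr, open and search on container_file_t directories but not ioctl, which is exactly the gap the denial shows. A gap found this way only identifies the missing rule; whether the right fix is a local module or, as here, an updated container-selinux package is a separate decision.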
--- Additional comment from Martin Pitt on 2022-01-10 07:36:05 UTC ---
In Cockpit we started to see these as well now, in our Fedora CoreOS CI: for example, [1]
audit: type=1400 audit(1641799023.984:237): avc: denied { ioctl } for pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/0fac9b410d57d0f8ae6fa8f042e8672ae70ddbeb4e25845223e35a3b2260c169/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0
Nothing in that test fiddles with iptables, that's somehow internal to podman. But lots of tests start a cockpit/ws container there, so this just feels random. E.g. here [2] and here [3] it hit two different and completely unrelated tests. We haven't seen this before, and haven't refreshed our CoreOS image in a whole week. Was this some sort of a time bomb? (But I can't imagine SELinux rules being time dependent.)
[1] https://logs.cockpit-project.org/logs/pull-16798-20220110-064948-be591291-fedora-coreos/log.html#232
[2] https://logs.cockpit-project.org/logs/pull-2784-20220110-024544-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#152
[3] https://logs.cockpit-project.org/logs/pull-2784-20220110-063907-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#241
--- Additional comment from Ben Cotton on 2022-02-08 21:15:40 UTC ---
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (container-selinux bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2206