Bug 2089257

Summary: avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023
Product: Red Hat Enterprise Linux 9
Reporter: Marius Vollmer <mvollmer>
Component: container-selinux
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: Edward Shen <weshen>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.1
CC: amurdaca, bgoncalv, dwalsh, dweomer5, extras-qa, grepl.miroslav, jchaloup, jnovy, lsm5, lvrabec, mboddu, mmalik, mmarusak, mpitt, omosnace, pehunt, pkoncity, rh.container.bot, tsweeney, vmojzis, ypu, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: CockpitTest
Fixed In Version: container-selinux-2.191.0-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2031022
Environment:
Last Closed: 2023-05-09 07:33:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2031022
Bug Blocks: 2106396

Description Marius Vollmer 2022-05-23 09:57:29 UTC
+++ This bug was initially created as a clone of Bug #2031022 +++

Description of problem:
During CKI podman test [1] we've hit the following issue:

avc:  denied  { ioctl } for  pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-35.6-1.fc36.noarch

How reproducible:
It seems easily reproducible with the podman test.

Steps to Reproduce:
1. Run test [1]


Additional info:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-35.6-1.fc36.noarch

[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/container/podman

--- Additional comment from Bruno Goncalves on 2021-12-10 11:19:12 UTC ---

beaker job: https://beaker.engineering.redhat.com/recipes/11120125#task136635605

--- Additional comment from Zdenek Pytela on 2021-12-10 11:37:43 UTC ---

Switching the component, there are already some rules in container-selinux:

f35# sesearch -A -s iptables_t -t container_file_t -c dir,file
allow application_domain_type logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iptables_t container_file_t:dir { getattr open search };
allow iptables_t container_file_t:file open;

--- Additional comment from Martin Pitt on 2022-01-10 07:36:05 UTC ---

In Cockpit we started to see these as well now, in our Fedora CoreOS CI: for example, [1]

audit: type=1400 audit(1641799023.984:237): avc:  denied  { ioctl } for  pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/0fac9b410d57d0f8ae6fa8f042e8672ae70ddbeb4e25845223e35a3b2260c169/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0

Nothing in that test fiddles with iptables; that's somehow internal to podman. But lots of tests start a cockpit/ws container there, so this just feels random. E.g. here [2] and here [3] it hit two different and completely unrelated tests. We haven't seen this before, and haven't refreshed our CoreOS image in a whole week. Was this some sort of time bomb? (But I can't imagine SELinux rules being time dependent.)

[1] https://logs.cockpit-project.org/logs/pull-16798-20220110-064948-be591291-fedora-coreos/log.html#232
[2] https://logs.cockpit-project.org/logs/pull-2784-20220110-024544-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#152
[3] https://logs.cockpit-project.org/logs/pull-2784-20220110-063907-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#241

--- Additional comment from Ben Cotton on 2022-02-08 21:15:40 UTC ---

This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.
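
As an added triage helper (not code from the bug report or from container-selinux), the following Python parses the AVC records quoted above, extracts the source and target SELinux types, and compares the denied permissions against the iptables_t -> container_file_t rules shown in the sesearch output; the allow-rule table is transcribed from that output and the match pattern is the one specific to this bug, not a general policy check.

```python
import re

# The two AVC denials quoted in this report (one with the kernel "audit:" prefix
# from the Cockpit CI log, one from the description), used as sample input.
SAMPLE_LINES = [
    'avc:  denied  { ioctl } for  pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0',
    'audit: type=1400 audit(1641799023.984:237): avc:  denied  { ioctl } for  pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/0fac9b410d57d0f8ae6fa8f042e8672ae70ddbeb4e25845223e35a3b2260c169/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0',
]
# iptables_t -> container_file_t rules transcribed from the sesearch output in
# the report: (source type, target type, class) -> allowed permissions.
KNOWN_ALLOW = {
    ("iptables_t", "container_file_t", "dir"): {"getattr", "open", "search"},
    ("iptables_t", "container_file_t", "file"): {"open"},
}
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def selinux_type(context):
    """Type field of a user:role:type[:mls] context, e.g. iptables_t."""
    return context.split(":", 3)[2]

def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    result, perms, rest = m.groups()
    fields = {k: (q if q else v) for k, q, v in KV_RE.findall(rest)}
    return {
        "result": result,
        "perms": set(perms.split()),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
    }

def missing_permissions(avc):
    """Denied permissions not covered by the known allow rules for the pair."""
    key = (avc["stype"], avc["ttype"], avc["tclass"])
    return avc["perms"] - KNOWN_ALLOW.get(key, set())

def triage(lines):
    """Collect denials matching this bug: iptables_t on a container_file_t dir."""
    hits = []
    for avc in filter(None, map(parse_avc, lines)):
        if avc["result"] == "denied" and (avc["stype"], avc["ttype"], avc["tclass"]) == ("iptables_t", "container_file_t", "dir"):
            hits.append((avc["comm"], avc["path"], sorted(missing_permissions(avc))))
    return hits
```

For both sample records the only permission outside the quoted rules is `ioctl`, which is what the bug's denials report; a denial whose permissions are all already allowed indicates a rule that is loaded in a different policy version than the one on the box, not a missing rule.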

Comment 1 Marius Vollmer 2022-05-23 10:01:29 UTC
This now turns up on RHEL 9.1 as well.

selinux-policy-34.1.32-1.el9.noarch

https://cockpit-logs.us-east-1.linodeobjects.com/pull-3398-20220523-090548-c9f0c810-rhel-9-1-cockpit-project-cockpit/log.html#51

Comment 2 Zdenek Pytela 2022-09-19 14:21:53 UTC
Switching the component, see
https://bugzilla.redhat.com/show_bug.cgi?id=2031022

Comment 3 Daniel Walsh 2022-12-01 00:14:04 UTC
This looks like a leaked file descriptor.

Comment 4 Daniel Walsh 2022-12-01 00:15:46 UTC
Fixed in container-selinux-2.191.0-1

Comment 11 errata-xmlrpc 2023-05-09 07:33:44 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (container-selinux bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2206