Bug 2112014
| Summary: | Unable to start container with -it and runc | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Joy Pu <ypu> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.0 | CC: | bbaude, dwalsh, jnovy, lsm5, lvrabec, mheon, mmalik, nknazeko, pthomas, ssekidde, tsweeney, umohnani |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 9.1 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-34.1.41-1.el9 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: Missing policy rule to allow unconfined domains to bpf all other domains
Consequence: AVC denials
Fix: Allow unconfined domains to bpf all other domains
Result: No AVC
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-15 11:14:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Joy Pu
2022-07-28 15:48:55 UTC
Selinux log:
time->Thu Jul 28 12:07:10 2022
type=PROCTITLE msg=audit(1659024430.677:32811): proctitle=2F7573722F62696E2F72756E63002D2D73797374656D642D6367726F7570002D2D6C6F672D666F726D61743D6A736F6E002D2D6C6F67002F72756E2F636F6E7461696E6572732F73746F726167652F6F7665726C61792D636F6E7461696E6572732F646464383635356164363733613939376263616435353531353364626233
type=SYSCALL msg=audit(1659024430.677:32811): arch=c000003e syscall=321 success=no exit=-13 a0=d a1=c00013e040 a2=8 a3=7f4b2cf673b0 items=0 ppid=590627 pid=590628 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="runc" exe="/usr/bin/runc" subj=unconfined_u:system_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1659024430.677:32811): avc: denied { prog_run } for pid=590628 comm="runc" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Dan PTAL ASAP This is a policy that is allowed in Fedora.
$ sesearch -A -s container_runtime_t -t init_t -c bpf
allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
$ rpm -q selinux-policy
selinux-policy-36.10-1.fc36.noarch
It would seem that the kernel has been updated with new SELinux constraints on prog_run, and the policy was not updated to allow unconfined programs the access.
Commit to backport:
commit 74e737596525407e600f63c0ba4f4df65d5766cd
Author: Daniel J Walsh <dwalsh>
Date: Fri Jul 16 06:32:34 2021 -0400
Allow unconfined domains to bpf all other domains
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8283 |