Bug 2113941

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | podman did not set selinux labels to symbolic links | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | dominik.holler |
| Component | podman | Assignee | Jindrich Novy <jnovy> |
| Status | CLOSED ERRATA | QA Contact | Alex Jia <ajia> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 8.6 | CC | bbaude, dwalsh, jligon, jnovy, lsm5, mheon, pthomas, tsweeney, umohnani, ypu |
| Target Milestone | rc | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | podman-4.1 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2022-11-08 09:16:44 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
dominik.holler
2022-08-02 11:28:12 UTC

This is fixed in podman 4.1. Assigning to Jindrich for any further BZ/packaging needs.

https://github.com/opencontainers/selinux/pull/173

Which was released in v1.10.1. Which should have come into Podman here:

https://github.com/containers/podman/pull/13689

@jnovy Can this BZ be moved into ON_QA state?

This was fixed in Podman 4.1.0 and beyond, maybe a bit earlier.

I can reproduce this bug on podman-4.0.2-6.module+el8.6.0+14877+f643d2d6.x86_64 and verified it on podman 4.1.

Reproducer

```
[root@sweetpig-11 ~]# podman run -it -v /foo/data:/mnt/data:Z rhel7 ls -lZ /mnt/data
ls: cannot access /mnt/data/ls: Permission denied
?--------- ? ?                                                         ls
-rw-r--r--. root root system_u:object_r:container_file_t:s0:c539,c772 test.txt
[root@sweetpig-11 ~]# rpm -q podman runc
podman-4.0.2-6.module+el8.6.0+14877+f643d2d6.x86_64
runc-1.0.3-2.module+el8.6.0+14877+f643d2d6.x86_64
```

On 8.6

```
[root@sweetpig-11 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.6 (Ootpa)
[root@sweetpig-11 ~]# rpm -q podman runc
podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
runc-1.1.3-2.module+el8.6.0+15917+093ca6f8.x86_64
[root@sweetpig-11 ~]# podman run -it -v /foo/data:/mnt/data:Z rhel7 ls -lZ /mnt/data
lrwxrwxrwx. root root system_u:object_r:container_file_t:s0:c481,c637 ls -> /usr/bin/ls
-rw-r--r--. root root system_u:object_r:container_file_t:s0:c481,c637 test.txt
[root@sweetpig-11 ~]# podman run -it -v /foo/data:/mnt/data:Z rhel7 /mnt/data/ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@sweetpig-11 ~]# podman run -it -v /foo/data:/mnt/data:Z rhel7 cat /mnt/data/test.txt
test
```

On 8.7

```
[root@ibm-x3650m4-01-vm-16 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 Beta (Ootpa)
[root@ibm-x3650m4-01-vm-16 ~]# rpm -q podman runc
podman-4.1.1-6.module+el8.7.0+15895+a6753917.x86_64
runc-1.1.3-2.module+el8.7.0+15895+a6753917.x86_64
[root@ibm-x3650m4-01-vm-16 ~]# podman run -it -v /foo/data:/mnt/data:Z rhel7 ls -lZ /mnt/data
lrwxrwxrwx. root root system_u:object_r:container_file_t:s0:c535,c760 ls -> /usr/bin/ls
-rw-r--r--. root root system_u:object_r:container_file_t:s0:c535,c760 test.txt
[root@ibm-x3650m4-01-vm-16 ~]# podman run -it -v /foo/data:/mnt/data:Z rhel7 /mnt/data/ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@ibm-x3650m4-01-vm-16 ~]# podman run -it -v /foo/data:/mnt/data:Z rhel7 cat /mnt/data/test.txt
test
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7457

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
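The reproducer above shows the defect as an `ls -lZ` listing in which the symlink carries no readable label while its sibling file is correctly labelled `container_file_t` with the container's MCS categories. The following check is an added example, not code from the bug report or from podman: it parses listings in the format shown above (constructed copies of the report's before/after output are embedded) and flags any entry, symlinks included, whose label is missing, has an unexpected type, or carries MCS categories that differ from the rest of the volume.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed samples, copied from the listings in this report (broken, then fixed).
BROKEN_LISTING = """\
ls: cannot access /mnt/data/ls: Permission denied
?--------- ? ?                                                         ls
-rw-r--r--. root root system_u:object_r:container_file_t:s0:c539,c772 test.txt
"""
FIXED_LISTING = """\
lrwxrwxrwx. root root system_u:object_r:container_file_t:s0:c481,c637 ls -> /usr/bin/ls
-rw-r--r--. root root system_u:object_r:container_file_t:s0:c481,c637 test.txt
"""

# mode user group label name [-> target]; a label must have user:role:type:level.
ENTRY_RE = re.compile(
    r"^(?P<mode>\S{10,11})\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<label>\S+:\S+:\S+:\S+)\s+(?P<name>.+?)(?: -> (?P<target>.+))?$"
)

def parse_ls_lz(listing: str) -> List[Dict[str, Optional[str]]]:
    """Turn each listing line into {name, type, label}; label is None when
    stat failed inside the container (the '?--------- ? ?' form above)."""
    entries = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("ls:"):  # skip the error message line
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m["name"], "type": m["mode"][0], "label": m["label"]})
        else:
            entries.append({"name": line.split()[-1], "type": "?", "label": None})
    return entries

def check_volume_labels(listing: str, expected_type: str = "container_file_t") -> List[str]:
    """One problem string per entry whose SELinux label is unreadable, has the
    wrong type, or whose MCS level differs from the majority of the volume."""
    entries = parse_ls_lz(listing)
    levels = Counter(e["label"].split(":", 3)[3] for e in entries if e["label"])
    common_level = levels.most_common(1)[0][0] if levels else None
    problems = []
    for e in entries:
        if e["label"] is None:
            problems.append(f"{e['name']}: label unreadable (stat failed)")
            continue
        _user, _role, ftype, level = e["label"].split(":", 3)
        if ftype != expected_type:
            problems.append(f"{e['name']}: type {ftype}, expected {expected_type}")
        elif level != common_level:
            problems.append(f"{e['name']}: MCS level {level} differs from {common_level}")
    return problems
```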