Bug 2142597
| Summary: | Rootless Podman on RHEL8 as user_u returns exec /bin/bash: permission denied | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | ryan.parker |
| Component: | container-selinux | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED MIGRATED | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.6 | CC: | bbaude, dornelas, dwalsh, jligon, jnovy, lsm5, lvrabec, mheon, mmalik, nknazeko, pthomas, tsweeney, umohnani |
| Target Milestone: | rc | Keywords: | MigratedToJIRA |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-09-11 19:06:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This is going to be difficult to fix properly. Right now container_runtime_t is an unconfined domain and can transition to spc_t, which is an unconfined domain; allowing a confined user like user_t to do this would be a security risk. I think we would need to rethink container technology to prevent the spc_t type from the user_r role. I am also not sure whether podman currently runs containers as user_u:user_r:container_t:MCS, or whether it forces system_u:system_r:container_t:MCS.

Adding @dornelas to the cc as an FYI.

What are the security implications of having a user, in this case a generic user with no sudo privileges, be assigned to the staff_u role? It appears that staff_u does not encounter the same issues when running containers as user_u does. For what it's worth, while all of my administrator accounts are mapped to staff_u, my sudoers file maps to an Active Directory group for administrators only, whose role and type are sysadm_r and sysadm_t (this is another STIG requirement).

You could have them associated with the staff_r role (not the staff_u user); then they would only get access to staff_t, which is little different than user_r (user_u). They would not be able to become sysadm_r, which is what they are after.

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to the Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.

You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567. In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
Description of problem:
The Defense Information Systems Agency released a new Security Technical Implementation Guide for RHEL8 for Q4 2022. This version, V1R8, introduces a new requirement: all administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization. As such, implementing this requirement prevents users from being able to create containers from container images.

Version-Release number of selected component (if applicable):
RHEL8.6 4.18.0-372.26.1.el8_6.x86_64
Podman: podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64

How reproducible:
Works with every container I try to import and run.

Steps to Reproduce:
1. Map all applicable admins to the staff_u role: semanage login -a -s staff_u <username>
2. Set the default SELinux context to user_u: semanage login -m -s user_u -r s0 __default__
3. Perform a SELinux relabel
4. Reboot
5. On a system with an active internet connection, pull an image and save it to a tarball: sudo docker save -o ~/Downloads/ubi9.tar registry.access.redhat.com/ubi9/ubi:latest
6. Transfer the tarball to the airgapped RHEL8 system
7. As a regular user, load the tarball: podman load < ./ubi9.tar
8. Test to see if the container works: podman run -it registry.access.redhat.com/ubi9/ubi:latest /bin/bash

Actual results:
Encounter permission denied error

```
[rparker70_user@rhel8swtest ~]$ podman run -it registry.access.redhat.com/ubi9/ubi:latest /bin/bash
exec /bin/bash: permission denied
```

Expected results:
The user should be able to run a podman container.

Additional info:
The only additional SELinux error I could find is below:

```
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/podman from using the rlimitinh access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that podman should be allowed rlimitinh access on processes labeled container_runtime_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'podman' --raw | audit2allow -M my-podman
# semodule -X 300 -i my-podman.pp

Additional Information:
Source Context                user_u:user_r:user_t:s0
Target Context                user_u:user_r:container_runtime_t:s0
Target Objects                /usr/bin/podman [ process ]
Source                        podman
Source Path                   /usr/bin/podman
Port                          <Unknown>
Host                          rhel8swtest.scd.secret
Source RPM Packages           podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
Target RPM Packages           podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel8swtest.scd.secret
Platform                      Linux rhel8swtest.scd.secret 4.18.0-372.26.1.el8_6.x86_64 #1 SMP Sat Aug 27 02:44:20 EDT 2022 x86_64 x86_64
Alert Count                   2
First Seen                    2022-11-14 09:21:17 EST
Last Seen                     2022-11-14 09:22:40 EST
Local ID                      8c48533a-4295-4cb3-9398-d3b9220bff0d

Raw Audit Messages
type=AVC msg=audit(1668435760.293:5993): avc:  denied  { rlimitinh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0

type=AVC msg=audit(1668435760.293:5993): avc:  denied  { siginh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0

type=SYSCALL msg=audit(1668435760.293:5993): arch=x86_64 syscall=execve success=yes exit=0 a0=5594eda5a240 a1=5594ed8e1a70 a2=5594eda59960 a3=8 items=2 ppid=377132 pid=381745 auid=1570801184 uid=1570801184 gid=1570800513 euid=1570801184 suid=1570801184 fsuid=1570801184 egid=1570800513 sgid=1570800513 fsgid=1570800513 tty=pts1 ses=4 comm=podman exe=/usr/bin/podman subj=user_u:user_r:container_runtime_t:s0 key=(null) ARCH=x86_64 SYSCALL=execve AUID=rparker70_user UID=rparker70_user GID=646F6D61696E207573657273 EUID=rparker70_user SUID=rparker70_user FSUID=rparker70_user EGID=646F6D61696E207573657273 SGID=646F6D61696E207573657273 FSGID=646F6D61696E207573657273

type=CWD msg=audit(1668435760.293:5993): cwd=/home/rparker70_user

type=PATH msg=audit(1668435760.293:5993): item=0 name=/usr/bin/podman inode=18514223 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID=root OGID=root

Hash: podman,user_t,container_runtime_t,process,rlimitinh
```
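The raw audit records quoted in the report, run through an added Python triage helper. This is example code written for this page; it is not part of the bug report, podman or container-selinux. It groups records by audit serial so each AVC sits next to the SYSCALL it was raised in, decodes the hex-encoded group name that ausearch -i emits for names containing spaces, and checks whether the denied permissions are the execve-time inheritance checks (rlimitinh, siginh, noatsecure) that never fail an exec on their own. The sample input is the report's own three records, reduced to the fields the script reads; the field names are standard audit fields, and the classification thresholds (which roles count as confined user roles, which permissions are inheritance-only) are this example's assumptions.

```python
import re

# Constructed sample input: the raw audit records quoted in the report,
# reduced to the fields this script reads. All three carry serial 5993.
SAMPLE_RECORDS = """\
type=AVC msg=audit(1668435760.293:5993): avc:  denied  { rlimitinh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=AVC msg=audit(1668435760.293:5993): avc:  denied  { siginh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1668435760.293:5993): arch=x86_64 syscall=execve success=yes exit=0 ppid=377132 pid=381745 comm=podman exe=/usr/bin/podman subj=user_u:user_r:container_runtime_t:s0 AUID=rparker70_user GID=646F6D61696E207573657273
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# execve-time checks that never fail the exec when denied: the kernel only
# withholds inherited state from the new domain (rlimits reset, pending
# signals flushed, AT_SECURE set). Assumption of this example.
INHERITANCE_PERMS = {"rlimitinh", "siginh", "noatsecure"}

# ausearch -i hex-encodes (uppercase) a resolved name that contains spaces or
# control characters, which is why GID shows as 646F6D61696E207573657273.
HEX_NAME_FIELDS = {"AUID", "UID", "EUID", "SUID", "FSUID", "GID", "EGID", "SGID", "FSGID", "proctitle"}

# Roles this example treats as confined user roles (assumption).
CONFINED_USER_ROLES = {"user_r", "staff_r"}


def decode_hex_name(value):
    """Decode an audit hex-encoded name; return the input unchanged if it is not one."""
    if len(value) >= 2 and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        try:
            text = bytes.fromhex(value).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return value
        if text.isprintable():
            return text
    return value


def parse_record(line):
    """Split one raw record into type, serial and a field dict (None if not an audit record)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "fields": {}}
    for key, raw in FIELD_RE.findall(m["body"]):
        value = raw.strip('"')
        rec["fields"][key] = decode_hex_name(value) if key in HEX_NAME_FIELDS else value
    if rec["type"] == "AVC":
        avc = AVC_RE.search(m["body"])
        rec["decision"] = avc.group(1) if avc else None
        rec["perms"] = avc.group(2).split() if avc else []
    return rec


def group_events(text):
    """Group records by audit serial so AVCs sit next to the SYSCALL they belong to."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def triage_event(records):
    """Summarise one event: what was denied, from which role, and whether the syscall failed."""
    avcs = [r for r in records if r["type"] == "AVC" and r["decision"] == "denied"]
    syscall = next((r["fields"] for r in records if r["type"] == "SYSCALL"), {})
    denied = sorted({p for r in avcs for p in r["perms"]})
    roles = {r["fields"]["scontext"].split(":")[1] for r in avcs if "scontext" in r["fields"]}
    summary = {
        "denied": denied,
        "contexts": sorted({(r["fields"].get("scontext"), r["fields"].get("tcontext"), r["fields"].get("tclass")) for r in avcs}),
        "syscall": syscall.get("syscall"),
        "syscall_succeeded": syscall.get("success") == "yes" if syscall else None,
        "new_domain": syscall.get("subj"),
        "groups": syscall.get("GID"),
        "confined_user_role": bool(roles & CONFINED_USER_ROLES),
        "inheritance_only": bool(denied) and set(denied) <= INHERITANCE_PERMS,
    }
    if summary["inheritance_only"] and summary["syscall_succeeded"]:
        summary["verdict"] = "execve succeeded; these denials only strip inherited rlimits/signals and do not explain a later permission denied"
    elif summary["syscall_succeeded"] is False:
        summary["verdict"] = "syscall failed; this denial is a candidate cause"
    else:
        summary["verdict"] = "no failed syscall attached; keep looking at later events"
    return summary


def triage(text=SAMPLE_RECORDS):
    """Triage every event in a block of raw audit records, keyed by serial."""
    return {serial: triage_event(recs) for serial, recs in group_events(text).items()}


if __name__ == "__main__":
    for serial, summary in triage().items():
        print(f"event {serial}: denied={summary['denied']} new_domain={summary['new_domain']} groups={summary['groups']!r}")
        print(f"  {summary['verdict']}")
```

For the report's event 5993 the helper returns denied=['rlimitinh', 'siginh'], syscall_succeeded=True, new_domain=user_u:user_r:container_runtime_t:s0 and groups='domain users'. That confirms what the SYSCALL record already says: podman entered container_runtime_t under the user_r role, just without inherited rlimits or signal state, so these two AVCs are noise relative to the "exec /bin/bash: permission denied" that appears later, when the runtime tries to start the container process. The next thing to check is the audit log for records from that later step; if nothing is logged, dontaudit rules may be hiding the denial, and `semodule -DB` (re-enable afterwards with `semodule -B`) makes them visible.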