Bug 2156828
| Field | Value |
|---|---|
| Summary | crun is not whitelisted to run within fapolicyd |
| Product | Red Hat Enterprise Linux 9 |
| Reporter | zkharitonov |
| Component | fapolicyd |
| Assignee | Radovan Sroka <rsroka> |
| Status | NEW |
| Resolution | --- |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | low |
| Priority | unspecified |
| Version | 9.1 |
| CC | dapospis |
| Target Milestone | rc |
| Keywords | MigratedToJIRA, Triaged |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Created attachment 1934786
View crun unable to run when fapolicyd is enabled

Description of problem:
crun is not whitelisted and is unable to run within fapolicyd.

Version-Release number of selected component (if applicable):
crun version 1.5
commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
spec: 1.0.0

How reproducible:
Reproducible by running the crun command while fapolicyd is enabled.

Steps to Reproduce:
1. Ensure that fapolicyd is enabled by: systemctl status fapolicyd
2. Run the crun command: crun
3. Observe that crun cannot run while fapolicyd is enabled
4. View attachment for additional information

Actual results:
Running crun is disabled when fapolicyd is enabled.

Expected results:
Running crun should be successful when fapolicyd is enabled.

Additional info:
View attached screenshot to view additional information.

---

Comment:

fapolicyd is blocking direct ld.so execution with the ld_so pattern. For crun, I think a workaround would be adding a rule, before the pattern rule, that allows crun, from the following deny:

```
rule=5 dec=deny_audit perm=execute auid=0 pid=5043 exe=/usr/bin/crun : path=/usr/lib64/ld-linux-x86-64.so.2 ftype=application/x-sharedlib trust=1
```

A long-term solution could be something like an exception list.
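As an added example (not part of the bug report or of fapolicyd itself), the shell snippet below writes the narrow allow rule the comment above proposes and checks that it is merged ahead of the ld_so pattern deny, since a rule placed after the deny never fires. It assumes rules live in /etc/fapolicyd/rules.d and are merged in file-name order as fagenrules does, that the ld_so deny sits in 30-patterns.rules, and that 25-crun.rules is a free file name; all three are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or the fapolicyd project.
# Assumptions: rules.d files are merged in file-name order (fagenrules
# behaviour), the ld_so pattern deny lives in 30-patterns.rules, and
# 25-crun.rules is therefore a name that sorts ahead of it.
RULES_DIR="${RULES_DIR:-/etc/fapolicyd/rules.d}"

# The exception, mirroring the deny event from the report: subject is the
# crun binary, object is only the dynamic loader, both with trust=1 so a
# replaced crun or ld.so that is not in the trust database gets no exception.
crun_rule() {
    printf '%s\n' \
      'allow perm=execute exe=/usr/bin/crun trust=1 : path=/usr/lib64/ld-linux-x86-64.so.2 ftype=application/x-sharedlib trust=1'
}

# Write the rule into its own file so it sorts before 30-patterns.rules.
install_crun_rule() {
    crun_rule > "$RULES_DIR/25-crun.rules"
}

# Merge rules.d the way fagenrules does and compare the line numbers of the
# crun allow and the first ld_so deny; succeed only if the allow comes first.
check_order() {
    merged=$(cat "$RULES_DIR"/*.rules 2>/dev/null)
    allow_no=$(printf '%s\n' "$merged" | grep -n 'exe=/usr/bin/crun' | head -n 1 | cut -d: -f1)
    deny_no=$(printf '%s\n' "$merged" | grep -n 'pattern=ld_so' | head -n 1 | cut -d: -f1)
    printf 'crun allow at line %s, ld_so deny at line %s\n' "${allow_no:-none}" "${deny_no:-none}"
    [ -n "$allow_no" ] && [ -n "$deny_no" ] && [ "$allow_no" -lt "$deny_no" ]
}
```

On a real host, run fagenrules --load after installing the file and confirm with fapolicyd-cli --list that the crun allow is numbered below the ld_so deny.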