Bug 2392871
| Summary: | AVC check fails when beakerlib library rlWaitForSocket function is run. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ganna Starovoytova <gstarovo> |
| Component: | container-selinux | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 42 | CC: | amurdaca, asosedki, dwalsh, dweomer5, jchaloup, lsm5, lvrabec, pehunt, pholzing |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | container-selinux-2.242.0-1.fc42 container-selinux-2.242.0-1.fc41 container-selinux-2.242.0-1.fc43 | Doc Type: | --- |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2025-09-08 00:55:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Here's a smaller reproducer that doesn't use beakerlib or custom containers:
podman run fedora:42 /bin/sh -c 'dnf -y install ss && ss -nl --tcp'
sudo ausearch -m avc -ts recent
That gives me
time->Thu Sep 4 14:58:20 2025
type=AVC msg=audit(1756990700.051:18565): avc: denied { nlmsg_read } for pid=1738878 comm="ss" scontext=system_u:system_r:container_t:s0:c113,c412 tcontext=system_u:system_r:container_t:s0:c113,c412 tclass=netlink_tcpdiag_socket permissive=0
with
container-selinux-2.240.0-1.fc42
podman-5.5.2-1.fc42
iproute-0:6.12.0-3.fc42
Do you see this with container-selinux v2.241.0 https://bodhi.fedoraproject.org/updates/FEDORA-2025-ed320aaa31 ? Never mind, I see it on rawhide with container-selinux from the latest main. I'll create a PR upstream. Yep, same denial with container-selinux-2.241.0-1.fc42 PTAL https://github.com/containers/container-selinux/pull/399 . To test out the changes, follow the copr installation instructions at: https://dashboard.packit.dev/jobs/copr/2753744 in my testing, that 1d55427ba5c8e79a-container-selinux-2.241.0-1.20250904150520265949.pr399.9.g681bed9.fc42.noarch.rpm does make the AVC denial go away FEDORA-2025-a9062c828c (container-selinux-2.242.0-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a9062c828c FEDORA-2025-70af4a4430 (container-selinux-2.242.0-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-70af4a4430 FEDORA-2025-d08a78f5e8 (container-selinux-2.242.0-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-d08a78f5e8 FEDORA-2025-70af4a4430 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-70af4a4430` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-70af4a4430 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-a9062c828c has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-a9062c828c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-a9062c828c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-d08a78f5e8 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d08a78f5e8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d08a78f5e8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-70af4a4430 (container-selinux-2.242.0-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2025-d08a78f5e8 (container-selinux-2.242.0-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2025-a9062c828c (container-selinux-2.242.0-1.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report. |
The command that evokes the AVC to FAIL is rlWaitForSocket. The test starts the OpenSSL server and waits for the process to start. rlWaitForSocket pauses script execution until the local socket starts listening. Affects fedora 42 and fedora rawhide. Reproducible: Always Steps to Reproduce: The commands are run with the beaeklib testing library 1. Clone the repository (choosing the branch f42/rawhide) -b f42 ---> for fedora 42 -b main ---> for fedora rawhide rlRun "git clone -b f42 git:QUBIP/pq-container.git" 2. Go inside the directory rlRun "pushd pq-container" 2. Build and run the container. rlRun "podman build -t pq-container ." rlRun "podman run -dt localhost/pq-container" 3. Execute the test rlRun "podman exec -ti $container_id ./test.sh" Actual Results: [ ERROR ] AVC check: FAIL ---- type=AVC msg=audit(09/03/2025 07:05:49.708:2186) : avc: denied { nlmsg_read } for pid=34626 comm=ss scontext=system_u:system_r:container_t:s0:c6,c1002 tcontext=system_u:system_r:container_t:s0:c6,c1002 tclass=netlink_tcpdiag_socket permissive=0 Expected Results: AVC check: OK Additional Information: This bug seems to be similar to the bug described: https://bugzilla.redhat.com/show_bug.cgi?id=2090800