Description of problem:

[root@jlebon-tmp ~]# podman run --rm --privileged --userns=host alpine cat /proc/self/attr/current
system_u:system_r:container_t:s0:c189,c295

Version-Release number of selected component (if applicable):

[root@jlebon-tmp ~]# rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora-atomic:fedora/29/x86_64/atomic-host
                   Version: 29.20181011.n.0 (2018-10-11 11:37:46)
                    Commit: 5fbe7c478b5b0d3a33b0933592b62e24860a99fe64fef376d80dafa9088fb93e
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
[root@jlebon-tmp ~]# rpm -q podman
podman-0.9.3.1-1.git1cd906d.fc29.x86_64

How reproducible:
Always

Steps to Reproduce:
1. podman run --rm --privileged --userns=host alpine cat /proc/self/attr/current

Actual results:
container_t

Expected results:
spc_t

Additional info:
Reported upstream as https://github.com/containers/libpod/issues/1575.
Fixed upstream in https://github.com/containers/libpod/pull/1576.

The end result of this bug is that privileged containers do not have the access expected, which is a major hindrance on platforms where the privileged pet container pattern is common, like FAH and Silverblue:

[root@jlebon-tmp ~]# podman run --rm -ti --privileged -v $HOME:$HOME --workdir $HOME --userns=host alpine /bin/sh
~ # touch foo
touch: foo: Permission denied
~ #
[root@jlebon-tmp ~]# ausearch -m avc -ts recent
----
time->Fri Oct 12 15:14:38 2018
type=PROCTITLE msg=audit(1539357278.583:308): proctitle="/bin/sh"
type=SYSCALL msg=audit(1539357278.583:308): arch=c000003e syscall=2 success=no exit=-13 a0=7f54e4591ba9 a1=441 a2=180 a3=0 items=0 ppid=2209 pid=2221 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c319,c675 key=(null)
type=AVC msg=audit(1539357278.583:308): avc: denied { write } for pid=2221 comm="sh" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:container_t:s0:c319,c675 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
----
time->Fri Oct 12 15:14:38 2018
type=PROCTITLE msg=audit(1539357278.585:309): proctitle=746F75636800666F6F
type=SYSCALL msg=audit(1539357278.585:309): arch=c000003e syscall=2 success=no exit=-13 a0=7ffcc8641f58 a1=42 a2=1b6 a3=0 items=0 ppid=2221 pid=2233 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="touch" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c319,c675 key=(null)
type=AVC msg=audit(1539357278.585:309): avc: denied { write } for pid=2233 comm="touch" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:container_t:s0:c319,c675 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
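The check a practitioner would want after reading the report above is twofold: confirm which SELinux domain a --privileged podman container actually lands in (spc_t is unconfined with respect to the host's files; container_t is the confined domain with MCS categories that produced the denials), and reduce the ausearch output to the fields that matter. The script below is an added example and is not part of the bug report or of podman itself. The function names and the awk-based parsing are my own; the embedded audit records are copied from the report and used as sample input so the parsing part runs offline, while the podman reproducer only runs when podman is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): inspect the SELinux label of a
# privileged podman container and summarise AVC denials from ausearch output.

# Third colon-separated field of an SELinux context is the type (domain):
#   system_u:system_r:container_t:s0:c189,c295 -> container_t
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when the label is the super-privileged container domain.
is_spc() {
    [ "$(label_type "$1")" = "spc_t" ]
}

# The reproducer from the report. Returns 2 when podman is not installed.
# Affected podman (0.9.3.1) prints container_t; fixed builds print spc_t.
privileged_label() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed" >&2; return 2; }
    podman run --rm --privileged --userns=host alpine cat /proc/self/attr/current
}

# Reduce 'ausearch -m avc' records on stdin to one line per denial:
#   <comm> <permissions> <source type> -> <target type> <class>
# Only type=AVC records are used; PROCTITLE/SYSCALL records are skipped.
avc_summary() {
    awk '
    /type=AVC/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep text after "denied {"
        sub(/ *[}].*/, "", perms)           # drop everything from "}" on
        comm = ""; s = ""; t = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s); split(s, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t); split(t, b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        print comm, perms, s, "->", t, cls
    }'
}

# Sample input: the two AVC records from the report, one record per line.
SAMPLE_AUDIT='type=AVC msg=audit(1539357278.583:308): avc:  denied  { write } for  pid=2221 comm="sh" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:container_t:s0:c319,c675 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1539357278.585:309): avc:  denied  { write } for  pid=2233 comm="touch" name="roothome" dev="dm-0" ino=8525295 scontext=system_u:system_r:container_t:s0:c319,c675 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0'

# Stand-alone run: summarise the sample, then check the live label if possible.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
if command -v podman >/dev/null 2>&1; then
    label=$(privileged_label)
    if is_spc "$label"; then
        echo "privileged container runs as spc_t (expected)"
    else
        echo "privileged container runs as $(label_type "$label") (bug present)"
    fi
fi
```

On an affected host the summary reads "sh write container_t -> admin_home_t dir": a container_t process denied write on the root home directory, which is exactly why touch fails in the bind-mounted $HOME. A spc_t process would not generate that denial. On a live system, feed real records with `ausearch -m avc -ts recent | avc_summary`.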
podman-0.10.1-1.gite4a1553.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ac8f4cb9f0
Proposed as a Freeze Exception for 29-final by Fedora user dustymabe using the blocker tracking app because: We'd like to have containers run by podman be executed in the right selinux context.
podman-0.10.1-1.gite4a1553.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ac8f4cb9f0
Is there a particular reason this needs to be in the compose, and wouldn't be OK as a zero-day update?
Well, I guess we don't exactly have zero-day updates for ostree-based systems, so I guess that's an argument...
yeah that's the main reason
Discussed during the 2018-10-15 blocker review meeting: [1] The decision to classify this bug as an "AcceptedFreezeException" was made to make sure ostree-based installs work correctly on day one. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-10-15/f29-blocker-review.2018-10-15-16.00.txt
Thanks!!
podman-0.10.1-1.gite4a1553.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.