Bug 1671027 - Building of ipa-server image with Podman on Fedora 29 via Beaker task produces AVC denial
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: podman
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-30 15:30 UTC by Oleg Kozlov
Modified: 2019-08-14 10:34 UTC (History)

Fixed In Version: podman-1.1.2-1.git0ad9b6b.fc29 podman-1.1.2-1.git0ad9b6b.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-14 10:34:12 UTC



Description Oleg Kozlov 2019-01-30 15:30:57 UTC
Description of problem:
The Beaker task fails at ipa-server image building with Podman (podman build) on Fedora 29 if SELinux is in enforcing mode (AVCs listed below); the same task works fine with Docker. If SELinux is in permissive mode (setenforce 0), image building works with Podman.

Version-Release number of selected component (if applicable):
$ rpm -q podman
podman-1.0.0-1.git82e8011.fc29.x86_64
$ rpm -q container-selinux
container-selinux-2.80-1.git1b655d9.fc29.noarch
$ rpm -qa | grep selinux-policy
selinux-policy-targeted-3.14.2-47.fc29.noarch
selinux-policy-3.14.2-47.fc29.noarch

How reproducible:
Run beaker job for building ipa-server image with Podman on Fedora 29.

Steps to Reproduce:
1. Setup job to use Fedora 29 as host system, Podman and Dockerfile.fedora-29
2. Run job

Actual results:
Building fails with "tee: /dev/stderr: Permission denied", see full error message below

Expected results:
Image building works on Fedora 29 with Podman

Additional info:

Full error message
```
STEP 40: RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-rhel-8.patch | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall
tee: /dev/stderr: Permission denied
Compiling '/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py'...
Compiling '/usr/lib/python3.6/site-packages/ipapython/kernel_keyring.py'...
error building at step {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=oci] Command:run Args:[set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-rhel-8.patch | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall] Flags:[] Attrs:map[] Message:RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-rhel-8.patch | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall Original:RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-rhel-8.patch | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall}: error while running runtime: exit status 1
:: [ 06:16:30 ] :: [   FAIL   ] :: Command 'podman build --tls-verify=false -t freeipa-server:rhel-8-rhel-8 -f freeipa-server-rhel-8-rhel-8/Dockerfile.rhel-8 freeipa-server-rhel-8-rhel-8' (Expected 0, got 125)
```

AVC
```
----
time->Wed Jan 30 08:42:43 2019
type=AVC msg=audit(1548855763.160:243): avc:  denied  { add_name } for  pid=2576 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c210,c943 tcontext=system_u:system_r:container_t:s0:c210,c943 tclass=dir permissive=1
----
time->Wed Jan 30 08:42:43 2019
type=AVC msg=audit(1548855763.160:244): avc:  denied  { associate } for  pid=2576 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c210,c943 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Wed Jan 30 08:42:43 2019
type=AVC msg=audit(1548855763.160:245): avc:  denied  { open } for  pid=2576 comm="tee" path="pipe:[140202]" dev="pipefs" ino=140202 scontext=system_u:system_r:container_t:s0:c210,c943 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
----
time->Wed Jan 30 08:42:46 2019
type=AVC msg=audit(1548855766.549:246): avc:  denied  { add_name } for  pid=2814 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c737,c977 tcontext=system_u:system_r:container_t:s0:c737,c977 tclass=dir permissive=1
----
time->Wed Jan 30 08:42:46 2019
type=AVC msg=audit(1548855766.549:247): avc:  denied  { associate } for  pid=2814 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c737,c977 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Wed Jan 30 08:42:46 2019
type=AVC msg=audit(1548855766.549:248): avc:  denied  { open } for  pid=2814 comm="tee" path="pipe:[145431]" dev="pipefs" ino=145431 scontext=system_u:system_r:container_t:s0:c737,c977 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
```

I was not able to reproduce this issue with `podman build` and `podman run` in a clean virtual machine with Fedora 29 (without the Beaker task), but this issue happens every time with Beaker when Podman is used; at the same time, Beaker tasks work fine with Docker.

Comment 2 Daniel Walsh 2019-01-30 15:55:43 UTC
This looks like a container is attempting to communicate back with the parent, which we are blocking.  We do not want to allow containers to connect back to container_runtime_t.
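The denials in the description, and the boundary Dan Walsh describes in comment 2, as an added example that is not part of this bug report or of the podman or container-selinux code: a small Python parser that reads `type=AVC` audit records and classifies each denial by the SELinux types on its source and target contexts. The sample input is constructed for this example (the three records from the first failing build step above, plus one non-AVC line to show it is skipped), and the function names `parse_avcs`, `classify` and `summarize` are this example's own. The check that matters for comment 2 is a source type of `container_t` against a target type of `container_runtime_t`: the container process (`tee`, opening `/dev/stderr`, which resolves through `/proc/self/fd/2` to the pipe the build runtime holds) is reopening an object owned by the runtime, and that is the access the policy refuses. The `permissive=1` field on every record means the kernel logged the access without blocking it, which is what a listing taken under `setenforce 0` looks like; in enforcing mode the same records would carry `permissive=0` and the open would fail as the build output shows.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the three AVC records from the first failing build
# step in the report, plus one non-AVC audit line to show that it is skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1548855763.160:243): avc:  denied  { add_name } for  pid=2576 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c210,c943 tcontext=system_u:system_r:container_t:s0:c210,c943 tclass=dir permissive=1
type=AVC msg=audit(1548855763.160:244): avc:  denied  { associate } for  pid=2576 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c210,c943 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1548855763.160:245): avc:  denied  { open } for  pid=2576 comm="tee" path="pipe:[140202]" dev="pipefs" ino=140202 scontext=system_u:system_r:container_t:s0:c210,c943 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=CWD msg=audit(1548855763.160:245): cwd="/"
"""

# "type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  k=v k=v ..."
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    serial: int
    verdict: str
    perms: Tuple[str, ...]
    fields: Dict[str, str] = field(default_factory=dict)

    def ctx_type(self, key: str) -> str:
        """SELinux type (third colon-separated field) of scontext or tcontext."""
        parts = self.fields.get(key, "").split(":")
        return parts[2] if len(parts) > 2 else ""

    @property
    def permissive(self) -> bool:
        """True when the kernel logged the access but did not block it."""
        return self.fields.get("permissive") == "1"


def parse_avcs(text: str) -> List[Avc]:
    """Return one Avc per type=AVC line; every other audit record type is ignored."""
    records: List[Avc] = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(Avc(int(m.group("serial")), m.group("verdict"),
                           tuple(m.group("perms").split()), fields))
    return records


def classify(avc: Avc) -> str:
    """Bucket a denial by the boundary it crosses.

    container_to_runtime: a container_t process touching a container_runtime_t
        object (here: reopening the runtime's stderr pipe via /dev/stderr); the
        policy refuses this on purpose.
    procfs_associate: a container label being associated with the proc_t
        filesystem (the 'associate' check on tclass=filesystem).
    intra_domain: source and target share a type (e.g. container_t dir in the
        container's own /proc/self/fd view).
    """
    src, tgt = avc.ctx_type("scontext"), avc.ctx_type("tcontext")
    tclass = avc.fields.get("tclass", "")
    if src == "container_t" and tgt == "container_runtime_t":
        return "container_to_runtime"
    if tclass == "filesystem" and tgt == "proc_t" and "associate" in avc.perms:
        return "procfs_associate"
    if src == tgt:
        return "intra_domain"
    return "other"


def summarize(text: str) -> Dict[str, int]:
    """Count denied records per class; granted records are not counted."""
    counts: Dict[str, int] = {}
    for avc in parse_avcs(text):
        if avc.verdict != "denied":
            continue
        bucket = classify(avc)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_avcs(SAMPLE_AUDIT):
        print(rec.serial, rec.fields.get("comm"), rec.perms, classify(rec),
              "permissive" if rec.permissive else "enforced")
    print(summarize(SAMPLE_AUDIT))
```

Run against `ausearch -m avc --raw` output (or the pasted records) the `container_to_runtime` bucket is the one to look at first: a non-empty count there is a container process reaching an object the runtime owns, which is the access container-selinux is designed not to grant, so the fix belongs in how the build step writes to its output (it already holds fd 2 and does not need to reopen it), not in loosening the policy.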

Comment 3 Fedora Update System 2019-02-27 13:30:17 UTC
podman-1.1.0-1.git006206a.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

Comment 4 Fedora Update System 2019-02-27 13:30:30 UTC
podman-1.1.0-1.git006206a.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

Comment 5 Fedora Update System 2019-02-28 18:55:38 UTC
podman-1.1.0-1.git006206a.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

Comment 6 Fedora Update System 2019-02-28 21:26:28 UTC
podman-1.1.0-1.git006206a.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

Comment 7 Fedora Update System 2019-03-05 19:11:08 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

Comment 8 Fedora Update System 2019-03-05 19:11:21 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

Comment 9 Fedora Update System 2019-03-06 15:12:57 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

Comment 10 Fedora Update System 2019-03-06 15:57:12 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

Comment 11 Fedora Update System 2019-03-10 18:23:28 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2019-03-15 03:35:14 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Tibor Dudlák 2019-06-17 15:23:42 UTC
I still have issues while building a container on Fedora 29 with selinux-policy-3.14.2-51.fc29.noarch, but now without the denied open for target container_runtime_t.

```
# ausearch -m avc 
----
time->Mon Jun 17 10:39:31 2019
type=AVC msg=audit(1560782371.949:532): avc:  denied  { add_name } for  pid=17893 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c111,c308 tcontext=system_u:system_r:container_t:s0:c111,c308 tclass=dir permissive=1
----
time->Mon Jun 17 10:39:31 2019
type=AVC msg=audit(1560782371.951:533): avc:  denied  { associate } for  pid=17893 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c111,c308 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Mon Jun 17 10:39:35 2019
type=AVC msg=audit(1560782375.796:534): avc:  denied  { add_name } for  pid=17998 comm="tee" name="2" scontext=system_u:system_r:container_t:s0:c51,c174 tcontext=system_u:system_r:container_t:s0:c51,c174 tclass=dir permissive=1
----
time->Mon Jun 17 10:39:35 2019
type=AVC msg=audit(1560782375.799:535): avc:  denied  { associate } for  pid=17998 comm="tee" name="2" scontext=system_u:object_r:container_t:s0:c51,c174 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
```

Comment 14 Tibor Dudlák 2019-06-17 16:16:45 UTC
An update for comment https://bugzilla.redhat.com/show_bug.cgi?id=1671027#c13 package version: container-selinux-2.101-1.gitb0061dc.fc29.noarch

Comment 15 Daniel Walsh 2019-06-17 16:58:04 UTC
I cannot get this to recreate. Could you see if you can get a simpler Dockerfile to make this happen?

```
FROM fedora
RUN cat /etc/passwd | tee /etc/stderr | grep root
ENTRYPOINT /usr/bin/sh
```

This works for me on Fedora.

