Bug 1672891 - Many many AVCs from rootless podman on a system with unconfined disabled
Summary: Many many AVCs from rootless podman on a system with unconfined disabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 29
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-02-06 06:52 UTC by Robin Powell
Modified: 2019-04-16 04:03 UTC (History)

Fixed In Version: container-selinux-2.82-1.git5e1f62f.fc29 container-selinux-2.82-1.git5e1f62f.fc28 container-selinux-2.95-1.gite3ebc68.fc30 container-selinux-2.95-1.gite3ebc68.fc29
Clone Of:
Environment:
Last Closed: 2019-04-13 00:03:51 UTC
Type: Bug
Embargoed:



Description Robin Powell 2019-02-06 06:52:16 UTC
On a system with unconfined disabled,

podman run --rm -it fedora:28 echo 'Hello world'

causes 76 lines of AVCs, which you can find at http://users.teddyb.org/~rlpowell//media/regular/podman_avcs_2019-02-05.txt

I kind of assume you haven't worked on selinux for rootless podman yet? Except I know dwalsh is huge into podman (which, by the way, I *absolutely love*), so that seems odd.

Comment 1 Robin Powell 2019-02-06 06:54:25 UTC
Hmm.  Looking at what audit2allow comes up with, I wonder if it isn't so much "rootless podman doesn't work" as "rootless podman doesn't work as staff_t".

Comment 2 Daniel Walsh 2019-02-06 18:52:45 UTC
Makes sense.

Comment 3 Lukas Vrabec 2019-02-11 16:04:36 UTC
Could you please update SELinux denials somewhere else? I cannot access it. I'll do my best to fix it ASAP.

Comment 4 Daniel Walsh 2019-02-11 16:11:09 UTC
I have updated container-selinux to allow transitions from sysadm_t, staff_t and user_t to container runtimes domains.

container-selinux-2.82

Comment 5 Lukas Vrabec 2019-02-11 16:18:03 UTC
Moving to container-selinux component then. 

Thanks,
Lukas.

Comment 6 Fedora Update System 2019-02-17 18:30:36 UTC
container-selinux-2.82-1.git5e1f62f.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ce1a6c2ac9

Comment 7 Fedora Update System 2019-02-17 18:30:43 UTC
container-selinux-2.82-1.git5e1f62f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b75beee237

Comment 8 Fedora Update System 2019-02-18 02:38:03 UTC
container-selinux-2.82-1.git5e1f62f.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ce1a6c2ac9

Comment 9 Fedora Update System 2019-02-18 03:05:51 UTC
container-selinux-2.82-1.git5e1f62f.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b75beee237

Comment 10 Fedora Update System 2019-02-24 02:32:45 UTC
container-selinux-2.82-1.git5e1f62f.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2019-02-26 01:29:54 UTC
container-selinux-2.82-1.git5e1f62f.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Robin Powell 2019-04-04 16:35:56 UTC
I'm *really* sorry, I missed the comment that you couldn't see the link I gave.  :(

Here it is, fixed:  http://users.teddyb.org/~rlpowell//media/public/podman_avcs_2019-02-05.txt

And here's the one I generated just this morning, with updated everything, running the same command:

http://users.teddyb.org/~rlpowell//media/public/podman_avcs_2019-04-04.txt

on a host with unconfined disabled.

Let me know if you want me to open a new bug, instead.

Comment 13 Daniel Walsh 2019-04-04 16:41:15 UTC
optional_policy(`
	gen_require(`
		type sysadm_t, staff_t, user_t;
		role sysadm_r, staff_r, user_r;
	')

	container_runtime_run(sysadm_t, sysadm_r)
	role sysadm_r types container_t;
	role sysadm_r types spc_t;

	container_runtime_run(staff_t, staff_r)
	role staff_r types container_t;

	container_runtime_run(user_t, user_r)
	role user_r types container_t;
')
This policy should have caused a transition from staff_t to container_runtime_t when you execute podman.


Is podman labeled container_runtime_exec_t?

Comment 14 Lukas Vrabec 2019-04-05 17:37:37 UTC
Robin, 

Could you please test the suggestion from comment #13?


# cat local_podman_staff.te                                        
policy_module(local_podman_staff, 1.0)

optional_policy(`
	gen_require(`
		type sysadm_t, staff_t, user_t, container_t, spc_t;
		role sysadm_r, staff_r, user_r;
	')

	container_runtime_run(sysadm_t, sysadm_r)
	role sysadm_r types container_t;
	role sysadm_r types spc_t;

	container_runtime_run(staff_t, staff_r)
	role staff_r types container_t;

	container_runtime_run(user_t, user_r)
	role user_r types container_t;
')

# make -f /usr/share/selinux/devel/Makefile local_podman_staff.pp
# semodule -i local_podman_staff.pp

Thanks,
Lukas.
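Comment 13 asks whether podman carries the container_runtime_exec_t label, and comment 1 guesses that the denials come from podman running as staff_t instead of transitioning. The script below is an added example for checking both questions; it is not part of this bug report or of container-selinux. It parses standard audit.log AVC records (the three sample records embedded in it are constructed, not taken from the reporter's attachment), collapses a long denial dump into distinct source/target/class/permission combinations, and reports which source domains appear. The live checks at the end (id -Z, ls -Z, ausearch) only run when the script is invoked with --live on an SELinux host.

```shell
#!/bin/sh
# Added example: triage AVC records for a rootless podman run and check
# whether the podman binary has the label that container_runtime_run()
# transitions from. Not code from the bug report or from container-selinux.

# Print the type (third field) of an SELinux context, e.g.
# staff_u:staff_r:staff_t:s0-s0:c0.c1023 -> staff_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC records on stdin; print "source_type target_type class { perms }"
# once per distinct combination, so dozens of denials collapse to a few lines.
avc_summary() {
    awk '
        /avc: +denied/ {
            perms = ""; src = ""; tgt = ""; cls = ""
            s = index($0, "{"); e = index($0, "}")
            if (s > 0 && e > s) perms = substr($0, s, e - s + 1)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass")   cls = kv[2]
            }
            key = src " " tgt " " cls " " perms
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Return 0 if an `ls -Z` output line ("context path") shows the type that
# container_runtime_run() transitions from, i.e. container_runtime_exec_t.
is_runtime_exec_label() {
    ctx=$(printf '%s\n' "$1" | awk '{print $1}')
    [ "$(context_type "$ctx")" = "container_runtime_exec_t" ]
}

# Constructed sample records (not from the report's attachment), of the kind a
# staff_t user would see if podman never left staff_t.
SAMPLE_AVCS='type=AVC msg=audit(1549430000.001:101): avc:  denied  { execute } for  pid=1001 comm="podman" name="conmon" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1549430000.002:102): avc:  denied  { execute } for  pid=1001 comm="podman" name="conmon" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1549430000.003:103): avc:  denied  { mounton } for  pid=1002 comm="podman" path="/home/user/.local/share/containers/storage" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0'

# Distinct denial rules in the sample.
sample_summary() {
    printf '%s\n' "$SAMPLE_AVCS" | avc_summary
}

# Distinct source domains in the sample. If the only one is staff_t, the
# denials mean "podman stayed in staff_t", which is what comment 1 concluded.
sample_source_domains() {
    sample_summary | awk '{print $1}' | sort -u
}

# Live checks on an SELinux host; run as: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "current context: $(id -Z)"
    echo "podman label:    $(ls -Z "$(command -v podman)")"
    echo "distinct denials for comm=podman:"
    ausearch -m AVC -c podman -r 2>/dev/null | avc_summary
fi
```

With --live, a binary reported as anything other than container_runtime_exec_t (for example bin_t after a careless copy or an unrelabeled install) explains a missing transition before any policy change is attempted; a summary whose only source domain is staff_t points at the role/type transition that the local module in comment 14 adds.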

Comment 15 Fedora Update System 2019-04-05 21:08:51 UTC
container-selinux-2.95-1.gite3ebc68.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e36ddd5a5

Comment 16 Fedora Update System 2019-04-05 21:09:06 UTC
container-selinux-2.95-1.gite3ebc68.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-00c60ff381

Comment 17 Fedora Update System 2019-04-06 18:38:25 UTC
container-selinux-2.95-1.gite3ebc68.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-00c60ff381

Comment 18 Fedora Update System 2019-04-06 20:51:25 UTC
container-selinux-2.95-1.gite3ebc68.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e36ddd5a5

Comment 19 Fedora Update System 2019-04-13 00:03:51 UTC
container-selinux-2.95-1.gite3ebc68.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2019-04-16 04:03:51 UTC
container-selinux-2.95-1.gite3ebc68.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

