Bug 1680475 - podman AVCs on a host with unconfined disabled
Summary: podman AVCs on a host with unconfined disabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: podman
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-02-25 07:05 UTC by Robin Powell
Modified: 2019-03-15 03:35 UTC (History)

Fixed In Version: podman-1.1.2-1.git0ad9b6b.fc29 podman-1.1.2-1.git0ad9b6b.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-10 18:23:26 UTC



Description Robin Powell 2019-02-25 07:05:20 UTC
This is from running commands as root in a podman run as root:

$ ping [anything]

, or anything else that tries to do DNS, gives:

type=AVC msg=audit(1551078174.053:1832041): avc:  denied  { read } for  pid=31114 comm="ping" name="resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551078174.053:1832041): avc:  denied  { open } for  pid=31114 comm="ping" path="/etc/resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551078174.053:1832042): avc:  denied  { getattr } for  pid=31114 comm="ping" path="/etc/resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1

Comment 1 Daniel Walsh 2019-02-25 14:00:15 UTC
Which version of podman are you using?
What command did you execute?

Comment 2 Robin Powell 2019-02-25 15:39:33 UTC
I updated everything before my last test:

container-selinux.noarch                      2:2.82-1.git5e1f62f.fc29       @updates
container-storage-setup.noarch                0.11.0-4.dev.git413b408.fc29   @fedora
containernetworking-plugins.x86_64            0.7.4-1.fc29                   @updates
containers-common.x86_64                      1:0.1.34-1.dev.gite96a9b0.fc29 @updates
criu.x86_64                                   3.11-1.fc29                    @updates
oci-systemd-hook.x86_64                       1:0.1.17-3.gitbd86a79.fc29     @fedora
oci-umount.x86_64                             2:2.5-1.gitc3cda1f.fc29        @updates
podman.x86_64                                 1:1.0.0-1.git82e8011.fc29      @updates

The command was:

$ sudo podman exec -it [pod] ping lojban.org

, against an already-running container, but anything that causes a DNS lookup (nc, apt-get install; anything hostname-based) will do it.

Comment 3 Daniel Walsh 2019-02-25 21:55:48 UTC
What did the original podman command look like?

This looks like the resolv.conf inside of the container has the wrong label.

Comment 4 Robin Powell 2019-02-26 05:01:23 UTC
Oh, got it, sorry.  This is perhaps more than you're looking for, but:

[sampre_mw@jukni mediawiki]$ systemctl --user status lojban_mediawiki_web | cat
● lojban_mediawiki_web.service - Site/Webserver for mw.lojban.org
   Loaded: loaded (/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-02-24 23:01:11 PST; 21h ago
  Process: 30370 ExecStop=/bin/bash -x /home/sampre_mw/mediawiki/kill_web.sh 2>&1 (code=exited, status=0/SUCCESS)
 Main PID: 30475 (bash)
   CGroup: /user.slice/user-1086.slice/user@1086.service/lojban_mediawiki_web.service
           ├─30475 /bin/bash -x /home/sampre_mw/mediawiki/run_web.sh 2>&1
           ├─30816 sudo /usr/bin/podman run --name lojban_mediawiki_web -v /srv/lojban/mediawiki-container/data/LocalSettings.php:/var/www/mediawiki/LocalSettings.php -v /srv/lojban/mediawiki-container/data/images:/var/www/mediawiki/images -v /srv/lojban/mediawiki-container/data/files:/var/www/mediawiki/files --network=container:lojban_mediawiki_db -i lojban/mediawiki_web:1.30-1
           └─30818 /usr/bin/podman run --name lojban_mediawiki_web -v /srv/lojban/mediawiki-container/data/LocalSettings.php:/var/www/mediawiki/LocalSettings.php -v /srv/lojban/mediawiki-container/data/images:/var/www/mediawiki/images -v /srv/lojban/mediawiki-container/data/files:/var/www/mediawiki/files --network=container:lojban_mediawiki_db -i lojban/mediawiki_web:1.30-1

There's also a build step, but there's nothing special there.  The Dockerfile is based on kristophjunge/mediawiki:1.30

I don't think I do anything that could muck with the resolv.conf label.

All the code is at https://github.com/lojban/mediawiki-docker , fwiw.

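The AVC records in the description, read the way the "wrong label" diagnosis in Comment 3 suggests. This is an added example, not code from the bug report or from the podman project: it parses audit AVC lines, groups denials by source domain, target type and object class, and flags any group where a container_t process hit a file type other than container_file_t, the label container-selinux uses for content a container may access. The expected-type table is this example's assumption; adjust it to the policy in use. The sample input is the three records quoted in the description. The records carry permissive=1, so the denials were logged but not enforced, and the summary reports that too.

```python
import re
from collections import defaultdict

# The three AVC records quoted in this bug's description (copied from the report, not constructed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1551078174.053:1832041): avc:  denied  { read } for  pid=31114 comm="ping" name="resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551078174.053:1832041): avc:  denied  { open } for  pid=31114 comm="ping" path="/etc/resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551078174.053:1832042): avc:  denied  { getattr } for  pid=31114 comm="ping" path="/etc/resolv.conf" dev="tmpfs" ino=57711603 scontext=system_u:system_r:container_t:s0:c111,c809 tcontext=staff_u:object_r:container_var_run_t:s0 tclass=file permissive=1
"""

# Assumption for this example: container-selinux labels content meant for containers as
# container_file_t, so a container_t process hitting any other file type points at a
# mislabelled object (here: resolv.conf carrying container_var_run_t). Adjust to your policy.
EXPECTED_TARGET_TYPES = {
    "container_t": {"container_file_t"},
}

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for": values are either a quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context written as user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit AVC line into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "serial": m.group("serial"),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    # permissive=1 means the kernel logged the denial but let the access through
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(audit_text):
    """Group denials by (source type, target type, class), merging permissions and object names."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0, "enforced": False})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["enforced"] = g["enforced"] or rec["enforced"]
        # the first record names the file, the later ones give its path; keep both
        obj = rec.get("path") or rec.get("name")
        if obj:
            g["objects"].add(obj)
    return dict(groups)


def check_labels(audit_text, expected=EXPECTED_TARGET_TYPES):
    """Report denial groups whose target type is not one the source domain is expected to use."""
    findings = []
    for (stype, ttype, tclass), g in summarize(audit_text).items():
        allowed = expected.get(stype)
        if allowed is None or ttype in allowed:
            continue
        findings.append({
            "domain": stype, "observed": ttype, "expected": allowed, "tclass": tclass,
            "perms": g["perms"], "objects": g["objects"], "count": g["count"],
            "enforced": g["enforced"],
        })
    return findings


if __name__ == "__main__":
    for f in check_labels(SAMPLE_AUDIT):
        mode = "enforced" if f["enforced"] else "logged only (permissive)"
        print(f"{f['domain']} denied {sorted(f['perms'])} on {f['tclass']} "
              f"{sorted(f['objects'])}: labelled {f['observed']}, expected "
              f"{sorted(f['expected'])} [{mode}, {f['count']} records]")
```

Run against the three records above it produces a single finding: container_t denied read, open and getattr on a file labelled container_var_run_t where container_file_t was expected, logged only because the process ran permissive. Feeding it the output of `ausearch -m AVC` from a host reproduces the same triage for every container on it, and the grouping by (domain, target type, class) is what separates a single mislabelled file from a policy gap that touches many objects.
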
Comment 5 Fedora Update System 2019-02-27 13:30:16 UTC
podman-1.1.0-1.git006206a.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

Comment 6 Fedora Update System 2019-02-27 13:30:29 UTC
podman-1.1.0-1.git006206a.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

Comment 7 Fedora Update System 2019-02-28 18:55:37 UTC
podman-1.1.0-1.git006206a.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2334f59273

Comment 8 Fedora Update System 2019-02-28 21:26:27 UTC
podman-1.1.0-1.git006206a.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ead0cd452a

Comment 9 Fedora Update System 2019-03-05 19:11:06 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

Comment 10 Fedora Update System 2019-03-05 19:11:19 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

Comment 11 Fedora Update System 2019-03-06 15:12:56 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d244a0fe3e

Comment 12 Fedora Update System 2019-03-06 15:57:11 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-5730099f0b

Comment 13 Fedora Update System 2019-03-10 18:23:26 UTC
podman-1.1.2-1.git0ad9b6b.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-03-15 03:35:13 UTC
podman-1.1.2-1.git0ad9b6b.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

