Description of problem:
When I try to create a UNIX socket from within a podman container using the following python3 script:

    #!/usr/bin/python3
    import socket
    s = socket.socket(socket.AF_UNIX)
    s.bind('somesocket')

the bind attempt fails and the following SELinux AVC is generated:

    SELinux is preventing python3 from create access on the sock_file somesocket.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that python3 should be allowed create access on the somesocket sock_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'python3' --raw | audit2allow -M my-python3
    # semodule -X 300 -i my-python3.pp

    Additional Information:
    Source Context                system_u:system_r:container_t:s0:c60,c960
    Target Context                system_u:object_r:fusefs_t:s0
    Target Objects                somesocket [ sock_file ]
    [...]

Note that everything works fine when the container is running in --privileged mode. Also, with docker, this works even without --privileged.

Apologies if this is a SELinux policy issue and should be reassigned to a different component (I'm not sure, so filing against "podman" first).

Version-Release number of selected component (if applicable):
podman-1.1.2-2.dev.git0ad9b6b.fc30.x86_64

How reproducible:
always

Steps to Reproduce:
$ podman run -it --rm fedora bash
$ vi test.py   # paste the above python script and :wq
$ python3 test.py

Actual results:
Traceback (most recent call last):
  File "test.py", line 4, in <module>
    s.bind('somesocket')
PermissionError: [Errno 13] Permission denied

Also, a SELinux AVC is generated (see above).

Expected results:
No traceback or AVC, socket should be bound.
Can you try this with container-selinux-2.94? Should be available in updates.
Yeah, I actually have the latest version already but it doesn't help: container-selinux-2:2.94-1.git1e99f1d.fc29.noarch
OK, I'm actually on F29 (although I upgraded podman to the F30 version previously to check if it still occurs with it). So I upgraded container-selinux to the F30 version as well: container-selinux-2:2.94-1.git1e99f1d.fc30.noarch

But still no success :(
Oh, looking at the changelog, it seems this was really addressed recently:

* Thu Mar 28 2019 Dan Walsh <dwalsh> - 2.94-1
- Allow init_t to manage container content
- Allow container domains to create fifo_files on fusefs file systems
- Add boolean to allow containers to use ceph file systems

Isn't there some kind of action needed in order for the policy to apply (when coming from the earlier version of the package)?
Well, let's see what the AVCs are. If you are not seeing any, could you do the following:

sudo semodule -DB

Now create the failure.

sudo ausearch -m avc -ts recent
sudo semodule -B

And attach the AVCs.
# ausearch -m avc --start recent
----
time->Fri Apr 5 16:42:14 2019
type=AVC msg=audit(1554475334.573:725): avc: denied { create } for pid=22188 comm="python3" name="somesocket" scontext=system_u:system_r:container_t:s0:c427,c633 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=0

Is that sufficient or do you need more detailed data?
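An added triage helper, not from this bug report or from the podman project, that parses ausearch AVC records such as the one above and separates a type-enforcement gap (container_t against fusefs_t, as here) from an MCS category mismatch on a container volume; the second sample record and its labels are constructed for contrast.

```python
import re

# Constructed sample: record 1 is the AVC from this bug; record 2 is a
# constructed contrast case (volume labelled for a different container).
SAMPLE_AVCS = """\
type=AVC msg=audit(1554475334.573:725): avc: denied { create } for pid=22188 comm="python3" name="somesocket" scontext=system_u:system_r:container_t:s0:c427,c633 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1554475400.001:731): avc: denied { write } for pid=22201 comm="python3" name="other.sock" scontext=system_u:system_r:container_t:s0:c427,c633 tcontext=system_u:object_r:container_file_t:s0:c12,c340 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit AVC line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group("fields")))
    # Split user:role:type:level so the type and the MCS level can be compared.
    for key in ("scontext", "tcontext"):
        _user, _role, typ, level = rec[key].split(":", 3)
        rec[key + "_type"] = typ
        rec[key + "_level"] = level
    return rec

def classify(rec):
    """Coarse triage: type-enforcement gap vs. MCS category mismatch."""
    if rec["scontext_type"] != "container_t":
        return "not-container"
    if rec["tcontext_type"] == "container_file_t":
        # Same type, so only the category pair differs: the volume belongs to
        # another container; relabel (podman :Z/:z) rather than add an allow rule.
        return "mcs-mismatch" if rec["scontext_level"] != rec["tcontext_level"] else "unexpected"
    # container_t against a non-container type (fusefs_t here) is a policy question.
    return "policy"

def triage(log_text):
    """Return (comm, tclass, perms, target type, category) for each denial."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            out.append((rec["comm"], rec["tclass"], " ".join(rec["perms"]),
                        rec["tcontext_type"], classify(rec)))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_AVCS):
        print(*row, sep="\t")
```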
podman-1.3.1-1.git7210727.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe6ef87556
podman-1.3.1-1.git7210727.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a0ddb8df76
podman-1.3.1-1.git7210727.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a0ddb8df76
podman-1.3.1-1.git7210727.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe6ef87556
podman-1.3.1-1.git7210727.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
podman-1.3.1-1.git7210727.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.