Bug 2069586 - Can not read symbolic links in relabeled podman container volume
Summary: Can not read symbolic links in relabeled podman container volume
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-29 08:22 UTC by Pavel Raiskup
Modified: 2022-12-01 00:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-12-01 00:44:10 UTC
Type: Bug
Embargoed:



Description Pavel Raiskup 2022-03-29 08:22:41 UTC
After recent system updates, I can not read symlinks from volumes inside podman
rootless containers.

$ rpm -q kernel-core container-selinux selinux-policy-targeted podman buildah
kernel-core-5.17.1-300.fc36.x86_64
container-selinux-2.181.0-1.fc36.noarch
selinux-policy-targeted-36.5-1.fc36.noarch
podman-4.0.2-1.fc36.x86_64
buildah-1.24.2-2.fc36.x86_64

Reproducer:

$ mkdir testdir
$ cd testdir
$ mkdir dir
$ echo world > dir/file
$ ln -s file -T dir/link
$ ls -l dir/
total 4
-rw-rw-r--. 1 praiskup praiskup 6 Mar 29 10:17 file
lrwxrwxrwx. 1 praiskup praiskup 4 Mar 29 10:19 link -> file
$ podman run --rm -ti -v `pwd`/dir:/dir:Z fedora:rawhide
[root@9e5aaa7c2bcb /]# ls -alhZ /dir
ls: cannot access '/dir/link': Permission denied
total 8.0K
drwxrwxr-x.  2 root root system_u:object_r:container_file_t:s0:c43,c1002   80 Mar 29 08:19 .
dr-xr-xr-x. 20 root root system_u:object_r:fusefs_t:s0                   4.0K Mar 29 08:19 ..
-rw-rw-r--.  1 root root system_u:object_r:container_file_t:s0:c43,c1002    6 Mar 29 08:17 file
l??????????  ? ?    ?    ?                                                  ?            ? link

Comment 1 Pavel Raiskup 2022-03-29 08:23:50 UTC
# ausearch -c 'container-run' --raw | audit2allow 

#============= container_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       mlsconstrain lnk_file { ioctl read getattr } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain lnk_file { write setattr } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain lnk_file { relabelfrom } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain lnk_file { create relabelto } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED

#       Possible cause is the source level (s0:c137,c441) and target level (s0:c778,c805) are different.
allow container_t container_file_t:lnk_file read;
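
The constraint quoted in the audit2allow output above can be evaluated by hand. The following is an added worked example, not part of this bug report and not code from podman, container-selinux or the opencontainers/selinux library: it parses MCS levels of the form `s0:c137,c441`, implements the `dom` test as SELinux defines it for levels (sensitivity at least as high, category set a superset), and evaluates the `lnk_file { read }` rule for the source and target levels audit2allow printed. The function names and the `source_is_mcs_constrained` flag are this example's own; the hint line it parses is copied from Comment 1.

```python
import re

# Constructed sample input: the hint line audit2allow printed in Comment 1 above.
AUDIT2ALLOW_HINT = (
    "#       Possible cause is the source level (s0:c137,c441) and "
    "target level (s0:c778,c805) are different."
)

HINT_RE = re.compile(r"source level \(([^)]+)\) and target level \(([^)]+)\)")
CATEGORY_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_level(level):
    """Split an MCS level such as 's0:c43,c1002' into (sensitivity number, category set).

    A range written 'c0.c1023' expands to every category from 0 to 1023 inclusive.
    """
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in level {level!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        m = CATEGORY_RE.match(part)
        if not m:
            raise ValueError(f"bad category {part!r} in level {level!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        categories.update(range(low, high + 1))
    return int(sens[1:]), frozenset(categories)


def dominates(h1, h2):
    """SELinux 'dom' on levels: h1 dominates h2 when its sensitivity is at least
    as high as h2's and its category set is a superset of h2's."""
    s1, c1 = parse_level(h1)
    s2, c2 = parse_level(h2)
    return s1 >= s2 and c1 >= c2


def lnk_file_read_allowed(source_level, target_level, source_is_mcs_constrained=True):
    """Evaluate the quoted rule
        mlsconstrain lnk_file { ioctl read getattr } ((h1 dom h2) or (t1 != mcs_constrained_type))
    for one source (process) level and one target (symlink) level.
    container_t is an mcs_constrained_type, which is why the default is True here."""
    return dominates(source_level, target_level) or not source_is_mcs_constrained


def levels_from_hint(line):
    """Pull (source level, target level) out of audit2allow's 'Possible cause' hint line."""
    m = HINT_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def context_level(context):
    """Return the level part of a full context such as
    'system_u:object_r:container_file_t:s0:c43,c1002' as printed by ls -Z."""
    return ":".join(context.split(":")[3:])


if __name__ == "__main__":
    src, tgt = levels_from_hint(AUDIT2ALLOW_HINT)
    print(f"{src} dom {tgt}: {dominates(src, tgt)}")
    print("lnk_file read allowed:", lnk_file_read_allowed(src, tgt))
```

Run against the hint from Comment 1, `s0:c137,c441` does not dominate `s0:c778,c805` (the category sets are disjoint), so the constraint denies the read regardless of any `allow` rule; the `allow container_t container_file_t:lnk_file read;` line audit2allow proposes therefore cannot fix it, which is what the "constraint violation" warning above is saying. In the reproducer the directory and regular file both carry `s0:c43,c1002`, so the denial has to come from the link object carrying a level the container's categories do not cover. A process whose level spans the full range `s0:c0.c1023` dominates every target level and is never stopped by this constraint.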

Comment 2 Daniel Walsh 2022-03-29 11:21:53 UTC
This is caused by a bug which was fixed upstream https://github.com/opencontainers/selinux/pull/173

The fix should be in podman 4.1.
