RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2089257 - avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023
Summary: avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/contai...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: container-selinux
Version: 9.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jindrich Novy
QA Contact: Edward Shen
URL:
Whiteboard: CockpitTest
Depends On: 2031022
Blocks: 2106396
TreeView+ depends on / blocked
 
Reported: 2022-05-23 09:57 UTC by Marius Vollmer
Modified: 2023-05-09 08:27 UTC (History)
22 users (show)

Fixed In Version: container-selinux-2.191.0-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2031022
: 2106396 (view as bug list)
Environment:
Last Closed: 2023-05-09 07:33:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-122773 0 None None None 2023-03-28 06:46:44 UTC
Red Hat Product Errata RHBA-2023:2206 0 None None None 2023-05-09 07:34:18 UTC

Description Marius Vollmer 2022-05-23 09:57:29 UTC 
+++ This bug was initially created as a clone of Bug #2031022 +++

Description of problem:
During CKI podman test [1] we've hit the following issue:

avc:  denied  { ioctl } for  pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-35.6-1.fc36.noarch

How reproducible:
It seems easily reproducible with podman test

Steps to Reproduce:
1. Run test [1]


Additional info:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-35.6-1.fc36.noarch

[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/container/podman

--- Additional comment from Bruno Goncalves on 2021-12-10 11:19:12 UTC ---

beaker job: https://beaker.engineering.redhat.com/recipes/11120125#task136635605

--- Additional comment from Zdenek Pytela on 2021-12-10 11:37:43 UTC ---

Switching the component, there are already some rules in container-selinux:

f35# sesearch -A -s iptables_t -t container_file_t -c dir,file
allow application_domain_type logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iptables_t container_file_t:dir { getattr open search };
allow iptables_t container_file_t:file open;

--- Additional comment from Martin Pitt on 2022-01-10 07:36:05 UTC ---

In Cockpit we started to see these as well now, in our Fedora CoreOS CI: for example, [1]

audit: type=1400 audit(1641799023.984:237): avc:  denied  { ioctl } for  pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/0fac9b410d57d0f8ae6fa8f042e8672ae70ddbeb4e25845223e35a3b2260c169/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0

Nothing in that test fiddles with iptables, that's somehow internal to podman. But lots of tests start a cockpit/ws container there, so this just feels random. E.g. here [2] and here[3] it hit two different, and completely unrelated tests. We haven't seen this before, and haven't refreshed our CoreOS image in a whole week. Was this some sort of a time bomb? (But I can't imagine SELinux rules being time dependent)

[1] https://logs.cockpit-project.org/logs/pull-16798-20220110-064948-be591291-fedora-coreos/log.html#232
[2] https://logs.cockpit-project.org/logs/pull-2784-20220110-024544-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#152
[3] https://logs.cockpit-project.org/logs/pull-2784-20220110-063907-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#241

--- Additional comment from Ben Cotton on 2022-02-08 21:15:40 UTC ---

This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.
Comment 1 Marius Vollmer 2022-05-23 10:01:29 UTC 
This now turns up on RHEL 9.1 as well.

selinux-policy-34.1.32-1.el9.noarch

https://cockpit-logs.us-east-1.linodeobjects.com/pull-3398-20220523-090548-c9f0c810-rhel-9-1-cockpit-project-cockpit/log.html#51
Comment 2 Zdenek Pytela 2022-09-19 14:21:53 UTC 
Switching the component, see
https://bugzilla.redhat.com/show_bug.cgi?id=2031022
Comment 3 Daniel Walsh 2022-12-01 00:14:04 UTC 
This looks like a leaked file descriptor.
Comment 4 Daniel Walsh 2022-12-01 00:15:46 UTC 
Fixed in container-selinux-2.191.0-1
Comment 11 errata-xmlrpc 2023-05-09 07:33:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (container-selinux bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2206
Note You need to log in before you can comment on or make changes to this bug.