Bug 2142597 - Rootless Podman on RHEL8 as user_u returns exec /bin/bash: permission denied
Summary: Rootless Podman on RHEL8 as user_u returns exec /bin/bash: permission denied
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: container-selinux
Version: 8.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-14 14:41 UTC by ryan.parker
Modified: 2023-09-11 19:06 UTC
CC: 13 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-11 19:06:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments:


Links
System                 ID               Private  Priority  Status    Summary  Last Updated
Red Hat Issue Tracker  RHEL-3103        0        None      Migrated  None     2023-09-11 19:06:56 UTC
Red Hat Issue Tracker  RHELPLAN-139300  0        None      None      None     2022-11-14 14:46:32 UTC

Description ryan.parker 2022-11-14 14:41:48 UTC
Description of problem:

The Defense Information Systems Agency released a new Security Technical Implementation Guide for RHEL8 for Q4 2022. This version, V1R8, introduces a new requirement: all administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization.

As such, implementing this requirement prevents users from being able to create containers from container images. 

Version-Release number of selected component (if applicable): 

RHEL8.6
4.18.0-372.26.1.el8_6.x86_64

Podman: podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64

How reproducible:

Works with every container I try to import and run.

Steps to Reproduce:
1. Map all applicable admins to the staff_u role:  semanage login -a -s staff_u <username> 
2. Set the default SELinux context to user_u: semanage login -m -s user_u -r s0 __default__
3. Perform a SELinux relabel 
4. Reboot
5. On a system with an active internet connection, pull an image and save it to a tarball: sudo docker save -o ~/Downloads/ubi9.tar registry.access.redhat.com/ubi9/ubi:latest
6. Transfer tarball to the airgapped RHEL8 system
7. As a regular user, load the tarball: podman load < ./ubi9.tar
8. Test to see if container works: podman run -it registry.access.redhat.com/ubi9/ubi:latest /bin/bash


Actual results:

Encounter permission denied error

[rparker70_user@rhel8swtest ~]$ podman run -it registry.access.redhat.com/ubi9/ubi:latest /bin/bash                             
exec /bin/bash: permission denied

Expected results:

The user should be able to run a podman container. 

Additional info:

The only additional SELinux error I could find is below: 

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/podman from using the rlimitinh access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that podman should be allowed rlimitinh access on processes labeled container_runtime_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'podman' --raw | audit2allow -M my-podman
# semodule -X 300 -i my-podman.pp


Additional Information:
Source Context                user_u:user_r:user_t:s0
Target Context                user_u:user_r:container_runtime_t:s0
Target Objects                /usr/bin/podman [ process ]
Source                        podman
Source Path                   /usr/bin/podman
Port                          <Unknown>
Host                          rhel8swtest.scd.secret
Source RPM Packages           podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
Target RPM Packages           podman-4.1.1-2.module+el8.6.0+15917+093ca6f8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8_6.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel8swtest.scd.secret
Platform                      Linux rhel8swtest.scd.secret 4.18.0-372.26.1.el8_6.x86_64 #1 SMP Sat Aug 27 02:44:20 EDT 2022 x86_64 x86_64
Alert Count                   2
First Seen                    2022-11-14 09:21:17 EST
Last Seen                     2022-11-14 09:22:40 EST
Local ID                      8c48533a-4295-4cb3-9398-d3b9220bff0d

Raw Audit Messages
type=AVC msg=audit(1668435760.293:5993): avc:  denied  { rlimitinh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0                                                                      


type=AVC msg=audit(1668435760.293:5993): avc:  denied  { siginh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0                                                                         


type=SYSCALL msg=audit(1668435760.293:5993): arch=x86_64 syscall=execve success=yes exit=0 a0=5594eda5a240 a1=5594ed8e1a70 a2=5594eda59960 a3=8 items=2 ppid=377132 pid=381745 auid=1570801184 uid=1570801184 gid=1570800513 euid=1570801184 suid=1570801184 fsuid=1570801184 egid=1570800513 sgid=1570800513 fsgid=1570800513 tty=pts1 ses=4 comm=podman exe=/usr/bin/podman subj=user_u:user_r:container_runtime_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=rparker70_user UID=rparker70_user GID=646F6D61696E207573657273 EUID=rparker70_user SUID=rparker70_user FSUID=rparker70_user EGID=646F6D61696E207573657273 SGID=646F6D61696E207573657273 FSGID=646F6D61696E207573657273

type=CWD msg=audit(1668435760.293:5993): cwd=/home/rparker70_user

type=PATH msg=audit(1668435760.293:5993): item=0 name=/usr/bin/podman inode=18514223 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root      

Hash: podman,user_t,container_runtime_t,process,rlimitinh
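
The following script is an added example, not part of the bug report, of podman, or of container-selinux. It joins the AVC, SYSCALL and PATH records quoted above by their audit serial and reports, per event, the denied permissions, the source and target contexts, and whether the syscall that triggered the check actually failed. The report's own SYSCALL record shows success=yes for the execve, so the two AVCs are a side effect of the user_t to container_runtime_t domain transition and did not themselves block the exec; the rule the script applies (siginh, rlimitinh and noatsecure are checked on a domain transition, and on denial the kernel sanitizes the inherited state rather than failing the exec) is general SELinux behaviour, not something the report states. Assumptions: the SYSCALL record is trimmed to the fields used, and a second event (serial 42, an unrelated openat denial) is constructed here only so the classifier's other branch is exercised; it has nothing to do with this bug.

```python
"""Group raw SELinux audit records by event and classify their denials.

Added example (not part of the bug report or any Red Hat component): joins the
AVC, SYSCALL and PATH records that share an audit serial and reports, per event,
the denied permissions, the source -> target contexts and whether the syscall
that triggered the check actually failed.
"""
import re
from dataclasses import dataclass, field

# Constructed input. Serial 5993 is the report's own "Raw Audit Messages" with
# the SYSCALL record trimmed to the fields used here; serial 42 is a made-up,
# unrelated denial that does fail its syscall, included only so both branches
# of classify() are exercised.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1668435760.293:5993): avc:  denied  { rlimitinh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=AVC msg=audit(1668435760.293:5993): avc:  denied  { siginh } for  pid=381745 comm="podman" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:container_runtime_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1668435760.293:5993): arch=x86_64 syscall=execve success=yes exit=0 ppid=377132 pid=381745 auid=1570801184 uid=1570801184 comm=podman exe=/usr/bin/podman subj=user_u:user_r:container_runtime_t:s0 key=(null)
type=CWD msg=audit(1668435760.293:5993): cwd=/home/rparker70_user
type=PATH msg=audit(1668435760.293:5993): item=0 name=/usr/bin/podman inode=18514223 dev=fd:01 mode=0100755 ouid=0 ogid=0 obj=system_u:object_r:container_runtime_exec_t:s0 nametype=NORMAL
type=AVC msg=audit(1700000000.000:42): avc:  denied  { read } for  pid=4242 comm="cat" name="shadow" dev="dm-1" ino=99 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.000:42): arch=x86_64 syscall=openat success=no exit=-13 pid=4242 comm=cat exe=/usr/bin/cat subj=user_u:user_r:user_t:s0 key=(null)
"""

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+?) \}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Checked only when a process changes domain on exec; on denial the kernel
# sanitizes the inherited state (signals, rlimits, AT_SECURE) instead of failing
# the exec. General SELinux behaviour, not a statement taken from the report.
TRANSITION_INHERIT_PERMS = {"siginh", "rlimitinh", "noatsecure"}

@dataclass
class AuditEvent:
    serial: int
    avcs: list = field(default_factory=list)
    syscall: dict = field(default_factory=dict)
    paths: list = field(default_factory=list)

def parse_kv(text):
    """'k=v k2="v 2"' -> dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def context_type(ctx):
    """user:role:type[:level] -> type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_audit(text):
    """Group AVC/SYSCALL/PATH records by audit serial; other record types are skipped."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(int(m["serial"]), AuditEvent(int(m["serial"])))
        if m["type"] == "AVC" and (a := AVC_RE.match(m["body"])):
            f = parse_kv(a["rest"])
            ev.avcs.append({"verdict": a["verdict"], "perms": set(a["perms"].split()),
                            "scontext": f["scontext"], "tcontext": f["tcontext"],
                            "tclass": f["tclass"], "permissive": f.get("permissive") == "1"})
        elif m["type"] == "SYSCALL":
            ev.syscall = parse_kv(m["body"])
        elif m["type"] == "PATH":
            ev.paths.append(parse_kv(m["body"]))
    return events

def summarize(ev):
    """Collapse one event into the facts a triager needs."""
    denied, pairs = set(), set()
    for a in ev.avcs:
        if a["verdict"] == "denied":
            denied |= a["perms"]
            pairs.add((a["scontext"], a["tcontext"], a["tclass"]))
    sc = ev.syscall
    return {"serial": ev.serial, "denied_perms": sorted(denied), "transitions": sorted(pairs),
            "syscall": sc.get("syscall"), "syscall_succeeded": sc.get("success") == "yes",
            "exe": sc.get("exe"), "subject": sc.get("subj"),
            "exec_target_types": sorted({context_type(p["obj"]) for p in ev.paths if "obj" in p})}

def classify(summary):
    """'transition-inheritance' when every denial is an inherit check on the process
    class and the exec still succeeded; 'blocking-denial' when a denial failed the call."""
    perms = set(summary["denied_perms"])
    if not perms:
        return "no-denial"
    only_inherit = perms <= TRANSITION_INHERIT_PERMS
    on_process = all(t[2] == "process" for t in summary["transitions"])
    return "transition-inheritance" if only_inherit and on_process and summary["syscall_succeeded"] else "blocking-denial"

def triage(text):
    """{serial: classification} for every event in the audit text."""
    return {serial: classify(summarize(ev)) for serial, ev in parse_audit(text).items()}

if __name__ == "__main__":
    for serial, ev in sorted(parse_audit(SAMPLE_AUDIT).items()):
        s = summarize(ev)
        print(f"event {serial}: {s['syscall']} by {s['exe']} as {s['subject']}: "
              f"{'succeeded' if s['syscall_succeeded'] else 'failed'}; denied {s['denied_perms']} -> {classify(s)}")
        for src, dst, cls in s["transitions"]:
            print(f"  {src} -> {dst} ({cls})")
```

On a real host the same functions can be fed the output of `ausearch --raw -ts recent`; the point of the classification is to stop chasing rlimitinh/siginh transition noise and look for the event whose SYSCALL record actually reports success=no.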

Comment 1 Daniel Walsh 2022-11-14 16:51:50 UTC
This is going to be difficult to fix properly. 

Right now container_runtime_t is an unconfined domain and can transition to spc_t, which is also an unconfined domain; allowing a confined user like user_t to do this would be a security risk.

I think we would need to rethink container technology to prevent the spc_t type from the user_r role.

I am also not sure whether podman currently runs containers as user_u:user_r:container_t:MCS, or forces system_u:system_r:container_t:MCS.

Comment 2 Tom Sweeney 2022-11-14 20:30:35 UTC
Adding @dornelas to the cc as an FYI

Comment 3 ryan.parker 2023-01-20 18:37:40 UTC
What are the security implications of having a user, in this case a generic user with no sudo privileges, be assigned to the staff_u role? It appears that staff_u does not encounter the same issues when running containers as user_u does. For what it's worth, while all of my administrator accounts are mapped to staff_u, my sudoers file maps to an Active Directory group for administrators only, whose role and type are sysadm_r and sysadm_t (this is another STIG requirement).

Comment 4 Daniel Walsh 2023-01-23 17:32:23 UTC
You could have them associated with the staff_r role (not the staff_u user); then they would only get access to staff_t, which is little different from user_r (user_u).
They would not be able to become sysadm_r, which is what they are after.

Comment 6 RHEL Program Management 2023-09-11 19:03:55 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 7 RHEL Program Management 2023-09-11 19:06:51 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

