Bug 2180937
| Summary: | Denials from some CLI tools writing to container PTYs | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Colin Walters <walters> |
| Component: | container-selinux | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED MIGRATED | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.2 | CC: | dollierp, dwalsh, jnovy, lsm5, mboddu, sdodson, travier, tsweeney |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Reopened |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-09-11 19:41:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Colin Walters
2023-03-22 16:58:19 UTC
@dwalsh PTAL. Might this be related to https://bugzilla.redhat.com/show_bug.cgi?id=2178990 ?

Turn on the daemons_use_tty boolean.

# sudo setsebool -P daemons_use_tty 1

This boolean will allow the access.

(I have also confirmed that this is an issue on current Fedora/FCOS)

Hmmm. So the pattern of using privileged containers to debug the host is really prevalent now. We've kind of enshrined it really in `toolbox` and `oc debug node`. As you know we've continually run up against these little "sharp edges" from running spc_t containers.
> # sudo setsebool -P daemons_use_tty 1
But are you suggesting that's something we should default to in OCP nodes? Or we expect users to do it?
The more I think about this the more I feel like really though the fix is to step away from spc_t. I think it's caused us more problems than it solves. See the difference here:
[root@cosa-devsh ~]# podman run -q --privileged --rm -ti -v /:/run/host quay.io/centos/centos:stream8 chroot /run/host ip addr
[root@cosa-devsh ~]# podman run -q --privileged --rm --security-opt label=type:unconfined_t -ti -v /:/run/host quay.io/centos/centos:stream8 chroot /run/host ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether d2:99:c3:df:77:c6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.88.0.3/16 brd 10.88.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::d099:c3ff:fedf:77c6/64 scope link tentative
valid_lft forever preferred_lft forever
[root@cosa-devsh ~]#
So in OCP, we can definitely change `oc debug node` to detect when a node is new enough to support the pod level customization for this and use unconfined_t. And we can unconditionally change `toolbox`.
What do you think about that?
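A defender-side check for the denial pattern described above, added here as an example and not code from the bug thread or from container-selinux: it parses audit-log AVC records and flags spc_t processes denied access to a PTY character device, the case the daemons_use_tty boolean (or running the debug container as unconfined_t) addresses. The audit lines are constructed, and the container_devpts_t target type and the function names are my assumptions.

```python
import re
from collections import Counter

# Constructed audit.log sample (not from the bug report): the first two records
# have the shape of the denial the bug describes, a privileged (spc_t) debug
# container writing to its PTY; the third is an unrelated denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1679500000.123:456): avc:  denied  { write } for  pid=4242 comm="ip" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679500001.456:457): avc:  denied  { read write } for  pid=4242 comm="chroot" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679500002.789:458): avc:  denied  { read } for  pid=4300 comm="cat" path="/etc/shadow" dev="vda4" ino=99 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1679500000.123:456): arch=c000003e syscall=1 success=no exit=-13 comm="ip"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc_denials(text: str) -> list[dict]:
    """Extract every AVC denial record; other audit lines are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            denials.append(d)
    return denials

def pty_denials_from_spc(denials: list[dict]) -> list[dict]:
    """Denials matching this bug's signature: spc_t denied on a PTY chr_file."""
    return [
        d for d in denials
        if selinux_type(d["scontext"]) == "spc_t"
        and d["tclass"] == "chr_file"
        and selinux_type(d["tcontext"]).endswith("devpts_t")
    ]

def summarize(denials: list[dict]) -> Counter:
    """Count denials by (source type, target type, class, permission)."""
    return Counter(
        (selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"], p)
        for d in denials for p in d["perms"]
    )
```

On a real host, feed the functions the output of `ausearch -m avc` instead of the sample; a recurring (spc_t, *_devpts_t, chr_file, write) entry in the summary is the signature worth correlating with debug-container launches.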
@dwalsh please see Colin's prior comment. I had a pull request to use an unconfined domain for debug containers up at https://github.com/openshift/oc/pull/842 but never managed to make it work. Maybe we should revive that.

But we found and reverted a fix here, correct? https://github.com/containers/container-selinux/pull/223 Seems like we should reopen this bug and track it for 9.2?

What am I being asked here exactly? What fix needs to be in containers-selinux? Is this RHAOS only?

That we update 9.2 and newer to at least container-selinux-208 which includes the PR in comment 6. I'm not sure whether to say this is RHAOS specific or not; I think unless we believe we'll perpetually have a fork of container-selinux for OpenShift I'd say no.

We have a possibility to make an OpenShift-only fork, Scott. Let me know if that's desirable.

For now, as I understand it, the default container-selinux build with https://github.com/containers/container-selinux/pull/223 reverted. I'd like to also hear what Dan's opinion on this is.

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to the Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567. In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.