This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.
Bug 2180937 - Denials from some CLI tools writing to container PTYs
Summary: Denials from some CLI tools writing to container PTYs
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: container-selinux
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-03-22 16:58 UTC by Colin Walters
Modified: 2024-01-22 04:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-11 19:41:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+
Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker OCPBUGS-10615 | 0 | None | None | None | 2023-03-22 16:59:16 UTC
Red Hat Issue Tracker RHEL-3130 | 0 | None | Migrated | None | 2023-09-23 02:19:39 UTC
Red Hat Issue Tracker RHELPLAN-152775 | 0 | None | None | None | 2023-03-22 17:00:00 UTC

Description Colin Walters 2023-03-22 16:58:19 UTC
Forwarding this from https://issues.redhat.com/browse/OCPBUGS-10615

Basically on RHEL8 (coreos):

[root@cosa-devsh ~]# rpm -q container-selinux
container-selinux-2.188.0-1.rhaos4.12.el8.noarch
[root@cosa-devsh ~]# podman run -q --privileged --rm -ti -v /:/run/host quay.io/centos/centos:stream8 chroot /run/host ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 62:6e:84:c3:1e:20 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.88.0.2/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::606e:84ff:fec3:1e20/64 scope link tentative 
       valid_lft forever preferred_lft forever
[root@cosa-devsh ~]# 

Whereas on RHEL9 (coreos):

[root@cosa-devsh ~]# rpm -q container-selinux
container-selinux-2.199.0-1.el9.noarch
[root@cosa-devsh ~]# podman run -q --privileged --rm -ti -v /:/run/host quay.io/centos/centos:stream8 chroot /run/host ip addr
[root@cosa-devsh ~]# 


And the AVC denials here are of the form:

type=AVC msg=audit(1679502253.287:86): avc:  denied  { read write } for  pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502253.287:86): avc:  denied  { read append } for  pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502253.287:86): avc:  denied  { read append } for  pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502253.287:86): avc:  denied  { read append } for  pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc:  denied  { read write } for  pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc:  denied  { read append } for  pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc:  denied  { read append } for  pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc:  denied  { read append } for  pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0

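A small triage helper for denials of the shape quoted above. This is an added example, not code from the bug report or from container-selinux: it parses audit AVC lines into records, pulls the SELinux type out of each context, and groups the denials by (source domain, target type, object class), so a defender can see at a glance that the only thing being refused here is ifconfig_t and dmesg_t touching container_devpts_t, rather than some broader policy breakage. The sample lines are constructed copies of the denials in the description; the function and field names are my own.

```python
"""Group SELinux AVC denials by source domain, target type and class.

Added example (not from the bug report). The audit lines below are
constructed copies of the denials quoted in the description.
"""
import re
from collections import defaultdict

# Constructed sample input: denials copied from the description above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1679502253.287:86): avc:  denied  { read write } for  pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502253.287:86): avc:  denied  { read append } for  pid=35372 comm="ip" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc:  denied  { read write } for  pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1679502144.467:84): avc:  denied  { read append } for  pid=34189 comm="dmesg" path="/0" dev="devpts" ino=3 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=0
"""

# "avc:  denied  { read write } for  <key=value ...>"
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    if not ctx:
        return None
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc_line(line):
    """Parse one audit line; returns a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'decision': m.group('decision'),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
    }
    rec['sdomain'] = type_of(rec['scontext'])
    rec['ttype'] = type_of(rec['tcontext'])
    return rec


def summarize(text):
    """Aggregate denials: {(sdomain, ttype, tclass): {perms, comms, count}}."""
    agg = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in text.splitlines():
        rec = parse_avc_line(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        entry = agg[(rec['sdomain'], rec['ttype'], rec['tclass'])]
        entry['perms'] |= rec['perms']
        entry['comms'].add(rec['comm'])
        entry['count'] += 1
    # Freeze into plain sorted structures so the result is stable to compare.
    return {
        key: {'perms': sorted(v['perms']), 'comms': sorted(v['comms']), 'count': v['count']}
        for key, v in agg.items()
    }


def report(text):
    """Render the summary as one line per (source domain, target type, class)."""
    lines = []
    for (sdom, ttype, tclass), v in sorted(summarize(text).items()):
        lines.append(
            f"{sdom} -> {ttype} ({tclass}): {{ {' '.join(v['perms'])} }} "
            f"x{v['count']} via {', '.join(v['comms'])}"
        )
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_AUDIT))
```

Run it against `ausearch -m avc` output (or a copied block of audit lines) to see the aggregated view; for the lines above it reports one row each for ifconfig_t and dmesg_t against container_devpts_t, both wanting read/write/append on a chr_file.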
Comment 1 Tom Sweeney 2023-03-22 19:48:21 UTC
@dwalsh PTAL.  Might this be related to https://bugzilla.redhat.com/show_bug.cgi?id=2178990 ?

Comment 2 Daniel Walsh 2023-03-24 11:25:49 UTC
Turn on the daemons_use_tty boolean.

# sudo setsebool -P daemons_use_tty 1

This boolean will allow the access.

Comment 3 Colin Walters 2023-03-24 16:05:50 UTC
(I have also confirmed that this is an issue on current Fedora/FCOS)

Hmmm.  So the pattern of using privileged containers to debug the host is really prevalent now.  We've kind of enshrined it really in `toolbox` and `oc debug node`.  As you know we've continually run up against these little "sharp edges" from running spc_t containers.

> # sudo setsebool -P daemons_use_tty 1

But are you suggesting that's something we should default to in OCP nodes?  Or we expect users to do it?

The more I think about this the more I feel like really though the fix is to step away from spc_t.  I think it's caused us more problems than it solves.  See the difference here:

[root@cosa-devsh ~]# podman run -q --privileged --rm -ti -v /:/run/host quay.io/centos/centos:stream8 chroot /run/host ip addr
[root@cosa-devsh ~]# podman run -q --privileged --rm --security-opt label=type:unconfined_t -ti -v /:/run/host quay.io/centos/centos:stream8 chroot /run/host ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d2:99:c3:df:77:c6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.88.0.3/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::d099:c3ff:fedf:77c6/64 scope link tentative 
       valid_lft forever preferred_lft forever
[root@cosa-devsh ~]# 

So in OCP, we can definitely change `oc debug node` to detect when a node is new enough to support the pod level customization for this and use unconfined_t.  And we can unconditionally change `toolbox`. 
What do you think about that?

Comment 4 Tom Sweeney 2023-03-27 18:44:42 UTC
@dwalsh please see Colin's prior comment.

Comment 5 Timothée Ravier 2023-03-29 11:30:56 UTC
I had a pull request to use an unconfined domain for debug containers up at https://github.com/openshift/oc/pull/842 but never managed to make it work. Maybe we should revive that.

Comment 6 Scott Dodson 2023-04-18 14:11:26 UTC
But we found and reverted a fix here, correct?

https://github.com/containers/container-selinux/pull/223

Seems like we should reopen this bug and track it for 9.2?

Comment 8 Jindrich Novy 2023-04-19 09:20:31 UTC
What am I being asked here exactly? What fix needs to be in containers-selinux? Is this RHAOS only?

Comment 9 Scott Dodson 2023-04-19 13:34:18 UTC
That we update 9.2 and newer to at least container-selinux-208 which includes the PR in comment 6.

I'm not sure whether to say this is RHAOS specific or not, I think unless we believe we'll perpetually have a fork of container-selinux for OpenShift I'd say no.

Comment 10 Jindrich Novy 2023-04-19 13:40:38 UTC
We have a possibility to make an OpenShift-only fork Scott. Let me know if that's desirable. For now, as I understand it, the default container-selinux build with https://github.com/containers/container-selinux/pull/223 reverted.

I'd like to also hear what's Dan's opinion on this.

Comment 11 RHEL Program Management 2023-09-11 19:36:54 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 12 RHEL Program Management 2023-09-11 19:41:56 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Comment 13 Red Hat Bugzilla 2024-01-22 04:25:30 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days