Bug 2211479 - avc: denied { name_bind } when pinging from rootless container using pasta network
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 38
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-05-31 18:10 UTC by Juan Orti
Modified: 2023-06-15 02:40 UTC

Fixed In Version: container-selinux-2.218.0-1.fc38 container-selinux-2.218.0-1.fc37
Clone Of:
Environment:
Last Closed: 2023-06-08 02:03:01 UTC
Type: ---
Embargoed:



Description Juan Orti 2023-05-31 18:10:07 UTC
Every time I use ping in a rootless container with --network=pasta, I get an AVC.



Reproducible: Always

Steps to Reproduce:
1. As a non-root user run:

podman run --network=pasta -ti --rm fedora:latest bash -c "dnf install -y iputils && ping -c 5 8.8.8.8"
Actual Results:  
We get this AVC:

AVC avc:  denied  { name_bind } for  pid=149601 comm="passt.avx2" src=6278 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=icmp_socket permissive=0

However, the ping works.

Expected Results:  
No AVC
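To make the denial above easier to read, here is an added example (not part of the bug report, and not the container-selinux change that fixed it) that parses the AVC record quoted in the description and renders the allow rule audit2allow would derive from it. The sample records are constructed copies of the line above; the second one is the same denial wrapped in the auditd "type=AVC msg=audit(...)" prefix to show both formats parse and merge to one rule. The actual policy change shipped in container-selinux-2.218.0 is not shown on this page, so the rule produced here is a triage aid, not the fix.

```python
import re

# Constructed copies of the AVC record quoted in the bug description. The first is
# the raw form as pasted; the second is the same denial as auditd logs it.
AVC_LINE = (
    'AVC avc:  denied  { name_bind } for  pid=149601 comm="passt.avx2" src=6278 '
    'scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:port_t:s0 tclass=icmp_socket permissive=0'
)
SAMPLE_LOG = [
    AVC_LINE,
    'type=AVC msg=audit(1685556607.000:1): avc:  denied  { name_bind } for  pid=149700 '
    'comm="passt.avx2" src=6301 '
    'scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:port_t:s0 tclass=icmp_socket permissive=0',
    'type=SYSCALL msg=audit(1685556607.000:1): arch=c000003e syscall=49 success=no',
]

# "avc: denied { perm ... } for key=value ..." is the stable part of an AVC record,
# whatever prefix (audit.log, journal, dmesg) precedes it.
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into result, permissions, raw fields and the type pair."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group('fields'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'fields': fields,
        # permissive=1 means the denial was logged but the operation was allowed
        'permissive': fields.get('permissive') == '1',
    }
    # A context is user:role:type[:range]; the type is what an allow rule names.
    rec['stype'] = fields['scontext'].split(':')[2]
    rec['ttype'] = fields['tcontext'].split(':')[2]
    rec['tclass'] = fields['tclass']
    return rec


def is_enforced_denial(rec):
    """True when the access was actually blocked (denied in enforcing mode)."""
    return rec['result'] == 'denied' and not rec['permissive']


def _fmt_perms(perms):
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def allow_rule(rec):
    """Render the allow rule audit2allow would emit for a single record."""
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'],
                                    _fmt_perms(rec['perms']))


def triage(lines):
    """Merge denials by (source type, target type, class) into one rule each.

    Non-AVC records (SYSCALL, PROCTITLE, ...) and granted records are skipped;
    permissive-mode denials are kept because the policy would still block them
    once enforcing is turned on.
    """
    merged = {}
    for line in lines:
        if 'avc:' not in line:
            continue
        rec = parse_avc(line)
        if rec['result'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    return ['allow %s %s:%s %s;' % (s, t, c, _fmt_perms(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    # src is the local port field of the bind; for an ICMP socket it is the echo id
    print('%s tried %s on %s:%s (src=%s), enforced=%s' % (
        rec['fields']['comm'], ' '.join(rec['perms']), rec['ttype'], rec['tclass'],
        rec['fields']['src'], is_enforced_denial(rec)))
    for rule in triage(SAMPLE_LOG):
        print(rule)
```

Two caveats for anyone tempted to load the derived rule as a local module: port_t is the generic port type, so `allow container_runtime_t port_t:icmp_socket name_bind;` is broader than a rule scoped to a dedicated port type, and container_runtime_t is the domain passt runs in here (per the scontext), not just the container's domain. On a system with the fixed package from the "Fixed In Version" field, `sesearch -A -s container_runtime_t -t port_t -c icmp_socket -p name_bind` (setools) shows whether a matching rule is now in the loaded policy, and `ausearch -m AVC -c passt.avx2 -ts recent` confirms the denial has stopped being logged.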

Comment 1 Juan Orti 2023-05-31 18:11:49 UTC
Tested with:

passt-0^20230509.g96f8d55-1.fc38.x86_64
passt-selinux-0^20230509.g96f8d55-1.fc38.noarch
selinux-policy-38.12-1.fc38.noarch
selinux-policy-targeted-38.12-1.fc38.noarch


● fedora:fedora/x86_64/coreos/stable
                  Version: 38.20230430.3.1 (2023-05-15T21:32:02Z)
               BaseCommit: e7109bec01fdc47125e43fca01b9817d2371557a019bbcfc6a45527c93a23f98
             GPGSignature: Valid signature by 6A51BBABBA3D5467B6171221809A8D7CEB10B464
          LayeredPackages: borgbackup borgmatic btrbk passt python3 vim

Comment 2 Zdenek Pytela 2023-06-01 09:02:43 UTC
Switching the component.

Comment 4 Fedora Update System 2023-06-06 12:06:52 UTC
FEDORA-2023-0e2449e909 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0e2449e909

Comment 5 Fedora Update System 2023-06-06 12:07:34 UTC
FEDORA-2023-a6bd0b248b has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a6bd0b248b

Comment 6 Fedora Update System 2023-06-07 01:32:03 UTC
FEDORA-2023-d41fad4b7b has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-d41fad4b7b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-d41fad4b7b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-06-07 01:39:07 UTC
FEDORA-2023-f3847c4ae8 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f3847c4ae8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f3847c4ae8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-06-08 02:03:01 UTC
FEDORA-2023-f3847c4ae8 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2023-06-15 02:40:42 UTC
FEDORA-2023-d41fad4b7b has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

