FWIW, after a bit more experimentation I get the same results when attempting to run a second container attached to the first container's network stack using the --network argument, without using a pod.
$ rpm -q podman container-selinux
podman-1.0.0-2.git921f98f.module+el8+2785+ff8a053f.x86_64
container-selinux-2.94-1.git1e99f1d.module+el8.0.0+2958+4e823551.noarch
AVCs:
time->Mon Jul 8 13:08:18 2019
type=PROCTITLE msg=audit(1562616498.734:157):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616498.734:157): arch=c000003e syscall=2 success=no exit=-13
a0=7f05ef7ab945 a1=80000 a2=1b6 a3=80000 items=0 ppid=3788 pid=3789 auid=1000 uid=999
gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616498.734:157): avc: denied { read } for pid=3789
comm="java" name="resolv.conf" dev="tmpfs" ino=63821
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Mon Jul 8 13:08:18 2019
type=PROCTITLE msg=audit(1562616498.734:158):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616498.734:158): arch=c000003e syscall=2 success=no exit=-13
a0=7f05ec9712d1 a1=80000 a2=1b6 a3=80000 items=0 ppid=3788 pid=3789 auid=1000 uid=999
gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616498.734:158): avc: denied { read } for pid=3789
comm="java" name="hosts" dev="tmpfs" ino=63822
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Mon Jul 8 13:08:25 2019
type=PROCTITLE msg=audit(1562616505.888:165):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616505.888:165): arch=c000003e syscall=2 success=no exit=-13
a0=7f05ec9712d1 a1=80000 a2=1b6 a3=80000 items=0 ppid=3788 pid=3789 auid=1000 uid=999
gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616505.888:165): avc: denied { read } for pid=3789
comm="java" name="hosts" dev="tmpfs" ino=63822
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Mon Jul 8 13:08:25 2019
type=PROCTITLE msg=audit(1562616505.889:166):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616505.889:166): arch=c000003e syscall=2 success=no exit=-13
a0=7f05c44a18c8 a1=0 a2=1b6 a3=0 items=0 ppid=3788 pid=3789 auid=1000 uid=999 gid=999
euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616505.889:166): avc: denied { read } for pid=3789
comm="java" name="resolv.conf" dev="tmpfs" ino=63821
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Mon Jul 8 13:08:31 2019
type=PROCTITLE msg=audit(1562616511.362:167):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616511.362:167): arch=c000003e syscall=2 success=no exit=-13
a0=7f05ef7ab945 a1=80000 a2=1b6 a3=80000 items=0 ppid=3788 pid=3789 auid=1000 uid=999
gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616511.362:167): avc: denied { read } for pid=3789
comm="java" name="resolv.conf" dev="tmpfs" ino=63821
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Mon Jul 8 13:08:31 2019
type=PROCTITLE msg=audit(1562616511.362:168):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616511.362:168): arch=c000003e syscall=2 success=no exit=-13
a0=7f05ec9712d1 a1=80000 a2=1b6 a3=80000 items=0 ppid=3788 pid=3789 auid=1000 uid=999
gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616511.362:168): avc: denied { read } for pid=3789
comm="java" name="hosts" dev="tmpfs" ino=63822
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Mon Jul 8 13:08:31 2019
type=PROCTITLE msg=audit(1562616511.363:169):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616511.363:169): arch=c000003e syscall=2 success=no exit=-13
a0=7f05ec9712d1 a1=80000 a2=1b6 a3=80000 items=0 ppid=3788 pid=3789 auid=1000 uid=999
gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616511.363:169): avc: denied { read } for pid=3789
comm="java" name="hosts" dev="tmpfs" ino=63822
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Mon Jul 8 13:08:31 2019
type=PROCTITLE msg=audit(1562616511.804:170):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616511.804:170): arch=c000003e syscall=2 success=no exit=-13
a0=7f05ef7ab945 a1=80000 a2=1b6 a3=80000 items=0 ppid=3788 pid=3789 auid=1000 uid=999
gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616511.804:170): avc: denied { read } for pid=3789
comm="java" name="resolv.conf" dev="tmpfs" ino=63821
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Mon Jul 8 13:08:31 2019
type=PROCTITLE msg=audit(1562616511.805:171):
proctitle=2F7573722F62696E2F6A617661002D586D733531326D002D586D783531326D002D446C6F67617070656E6465723D5354444F5554002D446A6176612E73656375726974792E6567643D2F6465762F7572616E646F6D002D6370002F6F70742F7075707065746C6162732F7365727665722F617070732F70757070657473657276
type=SYSCALL msg=audit(1562616511.805:171): arch=c000003e syscall=2 success=no exit=-13
a0=7f05ec9712d1 a1=80000 a2=1b6 a3=80000 items=0 ppid=3788 pid=3789 auid=1000 uid=999
gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=3
comm="java" exe="/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616511.805:171): avc: denied { read } for pid=3789
comm="java" name="hosts" dev="tmpfs" ino=63822
scontext=system_u:system_r:container_t:s0:c128,c866
tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
On Jul 8, 2019, at 11:48 AM, Daniel Walsh <dwalsh(a)redhat.com> wrote:
On 7/4/19 2:05 PM, Chris Vale wrote:
> Hello,
>
> Just starting to experiment with Podman on RHEL8 and I’m seeing SELinux denials (on
> the host) related to containers I create within a pod for the files automatically created
> as overlays, most typically hosts and resolv.conf, when performing network related tasks
> that require name resolution. Of course the containers are unable to read the files in
> question due to the denials. I don’t see this behavior when deploying containers outside
> of a pod.
>
> On containers that work as expected I notice the SELinux type for the files in
> question on the host are container_file_t. However, for containers that experience the
> denials the SELinux type for the files in question on the host are set to
> container_var_run_t. Interestingly enough the pod infrastructure container has files
> labeled with container_file_t.
>
> Is this normal behavior for containers added to a pod or perhaps I’m missing
> something?
>
>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
This sounds like a bug. Could you attach the AVCs?
rpm -q podman container-selinux
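For triaging a dump like the one in this thread, here is an added example (not from the thread, from podman or from container-selinux) that parses AVC records and groups the denials by source type, target type, object class and permission, flagging any file target whose label is not one a container_t process is expected to read. The sample records are constructed from the ones posted above, and EXPECTED_FILE_TYPES is an assumption based on container-selinux conventions and the container_file_t vs container_var_run_t observation in the thread.

```python
import re
# Constructed sample modelled on the AVC records in the thread above (SYSCALL line
# abbreviated); the last record is an invented, unrelated denial on a home-dir file.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1562616498.734:157): arch=c000003e syscall=2 success=no exit=-13 comm="java" subj=system_u:system_r:container_t:s0:c128,c866 key=(null)
type=AVC msg=audit(1562616498.734:157): avc:  denied  { read } for  pid=3789 comm="java" name="resolv.conf" dev="tmpfs" ino=63821 scontext=system_u:system_r:container_t:s0:c128,c866 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562616498.734:158): avc:  denied  { read } for  pid=3789 comm="java" name="hosts" dev="tmpfs" ino=63822 scontext=system_u:system_r:container_t:s0:c128,c866 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562616505.888:165): avc:  denied  { read } for  pid=3789 comm="java" name="hosts" dev="tmpfs" ino=63822 scontext=system_u:system_r:container_t:s0:c128,c866 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562617000.100:190): avc:  denied  { read open } for  pid=4102 comm="cat" name="notes.txt" dev="dm-0" ino=9901 scontext=system_u:system_r:container_t:s0:c5,c9 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""
# \s+ tolerates both ausearch's double spaces and the single spaces left by mail clients.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
# File types a confined container_t process is expected to read (assumption from
# container-selinux conventions and the thread); anything else is a labelling problem.
EXPECTED_FILE_TYPES = {"container_file_t", "container_ro_file_t"}

def selinux_type(context):
    """Type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """One dict per AVC denial record; SYSCALL/PROCTITLE records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["stype"], d["ttype"] = selinux_type(d["scontext"]), selinux_type(d["tcontext"])
            denials.append(d)
    return denials

def summarize(denials):
    """Group by (source type, target type, class, permission) and collect the file
    names hit, so a label mismatch shows up as one line instead of many."""
    groups = {}
    for d in denials:
        for perm in d["perms"]:
            g = groups.setdefault((d["stype"], d["ttype"], d["tclass"], perm),
                                  {"count": 0, "names": set(), "label_mismatch": False})
            g["count"] += 1
            if d["name"]:
                g["names"].add(d["name"])
            g["label_mismatch"] = (d["stype"] == "container_t" and d["tclass"] == "file"
                                   and d["ttype"] not in EXPECTED_FILE_TYPES)
    return groups
```

Feed it `ausearch -m AVC -ts recent` output (or the raw audit.log) and the container_var_run_t line above collapses to a single entry naming hosts and resolv.conf; a denial on container_file_t with mismatched MCS categories is a different cause and is deliberately not flagged.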