Hi Chintan,
I got the envoy container running, but used the example config on envoy's Getting Started page:
https://www.envoyproxy.io/docs/envoy/latest/start/start
Steps I followed:
1) Created a starter container
2) Created an SELinux policy using udica
3) Started the container and monitored /var/log/audit/audit.log for denials
4) Updated the udica-generated *.cil file every time the container failed to start, until it finally started. This took 3 attempts, starting on the 4th.
Granted, not the most user-friendly way of getting the container running, but I think contained from a security standpoint.
1) Starter Container
```
# Starter container: no --security-opt label yet, so it would run with podman's
# default container type. It is only created, not started; udica works from its
# inspect output (mounts, ports, capabilities).
podman create --name envoy \
  --label envoy=envoy \
  -p 10000:10000 \
  -v ${PWD}/envoy_example.yaml:/etc/envoy/envoy.yaml \
  envoyproxy/envoy:v1.15.0
```
2) Create Policy & remove starter container
```
# Dump the container definition and let udica derive a policy block named
# "envoy" from it; the confined type it defines is envoy.process.
podman inspect envoy > envoy_container.json
udica -j envoy_container.json envoy
# Install the module together with the udica templates its block inherits from.
semodule -i envoy.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
podman rm envoy
```
3) Create Final Container, attempt to start and monitor audit.log
```
# Same container, now confined to the udica type. The :Z on the bind mount
# relabels the config file privately for this container so the confined
# process is allowed to read it.
podman create --name envoy \
  --security-opt label=type:envoy.process \
  --label envoy=envoy \
  -p 10000:10000 \
  -v ${PWD}/envoy_example.yaml:/etc/envoy/envoy.yaml:Z \
  envoyproxy/envoy:v1.15.0
podman start envoy
```
Each time the container failed to start it would log a denial. After each denial I updated the *.cil policy file to allow the denial, and re-applied the policy with:
`semodule -i envoy.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}`
- Startup 1
```
type=AVC msg=audit(1599771689.994:11166): avc: denied { read } for pid=1194200 comm="docker-entrypoi" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-9" ino=71349652 scontext=system_u:system_r:envoy.process:s0:c76,c889 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
```
- Results in allow rule
```
(allow process default_t ( file ( read )))
```
- Startup 2
```
type=AVC msg=audit(1599772073.397:11205): avc: denied { setattr } for pid=1218170 comm="chown" name="" dev="pipefs" ino=6650489 scontext=system_u:system_r:envoy.process:s0:c76,c889 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
```
- Results in allow rule
```
(allow process container_runtime_t ( fifo_file ( setattr )))
```
- Startup 3
```
type=AVC msg=audit(1599772272.855:11237): avc: denied { name_bind } for pid=1232662 comm="envoy" src=9901 scontext=system_u:system_r:envoy.process:s0:c76,c889 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
```
- Results in allow rule
```
(allow process unreserved_port_t ( tcp_socket ( name_bind )))
```
The final *.cil file looked like this:
```
(block envoy
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))
    (allow process usr_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
    (allow process usr_t ( file ( getattr read write append ioctl lock map open create )))
    (allow process usr_t ( sock_file ( getattr read write append open )))
    (allow process default_t ( file ( read )))
    (allow process container_runtime_t ( fifo_file ( setattr )))
    (allow process unreserved_port_t ( tcp_socket ( name_bind )))
)
```
The container started and a curl test was successful:
```
# podman ps -a --filter "label=envoy=envoy"
CONTAINER ID  IMAGE                               COMMAND               CREATED             STATUS                 PORTS                     NAMES
44f02a9f2ac3  docker.io/envoyproxy/envoy:v1.15.0  envoy -c /etc/env...  About a minute ago  Up About a minute ago  0.0.0.0:10000->10000/tcp  envoy
# curl -I localhost:10000
HTTP/1.1 200 OK
content-type: text/html; charset=ISO-8859-1
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Thu, 10 Sep 2020 21:40:16 GMT
server: envoy
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Thu, 10 Sep 2020 21:40:16 GMT
cache-control: private
set-cookie: 1P_JAR=2020-09-10-21; expires=Sat, 10-Oct-2020 21:40:16 GMT; path=/; domain=.google.com; Secure
set-cookie: NID=204=Py9ONzAvLYe41BNU_HWe88th45fOsxWWmjbh6aodR2wroK8r7gY8blxHV54zG7deSKNmtOT66FQQnyPn8vpk_vb6CwE6ZH-_D3KQgNByttyF2qdUifuYnfzMlirQKv1aWejLrQPdTpt7WDjULDZDTlNpa9BIsvfA4dSShDrfgx4; expires=Fri, 12-Mar-2021 21:40:16 GMT; path=/; domain=.google.com; HttpOnly
alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
x-envoy-upstream-service-time: 64
transfer-encoding: chunked
```
Hope this helps.
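The start / read-denial / edit-.cil / semodule loop described in the message above, automated, as an added example that is neither part of this thread nor udica's own tooling. It turns each AVC record whose source type is the udica process type into a CIL allow rule of exactly the shape the three rules above have (`(allow process <target type> ( <class> ( <perms> )))`), merges the new rules into the udica-generated .cil file, and reinstalls the module with the same templates. Assumptions: the names and paths from the message (block `envoy`, type `envoy.process`, `/var/log/audit/audit.log`, the udica template directory), that the .cil file ends with the block's closing `)` as udica writes it, and that `podman inspect -f '{{.State.Running}}'` is how the example decides the container is up. `avc_to_cil`, `merge_rules`, `iterate_once` and `converge` are names chosen here; `SAMPLE_AVC` is constructed from the three denials quoted above so the conversion can be checked without podman or SELinux.

```bash
#!/bin/bash
# Added example, not from the original message or from udica.
# Automates the loop in the message: run the confined container; if it exits,
# convert new AVC denials for its process type into CIL allow rules, merge them
# into the .cil file, reinstall the module, and try again.
# Assumed names/paths (from the message): envoy, envoy.process,
# /var/log/audit/audit.log, /usr/share/udica/templates.

# avc_to_cil <process-type>   (AVC records on stdin)
# Keeps records whose scontext type is <process-type> and prints one
#   (allow process <target-type> ( <class> ( <perms> )))
# per distinct (target type, class, permission set), in first-seen order.
# "process" is the block-local name of the udica type, as in the message's rules.
avc_to_cil() {
    awk -v ptype="$1" '
    /avc: +denied/ {
        if (!match($0, /denied +[{][^}]*[}]/)) next
        perms = substr($0, RSTART, RLENGTH)
        sub(/denied +[{] */, "", perms); sub(/ *[}]$/, "", perms)
        scontext = ""; tcontext = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      scontext = substr($i, 10)
            else if ($i ~ /^tcontext=/) tcontext = substr($i, 10)
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        split(scontext, s, ":"); split(tcontext, t, ":")   # user:role:type:level
        if (s[3] != ptype || t[3] == "" || tclass == "") next
        key = t[3] SUBSEP tclass SUBSEP perms
        if (key in seen) next
        seen[key] = 1
        printf "(allow process %s ( %s ( %s )))\n", t[3], tclass, perms
    }'
}

# merge_rules <policy.cil>   (rules on stdin)
# Inserts each rule that is not already present just before the file's last
# line, the ")" closing the udica block, with the 4-space indent udica uses.
merge_rules() {
    local cil="$1" rule
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        grep -qxF -- "    $rule" "$cil" && continue
        { sed '$d' "$cil"; printf '    %s\n)\n' "$rule"; } > "$cil.tmp" && mv "$cil.tmp" "$cil"
    done
}

# iterate_once <container> <policy.cil> <process-type>
# One pass of the message's procedure (run as root on the podman host; not
# exercised by the offline check). Returns 0 once the container stays up,
# 1 after new rules were installed (try again), 2 if it exited without any new
# denial for <process-type>, i.e. the failure is not an SELinux one: stop.
iterate_once() {
    local name="$1" cil="$2" ptype="$3" before after
    before=$(grep -c '^    (allow process' "$cil" || true)
    podman start "$name" >/dev/null
    sleep 5
    if [ "$(podman inspect -f '{{.State.Running}}' "$name")" = "true" ]; then
        echo "$name is up, confined as $ptype"
        return 0
    fi
    grep -E 'avc: +denied' /var/log/audit/audit.log | avc_to_cil "$ptype" | merge_rules "$cil"
    after=$(grep -c '^    (allow process' "$cil" || true)
    if [ "$after" -eq "$before" ]; then
        echo "$name exited but logged no new $ptype denial" >&2
        return 2
    fi
    echo "added $((after - before)) rule(s) to $cil; reinstalling module"
    semodule -i "$cil" /usr/share/udica/templates/{base_container.cil,net_container.cil}
    return 1
}

# converge <container> <policy.cil> <process-type>: repeat until up or stuck.
converge() {
    local rc
    while :; do
        iterate_once "$@"; rc=$?
        [ "$rc" -eq 1 ] || return "$rc"
    done
}

# Constructed sample: the three denials quoted in the message, one record per line.
SAMPLE_AVC='type=AVC msg=audit(1599771689.994:11166): avc:  denied  { read }  for  pid=1194200 comm="docker-entrypoi" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-9" ino=71349652 scontext=system_u:system_r:envoy.process:s0:c76,c889 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599772073.397:11205): avc:  denied  { setattr }  for  pid=1218170 comm="chown" name="" dev="pipefs" ino=6650489 scontext=system_u:system_r:envoy.process:s0:c76,c889 tcontext=unconfined_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1599772272.855:11237): avc:  denied  { name_bind }  for  pid=1232662 comm="envoy" src=9901 scontext=system_u:system_r:envoy.process:s0:c76,c889 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# On the host, after step 2 above:   converge envoy envoy.cil envoy.process
# Offline check of the conversion:   printf '%s\n' "$SAMPLE_AVC" | avc_to_cil envoy.process
```

Two caveats for anyone running this rather than editing by hand. It allows whatever is denied, exactly as the manual loop did, so read each rule `merge_rules` adds before trusting the result: a denial is sometimes better answered by fixing a label than by widening the policy. And because the records above all carry `permissive=0`, every start surfaces only the first denial; putting the type into permissive mode for the tuning run (`semanage permissive -a envoy.process`, then `semanage permissive -d envoy.process` when done) logs all of them in one start and collapses the loop to a single iteration.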