Comments (8)

rhatdan avatar rhatdan commented on July 18, 2024

What AVCs are you seeing when you do this command?
sudo ausearch -m avc -ts recent

from container-selinux.

rptaylor avatar rptaylor commented on July 18, 2024

@rhatdan on the CentOS Stream 8 system with 2.195:

----
time->Thu Mar  2 20:53:51 2023
type=PROCTITLE msg=audit(1677790431.443:429): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F726F6F742F2E616E7369626C652F746D702F616E7369626C652D746D702D313637373739303432362E373836393038342D393439352D3139323137363639303836313334362F416E736962616C6C5A5F646E662E7079
type=SYSCALL msg=audit(1677790431.443:429): arch=c000003e syscall=59 success=no exit=-13 a0=564ea9d22950 a1=564ea797bb70 a2=564ea6807a90 a3=7f4fdb58cd00 items=0 ppid=9517 pid=9523 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="platform-python" exe="/usr/libexec/platform-python3.6" subj=unconfined_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1677790431.443:429): avc:  denied  { transition } for  pid=9523 comm="platform-python" path="/usr/bin/bash" dev="vda1" ino=12671019 scontext=unconfined_u:system_r:spc_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process permissive=0
----
time->Thu Mar  2 20:53:51 2023
type=PROCTITLE msg=audit(1677790431.452:430): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F726F6F742F2E616E7369626C652F746D702F616E7369626C652D746D702D313637373739303432362E373836393038342D393439352D3139323137363639303836313334362F416E736962616C6C5A5F646E662E7079
type=SYSCALL msg=audit(1677790431.452:430): arch=c000003e syscall=59 success=no exit=-13 a0=564ea84c8890 a1=564ea84c88b0 a2=564ea6807a90 a3=7f4fdb58cd00 items=0 ppid=9517 pid=9524 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="platform-python" exe="/usr/libexec/platform-python3.6" subj=unconfined_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1677790431.452:430): avc:  denied  { transition } for  pid=9524 comm="platform-python" path="/usr/bin/bash" dev="vda1" ino=12671019 scontext=unconfined_u:system_r:spc_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process permissive=0
----
time->Thu Mar  2 20:53:51 2023
type=PROCTITLE msg=audit(1677790431.461:431): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F726F6F742F2E616E7369626C652F746D702F616E7369626C652D746D702D313637373739303432362E373836393038342D393439352D3139323137363639303836313334362F416E736962616C6C5A5F646E662E7079
type=SYSCALL msg=audit(1677790431.461:431): arch=c000003e syscall=59 success=no exit=-13 a0=564ea849e090 a1=564ea7aff390 a2=564ea6807a90 a3=7f4fdb58cd00 items=0 ppid=9517 pid=9526 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="platform-python" exe="/usr/libexec/platform-python3.6" subj=unconfined_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1677790431.461:431): avc:  denied  { transition } for  pid=9526 comm="platform-python" path="/usr/bin/bash" dev="vda1" ino=12671019 scontext=unconfined_u:system_r:spc_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process permissive=0

Log messages:

Mar 02 20:53:54 centos8.novalocal /SetroubleshootPrivileged.py[9544]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/200/container
Mar 02 20:53:54 centos8.novalocal setroubleshoot[9525]: SELinux is preventing /usr/libexec/platform-python3.6 from using the transition access on a process. For complete SE>
Mar 02 20:53:54 centos8.novalocal setroubleshoot[9525]: SELinux is preventing /usr/libexec/platform-python3.6 from using the transition access on a process.
                                                        
                                                        *****  Plugin catchall (100. confidence) suggests   **************************
                                                        
                                                        If you believe that platform-python3.6 should be allowed transition access on processes labeled rpm_script_t by defa>
                                                        Then you should report this as a bug.
                                                        You can generate a local policy module to allow this access.
                                                        Do
                                                        allow this access for now by executing:
                                                        # ausearch -c 'platform-python' --raw | audit2allow -M my-platformpython
                                                        # semodule -X 300 -i my-platformpython.pp
                                                        
Mar 02 20:53:54 centos8.novalocal setroubleshoot[9525]: AnalyzeThread.run(): Set alarm timeout to 10
Mar 02 20:53:55 centos8.novalocal setroubleshoot[9525]: AnalyzeThread.run(): Cancel pending alarm
Mar 02 20:53:55 centos8.novalocal /SetroubleshootPrivileged.py[9544]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/200/container
Mar 02 20:53:55 centos8.novalocal setroubleshoot[9525]: SELinux is preventing /usr/libexec/platform-python3.6 from using the transition access on a process. For complete SE>
Mar 02 20:53:55 centos8.novalocal setroubleshoot[9525]: SELinux is preventing /usr/libexec/platform-python3.6 from using the transition access on a process.
                                                        
                                                        *****  Plugin catchall (100. confidence) suggests   **************************
                                                        
                                                        If you believe that platform-python3.6 should be allowed transition access on processes labeled rpm_script_t by defa>
                                                        Then you should report this as a bug.
                                                        You can generate a local policy module to allow this access.
                                                        Do
                                                        allow this access for now by executing:
                                                        # ausearch -c 'platform-python' --raw | audit2allow -M my-platformpython
                                                        # semodule -X 300 -i my-platformpython.pp
Mar 02 20:53:55 centos8.novalocal setroubleshoot[9525]: AnalyzeThread.run(): Set alarm timeout to 10
Mar 02 20:53:57 centos8.novalocal sudo[9552]:   centos : TTY=pts/0 ; PWD=/home/centos ; USER=root ; COMMAND=/sbin/ausearch -m avc -ts recent
Mar 02 20:53:57 centos8.novalocal sudo[9552]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Mar 02 20:53:57 centos8.novalocal sudo[9552]: pam_unix(sudo:session): session opened for user root by centos(uid=0)
Mar 02 20:53:57 centos8.novalocal sudo[9552]: pam_unix(sudo:session): session closed for user root
Mar 02 20:53:57 centos8.novalocal setroubleshoot[9525]: AnalyzeThread.run(): Cancel pending alarm
Mar 02 20:53:57 centos8.novalocal /SetroubleshootPrivileged.py[9544]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/200/container
Mar 02 20:53:57 centos8.novalocal setroubleshoot[9525]: SELinux is preventing /usr/libexec/platform-python3.6 from using the transition access on a process. For complete SE>
Mar 02 20:53:57 centos8.novalocal setroubleshoot[9525]: SELinux is preventing /usr/libexec/platform-python3.6 from using the transition access on a process.
                                                        
                                                        *****  Plugin catchall (100. confidence) suggests   **************************
                                                        
                                                        If you believe that platform-python3.6 should be allowed transition access on processes labeled rpm_script_t by defa>
                                                        Then you should report this as a bug.
                                                        You can generate a local policy module to allow this access.
                                                        Do
                                                        allow this access for now by executing:
                                                        # ausearch -c 'platform-python' --raw | audit2allow -M my-platformpython
                                                        # semodule -X 300 -i my-platformpython.pp

rhatdan avatar rhatdan commented on July 18, 2024

Why are you running this container in privileged mode? Turns out there is a transition going on here, which I fixed in container-selinux-2.202.0.

But running in --privileged mode is almost definitely not called for here.

rptaylor avatar rptaylor commented on July 18, 2024

@rhatdan that is required for the Ansible nsenter connection plugin to work. The container needs to have privileges to be able to nsenter -t 1 -a so that it can perform Ansible actions on the host as root.

rhatdan avatar rhatdan commented on July 18, 2024

So the rpm script is running on the host system?

rhatdan avatar rhatdan commented on July 18, 2024

Could you just run the container with

--cap-add SYS_ADMIN
or
--cap-add all

Does it work?

rptaylor avatar rptaylor commented on July 18, 2024

The ansible process in the container does the equivalent of nsenter and 'dnf update' ; I'm not sure which RPM script you mean but yes it should act on the host.
Thanks for looking at this! I'll try out 2.202 and see if cap SYS_ADMIN is sufficient.

rptaylor avatar rptaylor commented on July 18, 2024

I tried with several caps including SYS_ADMIN but it was not sufficient:

$ sudo podman run --pull=newer --rm -it --pid=host --cap-add SYS_ADMIN --cap-add SYS_CHROOT --cap-add SETUID --cap-add SETGID fedora:36
[root@75c3d90e2d3c /]# nsenter -t 1 -a
nsenter: stat of /proc/1/ns/user failed: Permission denied

With all caps it works:

$ sudo podman run --pull=newer --rm -it --pid=host --cap-add all fedora:36
[root@5ab4c2715757 /]# nsenter -t 1 -a
[root@centos8 /]# 

I see you wrote a whole blog post about this.
I don't know what would be best to do here. The use case is basically the same as running ansible-pull with sudo or 'become: root' so that servers can autonomously and automatically update themselves (including potentially any arbitrary system configuration change that can be written in an Ansible role), but with the ansible environment, git repositories, etc. all managed in a podman container. On one hand it would be good to limit the container to only the privileges it needs, but OTOH Ansible should have full root access to the system so that there is no limitation in what configuration changes it can apply. I'm not sure what privileges Ansible needs to run with, e.g. perhaps making kernel-level configuration changes using sysfs?
