Comments (6)
This is not a container-selinux issue but a selinux-policy issue.
I have no idea why /tmp/hello is being labeled admin_home_t (Label of /root).
The other question I have is: if the container is running as spc_t, then how do we transition to iptables_t?
from container-selinux.
Hmm... unfortunately my reproduction was faulty; I must have accidentally reused a pre-existing /tmp/hello file that was created by an Ansible template task. I think the reason it has that label must be related to how Ansible sets it up starting from /root/.ansible:
TASK [Test] *****************************************************************************************************************************************************************
task path: /play.yml:4
fatal: [testhost]: FAILED! => {"changed": false, "checksum": "c30b59e5e5af2cf5840483b7ed8932d1bb1a44e3", "exit_status": 1, "msg": "failed to validate", "stderr": "Can't open /root/.ansible/tmp/ansible-tmp-1679430906.8702123-172253-47066720203546/source: Permission denied\n", "stderr_lines": ["Can't open /root/.ansible/tmp/ansible-tmp-1679430906.8702123-172253-47066720203546/source: Permission denied"], "stdout": "", "stdout_lines": []}
So maybe it is an Ansible-related issue ... I will take a closer look. Thanks.
The "hello" file being in /tmp is immaterial I think. Ansible prepares content in ~/.ansible/tmp
which is in the root home dir in this situation anyway.
Here are some cases that can be easily reproduced without Ansible.
Starting off:
[centos@centos8 ~]$ sudo dnf -y install podman iptables
[centos@centos8 ~]$ sudo podman run --pull=newer --rm -it --pid=host --privileged fedora:37
[root@47946f8aefce /]# nsenter -t 1 -a
[root@centos8 /]#
And then, if writing in /tmp or /etc it works:
[root@centos8 /]# echo whatever > /tmp/tmptest; ls -lZ /tmp/tmptest; /usr/sbin/iptables-restore --test /tmp/tmptest
-rw-r--r--. 1 root root unconfined_u:object_r:tmp_t:s0 9 Mar 23 23:02 /tmp/tmptest
iptables-restore: line 1 failed
[root@centos8 /]# echo whatever > /etc/etctest; ls -lZ /etc/etctest; /usr/sbin/iptables-restore --test /etc/etctest
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 9 Mar 23 23:06 /etc/etctest
iptables-restore: line 1 failed
This one really baffles me: it fails if writing in a user home, but there is no AVC denial nor a setroubleshoot SELinux syslog error message! Is SELinux silently blocking it?
[root@centos8 /]# echo whatever > /home/centos/hometest; ls -lZ /home/centos/hometest; /usr/sbin/iptables-restore --test /home/centos/hometest
-rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 9 Mar 23 23:03 /home/centos/hometest
Can't open /home/centos/hometest: Permission denied
Anyway, the relevant case is still writing in /root:
[root@centos8 /]# echo whatever > /root/roottest; ls -lZ /root/roottest; /usr/sbin/iptables-restore --test /root/roottest
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 9 Mar 23 23:03 /root/roottest
Can't open /root/roottest: Permission denied
with this denial:
----
time->Thu Mar 23 23:03:12 2023
type=PROCTITLE msg=audit(1679612592.358:710): proctitle=2F7573722F7362696E2F69707461626C65732D726573746F7265002D2D74657374002F726F6F742F726F6F7474657374
type=SYSCALL msg=audit(1679612592.358:710): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd9a4dc79f a2=80000 a3=0 items=0 ppid=11825 pid=11868 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="iptables-restor" exe="/usr/sbin/xtables-nft-multi" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1679612592.358:710): avc: denied { read } for pid=11868 comm="iptables-restor" name="roottest" dev="vda1" ino=4224539 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
The other question I have is: if the container is running as spc_t, then how do we transition to iptables_t?
I don't know, is there anything I can do to determine that?
This is not a container-selinux issue but a selinux-policy issue.
My apologies. I have already opened ansible/ansible#80269 and ansible-collections/community.docker#599; I don't know enough about SELinux to understand where the problem is.
Anyway maybe I will try opening a selinux-policy issue but any advice you have would be greatly appreciated @rhatdan
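The denial above is easier to reason about once the three audit records are joined by their event id and the hex-encoded PROCTITLE is decoded back into argv. The following script is an added example (not code from the issue thread or from the container-selinux project); it parses the exact records posted above, embedded as a constructed sample, and reduces each denied event to the source domain, target type, permission and command line. The function and variable names are my own.

```python
"""Summarize SELinux AVC denials from raw audit records (added example)."""
import re

# Constructed sample: the PROCTITLE, SYSCALL and AVC records posted in the
# thread, all sharing event id audit(1679612592.358:710).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1679612592.358:710): proctitle=2F7573722F7362696E2F69707461626C65732D726573746F7265002D2D74657374002F726F6F742F726F6F7474657374
type=SYSCALL msg=audit(1679612592.358:710): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd9a4dc79f a2=80000 a3=0 items=0 ppid=11825 pid=11868 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="iptables-restor" exe="/usr/sbin/xtables-nft-multi" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1679612592.358:710): avc: denied { read } for pid=11868 comm="iptables-restor" name="roottest" dev="vda1" ino=4224539 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

# key=value pairs: quoted strings, parenthesised values like (null), or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of its fields plus the event id."""
    rec = {}
    m = EVENT_RE.search(line)
    if m:
        rec["timestamp"] = float(m.group(1))
        rec["event"] = m.group(2)
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    m = AVC_RE.search(line)
    if m:  # only AVC records carry the decision and permission set
        rec["result"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def decode_proctitle(hexstr):
    """PROCTITLE is argv joined by NUL bytes and hex-encoded; recover the list."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\x00")


def context_type(ctx):
    """Return the type component of a user:role:type:level security context."""
    return ctx.split(":")[2]


def group_events(text):
    """Group records by event id so AVC, SYSCALL and PROCTITLE line up."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get("event"), []).append(rec)
    return events


def summarize_denials(text):
    """Return one summary dict per audit event that contains an AVC denial."""
    summaries = []
    for event, recs in group_events(text).items():
        by_type = {r.get("type"): r for r in recs}
        avc = by_type.get("AVC")
        if not avc or avc.get("result") != "denied":
            continue
        summary = {
            "event": event,
            "perms": avc["perms"],
            "source_type": context_type(avc["scontext"]),
            "target_type": context_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "target_name": avc.get("name"),
            "enforced": avc.get("permissive") == "0",
        }
        if "PROCTITLE" in by_type:
            summary["argv"] = decode_proctitle(by_type["PROCTITLE"]["proctitle"])
        if "SYSCALL" in by_type:
            summary["exe"] = by_type["SYSCALL"].get("exe")
            summary["syscall"] = by_type["SYSCALL"].get("syscall")
        summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in summarize_denials(SAMPLE_AUDIT):
        print(f"event {s['event']}: {s['source_type']} denied {s['perms']} "
              f"on {s['tclass']} {s['target_name']!r} labeled {s['target_type']}"
              f" (enforcing={s['enforced']})")
        print("  argv:", " ".join(s.get("argv", [])))
```

For the posted records this yields `iptables_t denied ['read'] on file 'roottest' labeled admin_home_t`, with argv decoded to `/usr/sbin/iptables-restore --test /root/roottest`, which is the whole story of the /root case: the confined iptables_t domain, not spc_t, is the one opening the file. For the user_home_t case where no AVC appeared, the usual reason is a dontaudit rule in the policy; `semodule -DB` temporarily disables dontaudit rules (and `semodule -B` restores them), so re-running the test afterwards will show whether a suppressed denial is involved.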
Try this and see if it works.
sudo podman run --pull=newer --security-opt label=type:unconfined_t --rm -it --pid=host --privileged fedora:37
Aha, that works, thanks! It also avoids some of the issues in #205.