
Comments (11)

Thor-x86 commented on August 17, 2024

Update

Rootless Podman also won't work under the container_user_r role, even though cgroup v2 is in use. Here's what happened when I ran the container:

[[email protected] ~]$ podman start -ai nginx
WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available
WARN[0000] For using systemd, you may need to log in using a user session
WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 1008` (possibly as root)
WARN[0000] Falling back to --cgroup-manager=cgroupfs
{"msg":"exec container process `/docker-entrypoint.sh`: Permission denied","level":"error","time":"2023-1115T15:04:49.311235Z"}

Then the ausearch logs:

$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Wed Nov 15 22:02:57 2023
type=SELINUX_ERR msg=audit(1700060577.134:1354): op=security_compute_sid invalid_context="container_u:container_user_r:kmod_t:s0-s0:c512" scontext=container_u:container_user_r:container_runtime_t:s0-s0:c512 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=process
----
time->Wed Nov 15 22:03:25 2023
type=AVC msg=audit(1700060605.934:1363): avc:  denied  { search } for  pid=6020 comm="sudo" name="1" dev="proc" ino=2107 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
time->Wed Nov 15 22:04:08 2023
type=SELINUX_ERR msg=audit(1700060648.070:1412): op=security_compute_sid invalid_context="container_u:container_user_r:kmod_t:s0-s0:c512" scontext=container_u:container_user_r:container_runtime_t:s0-s0:c512 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=process
----
time->Wed Nov 15 22:04:22 2023
type=AVC msg=audit(1700060662.201:1413): avc:  denied  { transition } for  pid=6197 comm="3" path="/docker-entrypoint.sh" dev="overlay" ino=20386 scontext=container_u:container_user_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c429,c593 tclass=process permissive=0
----
time->Wed Nov 15 22:04:49 2023
type=AVC msg=audit(1700060689.310:1418): avc:  denied  { transition } for  pid=6260 comm="3" path="/docker-entrypoint.sh" dev="overlay" ino=20386 scontext=container_u:container_user_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c429,c593 tclass=process permissive=0
[DONE]

I have no idea what's happening with SELinux. I'm literally stuck now ☹️ I doubt that uninstalling the container-selinux package and then using staff_u for each container is a safe option. Please give some guidance, or at least information on how to debug those pesky segfaults (I have experience with GDB, but not for running systemd processes).

from container-selinux.

Thor-x86 commented on August 17, 2024

Update 2

Running under user_u also doesn't work. The reason is the same: permission denied. The AVC report is almost identical to the one in the previous comment. However, systemd and the user DBus are working properly. Changing to permissive mode definitely works as expected, but that defeats the purpose of SELinux. At this point, I'm not sure whether rootless podman is designed to work with SELinux, or perhaps I missed something? I dunno... @rhatdan, please give your guidance.

rhatdan commented on August 17, 2024

What version of podman are you attempting this with?


Thor-x86 commented on August 17, 2024

What version of podman are you attempting this with?

At that time, Podman was up to date. I believe v4.7.2.

rhatdan commented on August 17, 2024

Could you try again to make sure it is 4.7.2, or better yet 4.8.*?

Thor-x86 commented on August 17, 2024

I'm going to re-install Fedora Server after I finish my work today, and I'll tell you the result. Thank you for your attention.

Thor-x86 commented on August 17, 2024

I re-installed the latest stable Fedora Server 39 and the latest container-selinux package release. Then I ran these commands:

# dnf upgrade
# reboot
# restorecon -RF /
# semanage user -a -L s0-s0 -r s0-s0:c0.c1023 -R container_user_r container_u
# useradd -d /home/container -F -m -U -s /bin/bash -Z container_u --selinux-range s0-s0:c0.1023 container
$ exit 0

Then I logged in as container and ran this command:

$ systemctl --user status
-bash: systemctl: command not found

$ ls $(which systemctl)
/usr/bin/which: no systemctl in (/home/container/.local/bin:/home/container/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)

Well... that's weird. Then I went back to the admin user (which is staff_u) and ran these commands:

$ ls $(which systemctl)
-rwxr-xr-x. 1 root root system_u:object_r:systemd_systemctl_exec_t:s0 316K Nov 29 07:00 /usr/bin/systemctl

# systemctl start user@1001
Job for [email protected] failed because a fatal signal was delivered to the control process.
See "systemctl status [email protected]" and "journalctl -xeu [email protected]" for details.

# journalctl -xeu [email protected]
 Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

A start job for unit [email protected] has begun execution.

The job identifier is 3921.
Dec 22 06:10:14 localhost.localdomain (systemd)[2359]: pam_unix(systemd-user:session): session opened for user containe>
Dec 22 06:10:14 localhost.localdomain systemd[1]: [email protected]: Main process exited, code=killed, status=11/SEGV
Subject: Unit process exited

Here 1001 is the UID/GID of the container user. As you can see, the problem still exists. By the way, all packages are already up to date.

$ uname -r
6.6.7-200.fc39.x86_64

Edit

I realized that the latest package isn't actually the latest:

# dnf info container-selinux
Last metadata expiration check: 0:44:37 ago on Fri 22 Dec 2023 05:32:41 AM WIB.
Installed Packages
Name         : container-selinux
Epoch        : 2
Version      : 2.226.0
Release      : 1.fc39
Architecture : noarch
Size         : 67 k
Source       : container-selinux-2.226.0-1.fc39.src.rpm
Repository   : @System
From repo    : updates
Summary      : SELinux policies for container runtimes
URL          : https://github.com/containers/container-selinux
License      : GPL-2.0-only
Description  : SELinux policy modules for use with container runtimes.

Is it still on rawhide?


rhatdan commented on August 17, 2024

What are the latest AVC messages you are seeing?


Thor-x86 commented on August 17, 2024

# systemctl start user@1001
Job for [email protected] failed because a fatal signal was delivered to the control process.
See "systemctl status [email protected]" and "journalctl -xeu [email protected]" for details.

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

That's odd... perhaps this is entirely a systemd bug? I also tried logging in as the container user and then ran this:

$ systemctl --user status
-bash: systemctl: command not found

And then I went back to the admin user to run this:

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>

I have no idea why the previous AVC messages suddenly disappeared after I re-installed Fedora and upgraded to the latest stable release. Despite that, auditd is still working properly:

# systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sat 2023-12-23 04:03:52 WIB; 4min 17s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 812 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 821 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 814 (auditd)
      Tasks: 4 (limit: 2227)
     Memory: 5.2M
        CPU: 248ms
     CGroup: /system.slice/auditd.service
             ├─814 /sbin/auditd
             └─816 /usr/sbin/sedispatch

Dec 23 04:03:51 localhost systemd[1]: Starting auditd.service - Security Auditing Service...
Dec 23 04:03:51 localhost auditd[814]: audit dispatcher initialized with q_depth=2000 and 1 active plugins
Dec 23 04:03:51 localhost auditd[814]: Init complete, auditd 3.1.2 listening for events (startup state enable)
Dec 23 04:03:52 localhost augenrules[821]: /sbin/augenrules: No change
Dec 23 04:03:52 localhost augenrules[833]: No rules
Dec 23 04:03:52 localhost systemd[1]: Started auditd.service - Security Auditing Service.


rhatdan commented on August 17, 2024

Dontaudit rules are hiding the denial.

sudo semodule -DB

Now you should see the AVCs

sudo semodule -B

To turn the dontaudit rules back on.

Thor-x86 commented on August 17, 2024

# semodule -DB

# systemctl start user@1001
Job for [email protected] failed because a fatal signal was delivered to the control process.
See "systemctl status [email protected]" and "journalctl -xeu [email protected]" for details.

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.461:184): avc:  denied  { net_admin } for  pid=1177 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.461:185): avc:  denied  { net_admin } for  pid=1177 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.504:187): avc:  denied  { read } for  pid=1179 comm="(systemd)" name="shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.526:188): avc:  denied  { siginh } for  pid=1180 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:194): avc:  denied  { read write } for  pid=1179 comm="systemd" path="socket:[2942]" dev="sockfs" ino=2942 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:195): avc:  denied  { read write } for  pid=1179 comm="systemd" path="socket:[2942]" dev="sockfs" ino=2942 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:196): avc:  denied  { siginh } for  pid=1179 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:197): avc:  denied  { map } for  pid=1179 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0

Great! It's starting to show something. Out of curiosity, I tried the same command in permissive mode to get more denial information.

# setenforce 0

# systemctl start user@1001

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.642:225): avc:  denied  { net_admin } for  pid=1225 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.682:227): avc:  denied  { read } for  pid=1227 comm="(systemd)" name="shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.682:228): avc:  denied  { open } for  pid=1227 comm="(systemd)" path="/etc/shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:234): avc:  denied  { read write } for  pid=1227 comm="systemd" path="socket:[10401]" dev="sockfs" ino=10401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:235): avc:  denied  { siginh } for  pid=1227 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=process permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:236): avc:  denied  { map } for  pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:237): avc:  denied  { read } for  pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:238): avc:  denied  { execute } for  pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.698:239): avc:  denied  { map } for  pid=1227 comm="systemd" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:240): avc:  denied  { search } for  pid=1227 comm="systemd" name="1" dev="proc" ino=49 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:241): avc:  denied  { read } for  pid=1227 comm="systemd" name="cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:242): avc:  denied  { open } for  pid=1227 comm="systemd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:243): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:244): avc:  denied  { read } for  pid=1227 comm="systemd" name="cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:245): avc:  denied  { open } for  pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:246): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:247): avc:  denied  { ioctl } for  pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.718:248): avc:  denied  { prog_load } for  pid=1227 comm="systemd" scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=bpf permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.731:249): avc:  denied  { ioctl } for  pid=1227 comm="systemd" path="/proc/cpuinfo" dev="proc" ino=4026532021 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.744:250): avc:  denied  { read } for  pid=1227 comm="systemd" name="mount" dev="tmpfs" ino=326 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:251): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/dev/dm-0" dev="devtmpfs" ino=392 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:252): avc:  denied  { search } for  pid=1227 comm="systemd" name="udev" dev="tmpfs" ino=52 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:253): avc:  denied  { read } for  pid=1227 comm="systemd" name="b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:254): avc:  denied  { open } for  pid=1227 comm="systemd" path="/run/udev/data/b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:255): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/run/udev/data/b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.746:256): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.747:257): avc:  denied  { search } for  pid=1227 comm="systemd" name="user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:258): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:259): avc:  denied  { read } for  pid=1227 comm="systemd" name="user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:260): avc:  denied  { open } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:261): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/session.slice" dev="dm-0" ino=25524631 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:262): avc:  denied  { read } for  pid=1227 comm="systemd" name="10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:263): avc:  denied  { open } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/slice.d/10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:264): avc:  denied  { ioctl } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/slice.d/10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:265): avc:  denied  { read } for  pid=1227 comm="systemd" name="systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:266): avc:  denied  { open } for  pid=1227 comm="systemd" path="/run/udev/tags/systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:267): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/run/udev/tags/systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.773:268): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/dev/sr0" dev="devtmpfs" ino=341 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.776:269): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/dev/ptp0" dev="devtmpfs" ino=540 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.873:270): avc:  denied  { read } for  pid=1227 comm="systemd" name="net" dev="proc" ino=4026531845 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:271): avc:  denied  { read } for  pid=1227 comm="systemd" name="dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:272): avc:  denied  { open } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:273): avc:  denied  { ioctl } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.888:274): avc:  denied  { search } for  pid=1227 comm="systemd" name="1" dev="proc" ino=49 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.892:275): avc:  denied  { compute_create } for  pid=1227 comm="systemd" scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.895:276): avc:  denied  { getattr } for  pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:277): avc:  denied  { execute } for  pid=1240 comm="(ystemctl)" name="systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:278): avc:  denied  { read open } for  pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:279): avc:  denied  { execute_no_trans } for  pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.897:280): avc:  denied  { map } for  pid=1240 comm="systemctl" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:281): avc:  denied  { getattr } for  pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:282): avc:  denied  { execute } for  pid=1241 comm="(tmpfiles)" name="systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:283): avc:  denied  { read open } for  pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:284): avc:  denied  { execute_no_trans } for  pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.899:285): avc:  denied  { map } for  pid=1241 comm="systemd-tmpfile" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.904:286): avc:  denied  { read } for  pid=1240 comm="systemctl" name="root" dev="proc" ino=92 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1

EDIT

I just figured out what happened after I stored the last logs above as systemd_denials.log and then executed audit2allow -i systemd_denials.log -o systemd_fix.te. Here's the content of systemd_fix.te:

#============= container_user_t ==============
allow container_user_t clock_device_t:chr_file getattr;
allow container_user_t dbusd_unit_file_t:file { getattr ioctl open read };
allow container_user_t fixed_disk_device_t:blk_file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t init_exec_t:file map;
allow container_user_t init_exec_t:file { execute read };
allow container_user_t init_t:dir search;
allow container_user_t init_t:file { getattr ioctl open read };
allow container_user_t init_t:lnk_file read;
allow container_user_t init_t:unix_stream_socket { read write };
allow container_user_t mount_var_run_t:dir read;
allow container_user_t proc_net_t:lnk_file read;
allow container_user_t proc_t:file { getattr ioctl open read };
allow container_user_t removable_device_t:blk_file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t security_t:file map;
allow container_user_t security_t:security compute_create;
allow container_user_t self:bpf prog_load;
allow container_user_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t systemd_systemctl_exec_t:file map;
allow container_user_t systemd_tmpfiles_exec_t:file { execute execute_no_trans getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t systemd_tmpfiles_exec_t:file map;
allow container_user_t systemd_unit_file_t:dir { getattr open read search };
allow container_user_t systemd_unit_file_t:file { getattr ioctl open read };
allow container_user_t udev_var_run_t:dir { getattr open read search };
allow container_user_t udev_var_run_t:file { getattr open read };

#============= init_t ==============
allow init_t container_user_t:process siginh;
allow init_t shadow_t:file { open read };

#============= systemd_logind_t ==============
allow systemd_logind_t self:capability net_admin;

Running sudo setsebool -P domain_can_mmap_files=true still doesn't fix the problem. I think we have to modify the policy manually.
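As an added example (not code from this thread or from the container-selinux project), the script below does what the semodule -DB / audit2allow steps above do by hand: it parses ausearch AVC records into the candidate allow rules audit2allow would print, and marks the rules a reviewer should look at before loading them (shadow_t access, capabilities, executing another domain's entry point without a transition, BPF loading). The sample records are copied from the thread's output and embedded as constructed input; the "REVIEW:" comments are this example's own convention.

```python
"""Turn SELinux AVC denial records (ausearch output) into candidate allow
rules, audit2allow-style, and flag rules that need a human decision.

Added example; not part of the container-selinux project.
"""
import re
from collections import defaultdict

# Constructed sample: a few of the AVC records quoted in the thread.
# Four were logged in enforcing mode (permissive=0), three in permissive mode.
SAMPLE_AVCS = """\
type=AVC msg=audit(1703765948.461:184): avc:  denied  { net_admin } for  pid=1177 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1703765948.504:187): avc:  denied  { read } for  pid=1179 comm="(systemd)" name="shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1703765948.540:194): avc:  denied  { read write } for  pid=1179 comm="systemd" path="socket:[2942]" dev="sockfs" ino=2942 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1703765948.540:197): avc:  denied  { map } for  pid=1179 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1703766251.692:237): avc:  denied  { read } for  pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1703766251.692:238): avc:  denied  { execute } for  pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1703766251.718:248): avc:  denied  { prog_load } for  pid=1227 comm="systemd" scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=bpf permissive=1
"""

# One AVC record: "{ perms }", then scontext/tcontext/tclass, optional permissive flag.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m["perms"].split(),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",
    }


def parse_records(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize_modes(records):
    """(enforcing, permissive) counts: enforcing mode stops at the first
    denial, so permissive mode usually reveals the full set, as in the thread."""
    perm = sum(1 for r in records if r["permissive"])
    return len(records) - perm, perm


def build_rules(records):
    """Merge records into {(source_type, target_type, class): set(perms)},
    using 'self' when source and target types are equal, as audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        ttype = "self" if r["ttype"] == r["stype"] else r["ttype"]
        rules[(r["stype"], ttype, r["tclass"])].update(r["perms"])
    return rules


def format_rule(key, perms):
    stype, ttype, tclass = key
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def review_flags(key, perms):
    """Reasons a rule should be reviewed instead of loaded as generated."""
    stype, ttype, tclass = key
    flags = []
    if ttype == "shadow_t":
        flags.append("grants access to the password hash store (shadow_t)")
    if tclass in ("capability", "capability2"):
        flags.append("grants a Linux capability to the whole domain")
    if ttype.endswith("_exec_t") and perms & {"execute", "execute_no_trans"}:
        flags.append(f"runs {ttype} binaries inside {stype} without a domain transition")
    if tclass == "bpf":
        flags.append("allows loading BPF programs")
    if tclass == "file" and "map" in perms:
        flags.append("audit2allow would point at the domain_can_mmap_files boolean for 'map'")
    return flags


def generate_te(avc_text):
    """Render rules grouped by source domain, in the layout audit2allow uses,
    with a '# REVIEW:' comment above every rule that review_flags() marks."""
    rules = build_rules(parse_records(avc_text))
    by_source = defaultdict(list)
    for key in sorted(rules):
        by_source[key[0]].append(key)
    out = []
    for stype in sorted(by_source):
        out.append(f"#============= {stype} ==============")
        for key in by_source[stype]:
            out.extend(f"# REVIEW: {f}" for f in review_flags(key, rules[key]))
            out.append(format_rule(key, rules[key]))
        out.append("")
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(generate_te(SAMPLE_AVCS))
```

Feed it the full ausearch capture (stdin or a file) to compare its output with the audit2allow result above; every flagged rule is a place where a tighter rule, a boolean, or a proper domain transition should be considered instead.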
