Description of problem:
Cockpit's tests fail on CentOS-9-Stream with the tag repo enabled (koji): https://kojihub.stream.centos.org/kojifiles/repos/c9s-build/latest/x86_64

Version-Release number of selected component (if applicable):
[root@centos-9-stream-127-0-0-2-2201 ~]# rpm -q podman aardvark-dns netavark selinux-policy
podman-4.3.1-3.el9.x86_64
aardvark-dns-1.3.0-1.el9.x86_64
netavark-1.3.0-1.el9.x86_64
selinux-policy-38.1.2-1.el9.noarch

How reproducible:
Always

Steps to Reproduce:
Either launch cockpit with cockpit-podman installed, or use curl:

curl -X GET -s -g --no-buffer --unix-socket /run/podman/podman.sock 'http://localhost/v1.12/libpod/info'

That should activate podman.socket, and podman.service should fail.

Actual results:
[ 48.648949] audit: type=1400 audit(1669978902.909:4): avc: denied { read } for pid=3767 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
[ 48.782451] audit: type=1400 audit(1669978903.043:5): avc: denied { quotamod } for pid=3767 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
[ 48.790435] audit: type=1400 audit(1669978903.051:6): avc: denied { create } for pid=3767 comm="podman" name="netavark.lock" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
[ 48.792099] audit: type=1400 audit(1669978903.053:7): avc: denied { write } for pid=3767 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
[ 48.831018] audit: type=1400 audit(1669978903.091:8): avc: denied { read } for pid=3778 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
[ 48.881706] audit: type=1400 audit(1669978903.142:9): avc: denied { quotamod } for pid=3778 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
[ 48.886245] audit: type=1400 audit(1669978903.147:10): avc: denied { write } for pid=3778 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
[ 48.947136] audit: type=1400 audit(1669978903.207:11): avc: denied { read } for pid=3786 comm="podman" name="journal" dev="tmpfs" ino=61 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
[ 49.049747] audit: type=1400 audit(1669978903.310:12): avc: denied { quotamod } for pid=3786 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
[ 49.052811] audit: type=1400 audit(1669978903.313:13): avc: denied { write } for pid=3786 comm="podman" name="netavark.lock" dev="vda1" ino=8463665 scontext=system_u:system_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

Expected results:
No violations

Additional info:
Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: Started Podman API Service.
Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 podman[11815]: time="2022-12-02T06:11:23-05:00" level=info msg="/usr/bin/podman filtering at log level info"
Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 podman[11815]: time="2022-12-02T06:11:23-05:00" level=info msg="Not using native diff for overlay, this may cause degraded p>
Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 podman[11815]: Error: open /etc/containers/networks/netavark.lock: permission denied
Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: podman.service: Main process exited, code=exited, status=125/n/a
Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: podman.service: Failed with result 'exit-code'.
Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: podman.socket: Trigger limit hit, refusing further activation.
Dec 02 06:11:23 centos-9-stream-127-0-0-2-2201 systemd[1]: podman.socket: Failed with result 'trigger-limit-hit'.
Cannot Reproduce