
OPERATIONAL DEFECT DATABASE
Description of problem:

(I don't know what component to file this for; please adjust as needed.)

When downloading a container image that the libnbd project uses in CI on
gitlab.com, the container cannot be entered with SELinux enforcing.

Version-Release number of selected component (if applicable):

  podman: 4.2.0-11.el9_1
  selinux: 3.4-3.el9
  container-selinux: 2.189.0-1.el9
  selinux-policy: 34.1.43-1.el9_1.2

How reproducible:

Always.

Steps to Reproduce:

  cd $HOME
  podman system reset -f
  rm -rf .local/share/containers
  mkdir x
  cd x
  podman run -it --rm --userns=keep-id -v .:/repo:z -w /repo \
    registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest \
    bash

Actual results:

> Trying to pull registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest...
> Getting image source signatures
> Copying blob 0ded2f83af0e done
> Copying blob 88ecf269dec3 done
> Copying config a3b4bffb18 done
> Writing manifest to image destination
> Storing signatures
> Error relocating /usr/lib/libreadline.so.8: RELRO protection failed: Permission denied
> Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
> Error relocating /usr/lib/libncursesw.so.6: RELRO protection failed: Permission denied
> Error relocating /bin/bash: RELRO protection failed: Permission denied

Expected results:

> Trying to pull registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest...
> Getting image source signatures
> Copying blob 0ded2f83af0e done
> Copying blob 88ecf269dec3 done
> Copying config a3b4bffb18 done
> Writing manifest to image destination
> Storing signatures
> bash-5.2$

Additional info:

(1) The "id" command outputs:

> uid=1000(lacos) gid=1000(lacos)
> groups=1000(lacos),10(wheel),18(dialout),135(mock),975(libvirt),1001(lmda)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

(2) The expected result is achievable when setting SELinux to permissive.

(3) With SELinux permissive, a single AVC is generated. "sealert -a" reports:

> SELinux is preventing /bin/bash from read access on the file
> /usr/lib/libreadline.so.8.2.
>
> ***** Plugin restorecon (99.5 confidence) suggests ************************
>
> If you want to fix the label.
> /usr/lib/libreadline.so.8.2 default label should be lib_t.
> Then you can run restorecon. The access attempt may have been stopped
> due to insufficient permissions to access a parent directory in which
> case try to change the following command accordingly.
> Do
> # /sbin/restorecon -v /usr/lib/libreadline.so.8.2
>
> ***** Plugin catchall (1.49 confidence) suggests **************************
>
> If you believe that bash should be allowed read access on the
> libreadline.so.8.2 file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'bash' --raw | audit2allow -M my-bash
> # semodule -X 300 -i my-bash.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:container_t:s0:c62,c364
> Target Context                unconfined_u:object_r:user_home_t:s0
> Target Objects                /usr/lib/libreadline.so.8.2 [ file ]
> Source                        bash
> Source Path                   /bin/bash
> Port                          <Unknown>
> Host                          <Unknown>
> Source RPM Packages           bash-5.1.8-6.el9_1.x86_64
> Target RPM Packages
> SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
> Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     lacos-laptop-9.usersys.redhat.com
> Platform                      Linux lacos-laptop-9.usersys.redhat.com
>                               5.14.0-162.18.1.el9_1.x86_64 #1 SMP
>                               PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
>                               x86_64
> Alert Count                   1
> First Seen                    2023-03-22 12:57:44 CET
> Last Seen                     2023-03-22 12:57:44 CET
> Local ID                      0db129a5-552f-49b2-b3bc-ec206978affb
>
> Raw Audit Messages
> type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>
>
> type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1 a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
>
> Hash: bash,container_t,user_home_t,file,read

Note that any complaints about "/usr/lib/libreadline.so.8.2" having wrong labels are presumably bogus, given that this file exists within the container.

(4) After the described failure, I tried

  restorecon -FvvR ~/.local/share/containers
  restorecon -FvvR ~/x

This relabels a big bunch of files, but then the same "podman" command fails the same way. The new AVC is effectively identical to the previous one; here's the diff between the "sealert -a" outputs:

> @@ -24,7 +24,7 @@
>  
>  
>  Additional Information:
> -Source Context                system_u:system_r:container_t:s0:c62,c364
> +Source Context                system_u:system_r:container_t:s0:c436,c873
>  Target Context                unconfined_u:object_r:user_home_t:s0
>  Target Objects                /usr/lib/libreadline.so.8.2 [ file ]
>  Source                        bash
> @@ -44,15 +44,15 @@
>                                PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
>                                x86_64
>  Alert Count                   1
> -First Seen                    2023-03-22 12:57:44 CET
> -Last Seen                     2023-03-22 12:57:44 CET
> -Local ID                      0db129a5-552f-49b2-b3bc-ec206978affb
> +First Seen                    2023-03-22 13:01:49 CET
> +Last Seen                     2023-03-22 13:01:49 CET
> +Local ID                      2771711b-e2af-4c92-840d-36573a4fb12a
>  
>  Raw Audit Messages
> -type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> +type=AVC msg=audit(1679486509.713:167): avc: denied { read } for pid=3168 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c436,c873 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>  
>  
> -type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1 a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
> +type=SYSCALL msg=audit(1679486509.713:167): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f6318db1000 a1=3000 a2=1 a3=562c3fdd6c80 items=0 ppid=3165 pid=3168 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c436,c873 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
>  
>  Hash: bash,container_t,user_home_t,file,read

(5) This is similar to bug 1969996 and bug 2019324, but the instructions
described there don't work here.
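The two AVC records quoted in the report differ only in PID, timestamp and MCS categories, which is why sealert's "Hash" line is the same for both. The following Python is an added example, not part of the bug report: it parses those records, splits the SELinux contexts into their fields, reproduces that five-field hash, and emits triage notes; the set of target types it treats as normally container-readable (CONTAINER_TYPES) is an assumption for illustration, not read from the installed policy.

```python
import re
# Constructed sample input: the two type=AVC records quoted in the report above.
AVC_LINES = [
    'type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 comm="bash" '
    'path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:'
    'container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1679486509.713:167): avc: denied { read } for pid=3168 comm="bash" '
    'path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:'
    'container_t:s0:c436,c873 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
]
# Assumed for illustration only: file types a container domain is normally expected to read.
CONTAINER_TYPES = frozenset({"container_file_t", "container_ro_file_t"})
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
_DECISION = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_avc(line):
    """Turn one type=AVC record into a dict; quoted values are unquoted."""
    m = _DECISION.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec["decision"], rec["perms"] = m.group(1), m.group(2).split()
    return rec


def split_context(ctx):
    """user:role:type:sensitivity[:categories] -> dict; MCS categories become a list."""
    user, role, typ, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": typ, "sensitivity": sens,
            "categories": cats.split(",") if cats else []}


def signature(rec):
    """The 5-tuple sealert prints as 'Hash': it ignores pid, timestamp and MCS categories."""
    return (rec["comm"], split_context(rec["scontext"])["type"],
            split_context(rec["tcontext"])["type"], rec["tclass"], ",".join(rec["perms"]))


def triage(rec):
    """Plain-language notes on what the record means for a podman user."""
    src, tgt = split_context(rec["scontext"]), split_context(rec["tcontext"])
    notes = []
    if rec.get("permissive") == "1":
        notes.append("permissive=1: access was allowed and only logged; enforcing mode blocks it")
    if src["type"] == "container_t" and tgt["type"] not in CONTAINER_TYPES:
        notes.append("container_t read %s labelled %s, not a container type: the host file "
                     "backing it needs relabelling" % (rec["path"], tgt["type"]))
    if src["categories"]:
        notes.append("MCS categories %s are allocated per container run, so they differ "
                     "between otherwise identical denials" % ",".join(src["categories"]))
    return notes
```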
Resolution: Not a Bug