containers / container-selinux

SELinux policy files for Container Runtimes
GNU General Public License v2.0

"transition" denied on entrypoint with podman 1.0 #61

Closed cjeanner closed 5 years ago

cjeanner commented 5 years ago

Hello,

We're currently testing podman 1.0, and hit the following issue:

type=AVC msg=audit(1547545930.107:1449): avc:  denied  { transition } for  pid=69772 comm="runc:[2:INIT]" path="/usr/local/bin/dumb-init" dev="vda1" ino=2232295 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c12,c116 tclass=process permissive=0

Some details: this dumb-init is embedded in the container (meaning, no volume involved). It has the following flags:

-rwxr-xr-x. root root system_u:object_r:container_file_t:s0:c724,c908 /usr/local/bin/dumb-init

And if we pass this AVC into audit2allow, we get the following output:

#============= unconfined_service_t ==============

#!!!! The file '/usr/local/bin/dumb-init' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /usr/local/bin/dumb-init
allow unconfined_service_t container_t:process transition;

We didn't get this issue with previous podman versions.

Any hint on what to do? I don't know this "transition" being denied, sooo.. any help would be nice :).

Thanks!

C.
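For anyone triaging a denial like the one above, the useful first step is to pull the fields apart mechanically rather than by eye: source type, target type, object class, requested permissions, and whether the system was actually enforcing. The following is an added example written for this page, not code from the issue or from container-selinux; it parses `type=AVC` records in the format quoted above, splits the security contexts into their user/role/type/MLS parts, and renders the same `allow` line that `audit2allow` printed. The first sample record is the one from this issue; the second (a `read write` denial on a file) is constructed to show a multi-permission case.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit log. Record 1 is the AVC quoted in this issue;
# record 2 is a made-up file denial used to exercise the multi-permission path.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1547545930.107:1449): avc:  denied  { transition } for  pid=69772 comm="runc:[2:INIT]" path="/usr/local/bin/dumb-init" dev="vda1" ino=2232295 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c12,c116 tclass=process permissive=0
type=SYSCALL msg=audit(1547545930.107:1449): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1547545999.001:1450): avc:  denied  { read write } for  pid=70001 comm="sh" path="/var/lib/containers/storage/overlay/abc/merged/etc/passwd" dev="vda1" ino=9999 scontext=system_u:system_r:container_t:s0:c12,c116 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then key=value pairs.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces/colons) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def split_context(ctx: str) -> Dict[str, str]:
    """Split 'user:role:type:mls' into parts; MLS may itself contain ':' (s0:c12,c116)."""
    user, role, type_, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "mls": mls}


def parse_avc(line: str) -> Optional[Dict]:
    """Parse a single type=AVC line; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "fields": fields,
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the denial was actually enforced.
        "enforced": fields.get("permissive") == "0",
    }


def parse_audit_log(text: str) -> List[Dict]:
    """Return all parsed AVC records from a block of audit.log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def to_allow_rule(rec: Dict) -> str:
    """Render the rule audit2allow would print for this record (braces only for several perms)."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['scontext']['type']} {rec['tcontext']['type']}:{rec['tclass']} {perm_str};"


def enforcing_denials(text: str) -> List[Dict]:
    """Denials that actually blocked something, i.e. verdict=denied and permissive=0."""
    return [r for r in parse_audit_log(text) if r["verdict"] == "denied" and r["enforced"]]


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        state = "ENFORCED" if rec["enforced"] else "permissive"
        print(f"{rec['serial']} [{state}] {rec['fields'].get('comm')} on "
              f"{rec['fields'].get('path')}: {to_allow_rule(rec)}")
```

Reading the first record this way makes the denial concrete: a process running as `unconfined_service_t` (runc) was refused a domain `transition` into `container_t` when executing the entrypoint, and `permissive=0` confirms it was enforced. As the rest of the thread shows, the fix was a newer container-selinux package rather than the `allow` rule audit2allow suggests; the rendered rule is only useful for comparing against what the installed policy already grants.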

rhatdan commented 5 years ago

What policy are you testing this with?

$ cat > /tmp/t
type=AVC msg=audit(1547545930.107:1449): avc:  denied  { transition } for  pid=69772 comm="runc:[2:INIT]" path="/usr/local/bin/dumb-init" dev="vda1" ino=2232295 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c12,c116 tclass=process permissive=0
$ audit2allow  -i /tmp/t

#============= unconfined_service_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_service_t container_t:process transition;

$ rpm -q container-selinux
container-selinux-2.77-1.git2c57a17.fc29.noarch

EmilienM commented 5 years ago

@rhatdan we are testing with container-selinux-2.73-3.el8+1838+91f7e486.noarch; we'll try again with container-selinux-2.77-1.git2c57a17.fc29.noarch.

EmilienM commented 5 years ago

Worked with container-selinux-2.77-1.git2c57a17.fc29.noarch.

cjeanner commented 5 years ago

Closing this issue since it was due to an old package. Thanks!