containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

container-selinux still preventing socket creation #2888

Closed thoraxe closed 5 years ago

thoraxe commented 5 years ago

/kind bug

Description When running a container with supervisord, SELinux prevents socket creation.

Steps to reproduce the issue:

  1. podman run -it --rm -e OC_VERSION=4.0 -p 10081:10081 -p 10080:10080 quay.io/openshiftlabs/workshop-terminal:2.6.2

Describe the results you received:

type=AVC msg=audit(1554902629.437:1830): avc: denied { create } for pid=14464 comm="supervisord" name="supervisor.sock.1" scontext=system_u:system_r:container_t:s0:c281,c1019 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=0

Describe the results you expected: Container should run.

Additional information you deem important (e.g. issue happens only occasionally): https://gist.github.com/thoraxe/43026e3cca41f0ee30fe25bf3028e4bc

container-selinux-2.94-1.git1e99f1d.fc29.noarch

Output of podman version:

Version:            1.1.2
RemoteAPI Version:  1
Go Version:         go1.11.5
Git Commit:         a95a49d3038462d033f84ac314ec8a3064a99cff
Built:              Tue Mar  5 13:10:31 2019
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: a95a49d3038462d033f84ac314ec8a3064a99cff
  go version: go1.11.5
  podman version: 1.1.2
host:
  BuildahVersion: 1.7.1
  Conmon:
    package: podman-1.1.2-1.git0ad9b6b.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: a95a49d3038462d033f84ac314ec8a3064a99cff'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 784580608
  MemTotal: 20434522112
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 16912740352
  SwapTotal: 17181962240
  arch: amd64
  cpus: 4
  hostname: t460.festive.local
  kernel: 4.20.16-200.fc29.x86_64
  os: linux
  rootless: true
  uptime: 112h 59m 42.1s (Approximately 4.67 days)
insecure registries:
  registries:
  - 172.30.0.0/16
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
store:
  ConfigFile: /home/thoraxe/.config/containers/storage.conf
  ContainerStore:
    number: 3
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/thoraxe/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 16
  RunRoot: /run/user/1000
  VolumePath: /home/thoraxe/.local/share/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.): F29 on a Lenovo T460s

mheon commented 5 years ago

@rhatdan PTAL

rhatdan commented 5 years ago

audit2allow -i /tmp/t

============= container_t ==============

!!!! This avc is allowed in the current policy

allow container_t fusefs_t:sock_file create;

[dwalsh@localhost 2019]$ rpm -q container-selinux
container-selinux-2.95-1.gite3ebc68.fc30.noarch

Please yum -y update --enablerepo updates-testing container-selinux

If this solves your issue, please give good karma. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e36ddd5a5
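Added example (not code from the issue or the podman project): a small parser for AVC records like the one reported above that derives the allow rule audit2allow would propose, and the sesearch (setools) query that checks whether the installed container-selinux policy already grants it. The AVC line is the one from the report, embedded here as constructed sample input; everything else is assumed.

```python
import re
import shlex

# Constructed sample: the AVC record from the issue report, unchanged.
SAMPLE_AVC = (
    'type=AVC msg=audit(1554902629.437:1830): avc: denied { create } for pid=14464 '
    'comm="supervisord" name="supervisor.sock.1" '
    'scontext=system_u:system_r:container_t:s0:c281,c1019 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return result, permissions, source/target types, object class and
    permissive flag from an AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    perm_m = re.search(r'\bpermissive=(\d)', line)
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'stype': stype,
        'ttype': ttype,
        'tclass': m.group('tclass'),
        # permissive=1 means the access was logged but not actually blocked.
        'permissive': bool(perm_m and perm_m.group(1) == '1'),
    }

def allow_rule(avc):
    """The allow rule audit2allow would propose for this denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"

def sesearch_command(avc):
    """Argument vector for sesearch that lists matching allow rules in the
    loaded policy; empty output means the installed policy lacks the rule."""
    return ['sesearch', '-A', '-s', avc['stype'], '-t', avc['ttype'],
            '-c', avc['tclass'], '-p', ','.join(avc['perms'])]

if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(allow_rule(avc))
    print(shlex.join(sesearch_command(avc)))
```

Running the printed sesearch command on the host (with the setools package installed) distinguishes a policy that is simply too old, as in this report, from a denial that genuinely needs a local module.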

thoraxe commented 5 years ago

@rhatdan works.