grafana / loki

Like Prometheus, but for logs.
https://grafana.com/loki
GNU Affero General Public License v3.0

Rootless SELinux errors #11382

Open Voidthe opened 12 months ago

Voidthe commented 12 months ago

Describe the bug
When attempting to sh into the container you will get an SELinux error. If you setenforce 0 then this issue is not present and the container will start regularly.

To Reproduce
Steps to reproduce the behavior:

  1. Run podman unshare chown on the mounted volume
  2. Start Loki with volume mounted and entrypoint set to sh
  3. Receive errors

Expected behavior
Get a shell inside the container

Environment:

Screenshots, Promtail config, or terminal output

Podman command:

/usr/bin/podman run --replace -it --entrypoint sh --name loki --publish 3020:3100 --volume /var/lib/containers/svc_podman/loki/config/:/etc/loki/:z,rw --env config.file=/etc/loki/local-config.yml --env log-config-reverse-order=true --env config.expand-env=true docker.io/grafana/loki:main

Result:

Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: No error information
Error relocating /bin/sh: RELRO protection failed: No error information

SELinux Error:

If you want to fix the label. 
/bin/busybox default label should be ld_so_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /bin/busybox

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that busybox should be allowed read access on the busybox file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c87,c972
Target Context                unconfined_u:object_r:container_var_lib_t:s0
Target Objects                /bin/busybox [ file ]
Source                        sh
Source Path                   /bin/busybox
Port                          <Unknown>
Host                          snipodm01.infrdev.spicy.cloud
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-128.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-128.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     snipodm01.infrdev.spicy.cloud
Platform                      Linux snipodm01.infrdev.spicy.cloud
                              4.18.0-513.9.1.el8_9.x86_64 #1 SMP Thu Nov 16
                              10:29:04 EST 2023 x86_64 x86_64
Alert Count                   2
First Seen                    2023-12-04 20:39:58 UTC
Last Seen                     2023-12-04 20:39:58 UTC
Local ID                      bb6f718b-34f2-42ef-b3cb-a0a035194912

Raw Audit Messages
type=AVC msg=audit(1701722398.484:4573): avc:  denied  { read } for  pid=23540 comm="sh" path="/bin/busybox" dev="dm-0" ino=33554574 scontext=system_u:system_r:container_t:s0:c87,c972 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1701722398.484:4573): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=555f2d7f0000 a1=4000 a2=1 a3=7f32375ff940 items=0 ppid=23530 pid=23540 auid=1000 uid=175536 gid=175536 euid=175536 suid=175536 fsuid=175536 egid=175536 sgid=175536 fsgid=175536 tty=pts0 ses=7 comm=sh exe=/bin/busybox subj=system_u:system_r:container_t:s0:c87,c972 key=(null)

Hash: sh,container_t,container_var_lib_t,file,read

Voidthe commented 12 months ago

Upon review, it was because I forgot to run podman system reset.

brixzen commented 1 month ago

Hi @Voidthe, I have the same problem; it was solved only when adding --privileged when creating the container. The podman command will be like this:

podman run --replace --privileged -it --entrypoint sh --name loki --publish 3020:3100 --volume /var/lib/containers/svc_podman/loki/config/:/etc/loki/:z,rw --env config.file=/etc/loki/local-config.yml --env log-config-reverse-order=true --env config.expand-env=true docker.io/grafana/loki:main
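Two ways of making the denial go away appear on this page: the audit2allow module that setroubleshoot suggests in the report, and the --privileged flag in the comment above. Both remove the error by widening access instead of correcting the label. audit2allow fed the AVC from the report emits a rule of the form allow container_t container_var_lib_t:file read, which lets every container_t process on the host read every container_var_lib_t file, and podman run --privileged disables SELinux separation for that container altogether (the process runs as spc_t). The AVC itself names the actual cause: the process is container_t, but the file it is denied on, the image's /bin/busybox (dev dm-0, inode 33554574, i.e. an overlay layer file under the storage root, not the host's own /bin/busybox that setroubleshoot's restorecon line points at), carries container_var_lib_t, the generic label for /var/lib/containers, rather than the container_ro_file_t that image layers get under the default storage tree. The script below is an added example written for this page, not code from the issue, from Loki or from Podman. It parses raw AVC records (the first is copied from the report, the other two are constructed to cover the two other common rootless Podman denials), classifies each and prints the labelling fix a practitioner would review and run as root. GRAPHROOT is an assumption; the issue does not say where this rootless user's storage lives, so substitute the value of podman info --format '{{.Store.GraphRoot}}' on the affected host.

```shell
#!/bin/sh
# Added example for this issue page; not code from the issue, Loki or Podman.
# Triage container AVC denials and print a label-based fix instead of the
# audit2allow module or --privileged. Needs only POSIX sh plus sed/tr/cut.

# ASSUMPTION: the rootless storage root. The issue does not state it; use
# `podman info --format '{{.Store.GraphRoot}}'` on the affected host.
GRAPHROOT=/var/lib/containers/svc_podman/storage

# Raw AVC record copied from the report (the denial on the image's /bin/busybox).
AVC_FROM_REPORT='type=AVC msg=audit(1701722398.484:4573): avc:  denied  { read } for  pid=23540 comm="sh" path="/bin/busybox" dev="dm-0" ino=33554574 scontext=system_u:system_r:container_t:s0:c87,c972 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=0'
# Constructed records for the two other common rootless-Podman denials.
AVC_MCS='type=AVC msg=audit(1701722400.000:4580): avc:  denied  { write } for  pid=23600 comm="loki" name="wal" dev="dm-0" ino=40000001 scontext=system_u:system_r:container_t:s0:c87,c972 tcontext=system_u:object_r:container_file_t:s0:c12,c345 tclass=dir permissive=0'
AVC_HOSTLABEL='type=AVC msg=audit(1701722401.000:4581): avc:  denied  { read } for  pid=23600 comm="loki" name="local-config.yml" dev="dm-0" ino=40000002 scontext=system_u:system_r:container_t:s0:c87,c972 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: the value of KEY=VALUE in a raw AVC record, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms LINE: the denied permissions between the braces, e.g. "read".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# ctx_type / ctx_level: the type and the MCS part of a user:role:type:level label.
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# classify_avc LINE: one of
#   mislabeled-storage     storage tree carries the generic /var/lib/containers label
#   mcs-category-mismatch  container_file_t with another container's categories (:Z mount)
#   host-label-on-mount    bind mount kept its host label (no :z/:Z on --volume)
#   other                  not a labelling problem this script knows about
classify_avc() {
  _s=$(avc_field "$1" scontext); _t=$(avc_field "$1" tcontext)
  [ "$(ctx_type "$_s")" = container_t ] || { printf 'other\n'; return; }
  _tt=$(ctx_type "$_t")
  if [ "$_tt" = container_var_lib_t ]; then
    printf 'mislabeled-storage\n'
  elif [ "$_tt" = container_file_t ]; then
    _tl=$(ctx_level "$_t"); _sl=$(ctx_level "$_s")
    case "$_tl" in
      *:c*) if [ "$_tl" = "$_sl" ]; then printf 'other\n'; else printf 'mcs-category-mismatch\n'; fi ;;
      *)    printf 'other\n' ;;   # plain s0 is the shared (:z) label, readable by every container
    esac
  else
    case "$_tt" in
      container_*) printf 'other\n' ;;
      *)           printf 'host-label-on-mount\n' ;;
    esac
  fi
}

# suggest_fix KIND GRAPHROOT: print (never run) the root commands to review.
suggest_fix() {
  case "$1" in
    mislabeled-storage)
      printf '%s\n' \
        "# $2 only matches the /var/lib/containers(/.*)? rule; map it to the default" \
        "# storage tree so overlay layers get container_ro_file_t, then relabel:" \
        "semanage fcontext -a -e /var/lib/containers/storage $2" \
        "restorecon -R -v $2" ;;
    mcs-category-mismatch)
      printf '%s\n' \
        "# the files carry another container's categories (a :Z mount); share them with :z," \
        "# or start this container with --security-opt label=level:<level shown on the files>" ;;
    host-label-on-mount)
      printf '%s\n' "# add :z (shared) or :Z (private) to the --volume flag for this path" ;;
    *)
      printf '%s\n' "# not a labelling issue; read the full record: ausearch -m AVC -ts recent" ;;
  esac
}

# Demonstration over the three records above.
for avc in "$AVC_FROM_REPORT" "$AVC_MCS" "$AVC_HOSTLABEL"; do
  kind=$(classify_avc "$avc")
  printf '%s: %s denied { %s } on %s %s -> %s\n' "$(avc_field "$avc" comm)" \
    "$(ctx_type "$(avc_field "$avc" scontext)")" "$(avc_perms "$avc")" \
    "$(avc_field "$avc" tclass)" "$(ctx_type "$(avc_field "$avc" tcontext)")" "$kind"
  suggest_fix "$kind" "$GRAPHROOT"
done
```

Feed it live records with ausearch -m AVC --raw (the report's own ausearch -c 'sh' --raw works too) and compare the proposed labels with ls -Z on the storage root. After the equivalence rule and restorecon the denial is gone with SELinux still enforcing and the container still confined as container_t, which is what setenforce 0, the audit2allow module and --privileged do not give you.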