osbuild / bootc-image-builder

A container for deploying bootable container images.
https://osbuild.org
Apache License 2.0

New selinux denial #645

Open mvo5 opened 2 weeks ago

mvo5 commented 2 weeks ago

During the "bib" build we have a new selinux denial that needs investigation.

So far we know:

type=AVC msg=audit(1726075609.598:896): avc:  denied  { nnp_transition nosuid_transition } for  pid=18439 comm="bootc" scontext=system_u:system_r:install_t:s0:c264,c849 tcontext=system_u:system_r:container_runtime_t:s0:c264,c849 tclass=process2 permissive=0

more logs from testing farm:

 Sep 05 19:27:18 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: mount/boot-efi (org.osbuild.fat): mounting /dev/loop0p2 -> /store/tmp/buildroot-tmp-do0ia1hw/mounts/boot/efi
E         Sep 05 19:27:19 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Mount transient overlayfs for /etc/containers
E         Sep 05 19:27:19 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Creating bind mount for run/osbuild/containers
E         Sep 05 19:27:19 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Host kernel does not have SELinux support, but target enables it by default; this is less well tested.  See https://github.com/containers/bootc/issues/419
E         Sep 05 19:27:20 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Installing image: docker://quay.io/centos-bootc/centos-bootc:stream9
E         Sep 05 19:27:20 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Initializing ostree layout
E         Sep 05 19:27:20 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Initializing sysroot
E         Sep 05 19:27:20 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: ostree/deploy/default initialized as OSTree stateroot
E         Sep 05 19:27:20 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm audit[14665]: AVC avc:  denied  { nnp_transition nosuid_transition } for  pid=14665 comm="bootc" scontext=system_u:system_r:install_t:s0:c258,c744 tcontext=system_u:system_r:container_runtime_t:s0:c258,c744 tclass=process2 permissive=0
E         Sep 05 19:27:20 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c258,c744 newcontext=system_u:system_r:container_runtime_t:s0:c258,c744
E         Sep 05 19:27:21 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
E         Sep 05 19:27:21 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: layers already present: 0; layers needed: 66 (903.0 MB)
E         Sep 05 19:28:05 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Fetched layers: 861.16 MiB in 44 seconds (19.78 MiB/s)
E         Sep 05 19:28:38 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Deploying container image...done
E         Sep 05 19:28:39 51ef0fbb-0ee8-42ec-a7c2-b9bd14b3d37b.testing-farm naughty_mendel[13501]: Running bootupctl to install bootloader
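
The audit records above are the interesting part of this log: a denied process2 { nnp_transition nosuid_transition } check, followed by the kernel's fallback security_bounded_transition also failing. The following is an added example (not code from bootc-image-builder or from the reporter) that parses such AVC records, both raw audit.log form and the journal "audit[pid]: AVC avc: ..." form, and flags only the enforced domain-transition denials; the sample input is constructed from the records quoted in this issue plus one unrelated file denial.

```python
"""Parse SELinux AVC records and flag denied nnp/nosuid domain transitions."""
import re

# Constructed sample input: the two audit records quoted in the issue above
# plus one unrelated file denial, to show only process2 transitions are flagged.
SAMPLE_LOG = """\
type=AVC msg=audit(1726075609.598:896): avc:  denied  { nnp_transition nosuid_transition } for  pid=18439 comm="bootc" scontext=system_u:system_r:install_t:s0:c264,c849 tcontext=system_u:system_r:container_runtime_t:s0:c264,c849 tclass=process2 permissive=0
Sep 05 19:27:20 host audit[14665]: AVC avc:  denied  { nnp_transition nosuid_transition } for  pid=14665 comm="bootc" scontext=system_u:system_r:install_t:s0:c258,c744 tcontext=system_u:system_r:container_runtime_t:s0:c258,c744 tclass=process2 permissive=0
type=AVC msg=audit(1726075610.001:897): avc:  denied  { read } for  pid=1 comm="demo" name="x" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TRANSITION_PERMS = {"nnp_transition", "nosuid_transition"}

def parse_avc(line):
    """Parse a raw audit.log or journal ("audit[pid]: AVC avc: ...") line into a dict, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("rest")))
    return rec

def domain_type(context):
    """Extract the type field (e.g. install_t) from user:role:type:level."""
    return context.split(":")[2]

def is_bounded_transition_denial(rec):
    """True when an enforced exec into another domain was refused because the caller
    had no_new_privs set or ran from a nosuid mount (class process2). Policy must allow
    nnp_transition/nosuid_transition between the domains, or bound the new domain with
    typebounds, for the exec to succeed."""
    return (rec["result"] == "denied" and rec.get("tclass") == "process2"
            and bool(rec["perms"] & TRANSITION_PERMS) and rec.get("permissive") == "0")

def find_transition_denials(text):
    """Return (comm, source_type, target_type) for every flagged record in text."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and is_bounded_transition_denial(rec):
            hits.append((rec.get("comm"), domain_type(rec["scontext"]), domain_type(rec["tcontext"])))
    return hits

if __name__ == "__main__":
    for comm, src, tgt in find_transition_denials(SAMPLE_LOG):
        print(f"{comm}: transition {src} -> {tgt} refused (nnp/nosuid transition not allowed)")
```

Running it over a real journal (`journalctl -o cat | python3 script.py` style input) gives a quick triage list of which source/target domain pairs the host policy is missing an nnp/nosuid transition rule for.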
cgwalters commented 2 weeks ago

Also looks like potential fallout from https://github.com/containers/bootc/commit/0527ca96202633625f79dfe06277b96cfb522000 (xref https://github.com/osbuild/bootc-image-builder/issues/639#issuecomment-2338273655 )

Although, I'm not seeing this here. I guess the mainly relevant thing becomes the version of the host system doing the install - commonly I'm testing with podman-machine, whose host is f40.

But yes, I think this is one we need to get the selinux maintainers to allow. Can you get the version of the host system selinux policy here and then we can file a bug?