Closed varad-ahirwadkar closed 1 year ago
/cc @Prajyot-Parab @yussufsh
@varad-ahirwadkar have you tested this change with RHEL 8? Also, if this is a limitation with RHEL 9, is there any doc reference to take a look at?
Yes, it is working with RHEL 8. With RHEL 9, crun is not working, so I updated to RHEL 9.1.
I did not find any doc with this limitation, but SELinux prevents access for all unprivileged containers in enforcing mode. With a privileged container or SELinux in permissive mode, I am able to create containers.
local-registry container:
# sealert -l 606b9df0-ae7b-4f5e-b05f-52ccc1e31ba1
SELinux is preventing /bin/registry from create access on the tcp_socket port None.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that registry should be allowed create access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'registry' --raw | audit2allow -M my-registry
# semodule -X 300 -i my-registry.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c114,c681
Target Context system_u:system_r:container_t:s0:c114,c681
Target Objects port None [ tcp_socket ]
Source registry
Source Path /bin/registry
Port <Unknown>
Host ocp4alll633.pok.stglabs.ibm.com
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Local Policy RPM selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ocp4alll633.pok.stglabs.ibm.com
Platform Linux ocp4alll633.pok.stglabs.ibm.com
5.14.0-162.18.1.el9_1.ppc64le #1 SMP Thu Feb 9
04:10:54 EST 2023 ppc64le ppc64le
Alert Count 1
First Seen 2023-03-09 00:23:15 EST
Last Seen 2023-03-09 00:23:15 EST
Local ID 606b9df0-ae7b-4f5e-b05f-52ccc1e31ba1
Raw Audit Messages
type=AVC msg=audit(1678339395.455:1435): avc: denied { create } for pid=19957 comm="registry" scontext=system_u:system_r:container_t:s0:c114,c681 tcontext=system_u:system_r:container_t:s0:c114,c681 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1678339395.455:1435): arch=ppc64le syscall=socket success=no exit=EACCES a0=2 a1=80801 a2=0 a3=0 items=0 ppid=19955 pid=19957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm=registry exe=/bin/registry subj=system_u:system_r:container_t:s0:c114,c681 key=(null)
Hash: registry,container_t,container_t,tcp_socket,create
nginx container:
SELinux is preventing /usr/sbin/nginx from using the chown capability.
busybox with echo:
SELinux is preventing /bin/echo from 'read, write' accesses on the chr_file /dev/pts/0.
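The three denials above are the kind of input `ausearch --raw | audit2allow -M` turns into allow rules, and `audit2allow` does so for every record it is fed, without distinguishing a domain blocked from an operation on its own type (the `container_t` to `container_t` tcp_socket create) from a cross-domain access that a generated rule would open for the whole type pair. The script below is an added example, not part of this PR or the project: it parses raw AVC records, pairs each with its SYSCALL record by audit serial to recover the executable, rebuilds the five fields of sealert's `Hash:` line, and prints the `allow` rule a blanket policy module would contain so it can be reviewed before `semodule -i`. The registry AVC and SYSCALL lines are the ones from the report above; the nginx and echo records are constructed to match the one-line summaries, and their pids, inodes and timestamps are invented.

```python
import re
import sys

# Constructed sample audit log. The first two records are the raw messages from
# the sealert report above; the nginx and echo records are made up here to match
# the one-line summaries on the page (pids, serials and inode values invented).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1678339395.455:1435): avc: denied { create } for pid=19957 comm="registry" scontext=system_u:system_r:container_t:s0:c114,c681 tcontext=system_u:system_r:container_t:s0:c114,c681 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1678339395.455:1435): arch=ppc64le syscall=socket success=no exit=EACCES a0=2 a1=80801 a2=0 a3=0 items=0 ppid=19955 pid=19957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm=registry exe=/bin/registry subj=system_u:system_r:container_t:s0:c114,c681 key=(null)
type=AVC msg=audit(1678339401.101:1440): avc: denied { chown } for pid=20101 comm="nginx" capability=0 scontext=system_u:system_r:container_t:s0:c114,c681 tcontext=system_u:system_r:container_t:s0:c114,c681 tclass=capability permissive=0
type=SYSCALL msg=audit(1678339401.101:1440): arch=ppc64le syscall=fchown success=no exit=EACCES comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:container_t:s0:c114,c681 key=(null)
type=AVC msg=audit(1678339410.202:1447): avc: denied { read write } for pid=20222 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c114,c681 tcontext=system_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
"""

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Type component of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_kv(text):
    """key=value fields of an audit record, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Parse AVC records; attach exe/syscall from the SYSCALL record sharing the audit serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        serial = (m["ts"], m["serial"])
        if m["type"] == "SYSCALL":
            syscalls[serial] = parse_kv(m["body"])
        elif m["type"] == "AVC":
            a = AVC_RE.search(m["body"])
            if not a:
                continue
            rec = parse_kv(a["fields"])
            rec.update(serial=serial, result=a["result"], perms=a["perms"].split(),
                       stype=selinux_type(rec["scontext"]), ttype=selinux_type(rec["tcontext"]))
            avcs.append(rec)
    for rec in avcs:  # SYSCALL normally follows its AVC, so pair after the full pass
        sc = syscalls.get(rec["serial"], {})
        rec["exe"] = sc.get("exe")
        rec["syscall"] = sc.get("syscall")
    return avcs


def sealert_keys(rec):
    """One comm,stype,ttype,tclass,perm key per denied permission (sealert's Hash fields)."""
    return [f'{rec["comm"]},{rec["stype"]},{rec["ttype"]},{rec["tclass"]},{p}' for p in rec["perms"]]


def triage(avcs):
    """Group denials by key, classify self vs cross-domain, and show the TE rule a module would need."""
    out = {}
    for rec in avcs:
        if rec["result"] != "denied":
            continue
        self_access = rec["stype"] == rec["ttype"]
        target = "self" if self_access else rec["ttype"]  # "self" is how TE spells stype == ttype
        for perm, key in zip(rec["perms"], sealert_keys(rec)):
            entry = out.setdefault(key, {"count": 0, "exe": rec["exe"], "syscall": rec["syscall"],
                                         "kind": "self" if self_access else "cross-domain",
                                         "rule": f'allow {rec["stype"]} {target}:{rec["tclass"]} {perm};'})
            entry["count"] += 1
    return out


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    for key, e in triage(parse_audit(text)).items():
        print(f'{e["count"]:3d} {e["kind"]:13s} {e["exe"] or "?":20s} {key}\n      would need: {e["rule"]}')
```

Run it with no input to see the sample, or feed it the same records the page's workaround uses: `ausearch -c 'registry' --raw | python3 avc_triage.py`. A `cross-domain` line such as the echo denial means the generated rule would let every `container_t` process read and write every `user_devpts_t` device, not just `/dev/pts/0`, which is the reason to read the rules before loading the module.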
@varad-ahirwadkar Running containers in privileged mode is not recommended in general. Did you explore any other workarounds?
Yes, the other workaround is to set the SELinux mode to permissive.
I am closing this PR because the issue is not seen on RHEL 9.2.
For RHEL 9, SELinux prevents access when running the local-registry container in unprivileged mode.