v3.2: AVC with volumes

[edsantiago]

Test 030-run.bats:podman run - check workdir is failing in podman-3.2.0-0.2.rc3.fc34 under podman and podman-remote, root and rootless. It's an AVC. I don't know why CI didn't catch it.

$ mkdir /tmp/mypodman
$ echo hi >/tmp/mypodman/file
$ ./bin/podman run --rm -v /tmp/mypodman:/mypodman alpine cat /mypodman/file
cat: can't open '/mypodman/file': Permission denied

AVC is:

type=AVC msg=audit(1622571374.261:211727): avc:  denied  { open } for  pid=2099144 comm="cat" path="/mypodman/file" dev="tmpfs" ino=1491929 scontext=system_u:system_r:container_t:s0:c380,c660 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

Easily reproduced on master @ cbffddd

container-selinux-2.162.1-3.fc34.noarch and also -2.162.2-1.fc34

[mheon]

@rhatdan PTAL

[edsantiago]

It works with :Z, as expected. This is a regression, because it's causing the following test to fail:

podman/test/system/030-run.bats

Lines 602 to 604 in cbffddd

	# Workdir does not exist on the image but is volume mounted.
	run_podman run --rm --workdir /IamNotOnTheImage -v $testdir:/IamNotOnTheImage $IMAGE cat content
	is "$output" "$randomcontent" "cat random content"

That test dates to 2021-01-21. I don't know why the test doesn't use :Z or why it ever worked without it. Perhaps something special about --workdir?

[edsantiago]

This is also manifesting in a lot of the 500-networking.bats tests, which use -v (without :Z) to mount a file for the http server to serve.

[edsantiago]

Problem is selinux-policy-34.9-1.fc34. Everything works fine with 34.8-1.fc34.

Although this is not podman's fault, it's something we will need to deal with.

[rhatdan]

This definitely looks like a valid error, and I have no idea why this worked in the past. We should definitely not allow users to mount random content into SELinux containers and have it work. Might be that the test systems previously did not have SELinux enabled, or had this /tmp/mypodman labeled correctly. I don't see this as a bug in podman, but with an error in the test.

[edsantiago]

Some of these tests have exists and worked since 2020-01-16 (over a year). They worked until now, and broke with selinux-policy-34.9. I don't know why they worked or why they broke now. I'm just saying that we have a problem.

Adding :Z to tests may be a good thing to do moving forward; but if the new selinux-policy is the desired one, and if it will propagate to other Fedoras/RHEL, we will need to scramble to fix all podman tests, in all active branches, including RHEL ones (if this policy will push to RHEL). Otherwise, gating tests will fail.

[rhatdan]

I think we fixed a security bug where podman containers were able to read user_tmp_t, so I think this is a good breakage, and we should fix the tests.

[rhatdan]

sesearch -A -s container_t -t user_tmp_t -c file -p read
allow domain tmpfile:file { append getattr ioctl lock read };

Perhaps the older version had open access, which would be a bug.

[rhatdan]

rpm -q --changelog selinux-policy

• Thu May 27 2021 Zdenek Pytela [email protected] - 34.9-1

• Add kerberos object filetrans for nsswitchdomain
• Allow fail2ban watch various log files
• Add logging_watch_audit_log_files() and logging_watch_audit_log_dirs()
• Remove further modules recently removed from refpolicy
• Remove modules not shipped and not present in refpolicy
  - Revert "Add permission open to files_read_inherited_tmp_files() interface"
• Revert "Allow pcp_pmlogger_t to use setrlimit BZ(1708951)"
• Revert "Dontaudit logrotate to setrlimit itself. rhbz#1309604"
• Revert "Allow cockpit_ws_t domain to set limits BZ(1701703)"
• Dontaudit setrlimit for domains that exec systemctl
• Allow kdump_t net_admin capability
• Allow nsswitch_domain read init pid lnk_files
• Label /dev/trng with random_device_t
• Label /run/systemd/default-hostname with hostname_etc_t
• Add default file context specification for dnf log files
• Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
• Label /dev/udmabuf character device with dma_device_t
• Label /dev/dma_heap/* char devices with dma_device_t
• Label /dev/acpi_thermal_rel char device with acpi_device_t