On 3/22/23 12:45, Laszlo Ersek wrote:
> On 3/22/23 12:42, Daniel P. Berrangé wrote:
>> On Wed, Mar 22, 2023 at 12:13:49PM +0100, Laszlo Ersek wrote:
>>> On 3/22/23 11:42, Laszlo Ersek wrote:
>>>
>>>> Now the "podman build -f ci/containers/alpine-edge.Dockerfile -t
>>>> libnbd-alpine-edge" command is failing with a different error
>>>> message -- the download completes, but the internal relinking etc
>>>> fails due to permission errors, which I don't understand. I've
>>>> asked Martin for comments.
>>>>
>>>> Meanwhile, your other email (= just download the prebuilt container
>>>> from gitlab) could help!
>>>
>>> Unfortunately, I got the same failure:
>>>
>>> podman run -it --rm --userns=keep-id -v .:/repo:z -w /repo \
>>>   registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest \
>>>   bash
>>>
>>>> Trying to pull registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest...
>>>> Getting image source signatures
>>>> Copying blob 88ecf269dec3 done
>>>> Copying blob 0ded2f83af0e done
>>>> Copying config a3b4bffb18 done
>>>> Writing manifest to image destination
>>>> Storing signatures
>>>> Error relocating /usr/lib/libreadline.so.8: RELRO protection failed: Permission denied
>>>> Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
>>>> Error relocating /usr/lib/libncursesw.so.6: RELRO protection failed: Permission denied
>>>> Error relocating /bin/bash: RELRO protection failed: Permission denied
>>
>> This looks relevant:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=2019324
>>
>> and suggests
>>
>> restorecon -R ~/.local/share/containers/storage/overlay*
>
> Yes, I've tried that (via some other links); it does not help. (In the
> first place, I started with a nonexistent ~/.local/share/containers
> directory, so I'm unsure why I'm responsible for setting the labels on
> new contents... but anyway, I tried it and it does not help.) I'll
> check with setenforce 0 next...

This seems to be a RHEL-9.1 SELinux bug alright. The system is an
up-to-date RHEL-9.1 install.
(1) I removed the ~/.local/share/containers directory recursively, set
SELinux to Permissive mode, and repeated the above podman command. The
container was entered alright, and one AVC was logged. Sealert said:
SELinux is preventing /bin/bash from read access on the file
/usr/lib/libreadline.so.8.2.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/usr/lib/libreadline.so.8.2 default label should be lib_t.
Then you can run restorecon. The access attempt may have been stopped
due to insufficient permissions to access a parent directory in which
case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/lib/libreadline.so.8.2
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that bash should be allowed read access on the
libreadline.so.8.2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bash' --raw | audit2allow -M my-bash
# semodule -X 300 -i my-bash.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c62,c364
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /usr/lib/libreadline.so.8.2 [ file ]
Source bash
Source Path /bin/bash
Port <Unknown>
Host <Unknown>
Source RPM Packages bash-5.1.8-6.el9_1.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Local Policy RPM selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name
lacos-laptop-9.usersys.redhat.com
Platform Linux
lacos-laptop-9.usersys.redhat.com
5.14.0-162.18.1.el9_1.x86_64 #1 SMP
PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
x86_64
Alert Count 1
First Seen 2023-03-22 12:57:44 CET
Last Seen 2023-03-22 12:57:44 CET
Local ID 0db129a5-552f-49b2-b3bc-ec206978affb
Raw Audit Messages
type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1 a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
Hash: bash,container_t,user_home_t,file,read
Any comments about "/usr/lib/libreadline.so.8.2" having a bad label are
bogus; that file exists within the container image!
(2) I ran "restorecon -FvvR ~/.local/share/containers/", and it
relabeled a whole bunch of files. Then I repeated the same podman
command. The container was entered again, but an effectively identical
AVC was logged again. It's easier to show the diff:
@@ -1,5 +1,5 @@
-found 1 alerts in /home/lacos/tmp/1
+found 1 alerts in /home/lacos/tmp/2
--------------------------------------------------------------------------------
SELinux is preventing /bin/bash from read access on the file
/usr/lib/libreadline.so.8.2.
@@ -24,7 +24,7 @@
Additional Information:
-Source Context system_u:system_r:container_t:s0:c62,c364
+Source Context system_u:system_r:container_t:s0:c436,c873
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /usr/lib/libreadline.so.8.2 [ file ]
Source bash
@@ -44,15 +44,15 @@
PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
x86_64
Alert Count 1
-First Seen 2023-03-22 12:57:44 CET
-Last Seen 2023-03-22 12:57:44 CET
-Local ID 0db129a5-552f-49b2-b3bc-ec206978affb
+First Seen 2023-03-22 13:01:49 CET
+Last Seen 2023-03-22 13:01:49 CET
+Local ID 2771711b-e2af-4c92-840d-36573a4fb12a
Raw Audit Messages
-type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752
comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3"
ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1679486509.713:167): avc: denied { read } for pid=3168
comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3"
ino=2907654 scontext=system_u:system_r:container_t:s0:c436,c873
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
-type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes
exit=0 a0=7f761e694000 a1=3000 a2=1 a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000
uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0
ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c62,c364
key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos
SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
+type=SYSCALL msg=audit(1679486509.713:167): arch=x86_64 syscall=mprotect success=yes
exit=0 a0=7f6318db1000 a1=3000 a2=1 a3=562c3fdd6c80 items=0 ppid=3165 pid=3168 auid=1000
uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0
ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c436,c873
key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos
SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
Hash: bash,container_t,user_home_t,file,read
Laszlo
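As an added example (not code from the thread, nor from libnbd, podman or setroubleshoot), the following Python script parses raw audit records of the kind quoted above, pairs each AVC with the SYSCALL record sharing its audit serial, and flags the pattern described in the thread: a container domain denied "read" on a file inside the image layers whose label is user_home_t rather than a container content type, raised from the dynamic loader's RELRO mprotect. The set of container content labels it treats as expected, the enforcing-mode record and the control record in the sample input are assumptions added for the example; only the two permissive-mode pairs are taken from the thread.

```python
"""Triage SELinux AVC denials from a rootless container (added example).
Pairs each AVC record with the SYSCALL record sharing its audit serial and
flags a container domain denied access to a file that carries a non-container
label (user_home_t in the thread) instead of a container content label."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((?P<serial>\d+\.\d+:\d+)\)")
# Labels container_t may read as image/volume content. Assumed from the
# container-selinux policy; the thread itself does not name them.
CONTAINER_CONTENT_TYPES = {"container_file_t", "container_ro_file_t"}


@dataclass
class Denial:
    serial: str
    perms: List[str]
    comm: str
    path: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    syscall: Optional[str] = None   # from the paired SYSCALL record
    success: Optional[bool] = None  # did that syscall still succeed?


def _type(ctx: str) -> str:
    return ctx.split(":")[2]  # type field of a user:role:type[:level] context


def parse_records(lines: List[str]) -> List[Denial]:
    """Collect AVC denials and attach the SYSCALL record with the same serial."""
    denials: Dict[str, Denial] = {}
    syscalls: Dict[str, Dict[str, str]] = {}
    for raw in lines:
        m = SERIAL_RE.search(raw)
        if m is None:
            continue
        serial = m.group("serial")
        f = {k: v.strip('"') for k, v in KV_RE.findall(raw)}
        if f.get("type") == "AVC":
            am = AVC_RE.search(raw)
            if am is None or am.group("verdict") != "denied":
                continue
            denials[serial] = Denial(
                serial, am.group("perms").split(), f.get("comm", ""), f.get("path", ""),
                f["scontext"], f["tcontext"], f["tclass"], f.get("permissive") == "1")
        elif f.get("type") == "SYSCALL":
            syscalls[serial] = f
    for serial, d in denials.items():
        if serial in syscalls:
            d.syscall = syscalls[serial].get("syscall")
            d.success = syscalls[serial].get("success") == "yes"
    return list(denials.values())


def triage(denials: List[Denial]) -> List[dict]:
    """Keep container-domain file denials whose target label is not container content."""
    findings = []
    for d in denials:
        stype, ttype = _type(d.scontext), _type(d.tcontext)
        if not stype.startswith("container_") or d.tclass != "file":
            continue
        if ttype in CONTAINER_CONTENT_TYPES:
            continue  # ordinary policy denial, not a labeling problem
        note = (f"{d.comm} ({stype}) denied {' '.join(d.perms)} on {d.path} labeled "
                f"{ttype}; that path is inside the image, so the mislabeled file is the "
                f"overlay-layer copy on the host, not the host's own {d.path}.")
        if d.syscall == "mprotect":
            # RELRO is an mprotect() on an already mapped library; SELinux re-checks
            # file read permission on that mapping, which is why the loader reports it.
            note += " Raised by the loader's RELRO mprotect step."
        findings.append({
            "serial": d.serial, "path": d.path, "target_type": ttype, "perms": d.perms,
            "syscall": d.syscall,
            "enforced": not d.permissive,          # permissive=1: logged, not blocked
            "syscall_failed": d.success is False,  # what the process actually saw
            "note": note})
    return findings


# Constructed sample input: the two AVC/SYSCALL pairs quoted in the thread (joined
# onto single lines), then a made-up enforcing-mode pair for the same file, then a
# made-up control denial against correctly labeled content (must not be flagged).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1 a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c62,c364 key=(null)',
    'type=AVC msg=audit(1679486509.713:167): avc: denied { read } for pid=3168 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c436,c873 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1679486509.713:167): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f6318db1000 a1=3000 a2=1 a3=562c3fdd6c80 items=0 ppid=3165 pid=3168 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c436,c873 key=(null)',
    'type=AVC msg=audit(1679480000.000:99): avc: denied { read } for pid=2500 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1679480000.000:99): arch=x86_64 syscall=mprotect success=no exit=-13 a0=7f0000000000 a1=3000 a2=1 a3=0 items=0 ppid=2499 pid=2500 auid=1000 uid=1000 gid=1000 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c12,c34 key=(null)',
    'type=AVC msg=audit(1679480001.000:100): avc: denied { write } for pid=2501 comm="sh" path="/repo/out" dev="dm-3" ino=42 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:container_file_t:s0:c12,c34 tclass=file permissive=0',
]

if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_AUDIT)):
        mode = "enforced" if f["enforced"] else "permissive"
        print(f"[{f['serial']}] {mode}; {f['syscall']} failed={f['syscall_failed']}")
        print("  " + f["note"])
```

Feed it `ausearch -m AVC,SYSCALL --raw` output (one record per line) to run it on a real host. The triage deliberately keys on the target type rather than on the path, since, as noted above, the in-image path is meaningless for relabeling on the host; a user_home_t target for a container_t reader is the signal that the overlay storage itself carries the wrong label, regardless of which library happened to be relocated first.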