View Issue Details

ID: 0018302
Project: administration
Category: policy
View Status: public
Last Update: 2021-09-11 16:52
Reporter: thompsop
Assigned To: 
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
OS: Centos 8
Summary: 0018302: SELinux is preventing ip from read access on the file labeled container_runtime_t
Description: Running pihole in rootless docker. Commands inside the pihole process create this error message.
selinux-policy-3.14.3-67.el8_4.1.noarch
snapd-selinux-2.51.7-1.el8.noarch
selinux-policy-targeted-3.14.3-67.el8_4.1.noarch
podman-docker-3.2.3-0.10.module+el8.4.0+643+525e162a.noarch
Steps To Reproduce: Run pihole in a docker container. Services appear to run correctly, but this message is produced regularly.
Added the SELinux recommendations to /etc/selinux/local and the problem persists.
module my-ip 1.0;

require {
        type container_runtime_t;
        type container_t;
        class file read;
}

#============= container_t ==============

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain file { ioctl read lock execute execute_no_trans } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED

# Possible cause is the source user (system_u) and target user (unconfined_u) are different.
# Possible cause is the source level (s0:c38,c747) and target level (s0-s0:c0.c1023) are different.
# mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
# mlsconstrain file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
allow container_t container_runtime_t:file read;

Additional Information: SELinux is preventing ip from read access on the file labeled container_runtime_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ip should be allowed read access on file labeled container_runtime_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ip' --raw | audit2allow -M my-ip
# semodule -X 300 -i my-ip.pp


Additional Information:
Source Context system_u:system_r:container_t:s0:c41,c841
Target Context unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
Target Objects Unknown [ file ]
Source ip
Source Path ip
Port <Unknown>
Host lol1093.com
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-67.el8_4.1.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-67.el8_4.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name lol1093.com
Platform Linux lol1093.com 4.18.0-305.17.1.el8_4.x86_64 #1 SMP Wed Sep 8 16:42:05 UTC 2021 x86_64 x86_64
Alert Count 123
First Seen 2021-09-11 09:51:01 CDT
Last Seen 2021-09-11 11:48:00 CDT
Local ID aa686c6d-1099-4d41-b16a-6b2c54c0aff4

Raw Audit Messages
type=AVC msg=audit(1631378880.928:73509): avc: denied { read } for pid=1092424 comm="ip" dev="nsfs" ino=4026532322 scontext=system_u:system_r:container_t:s0:c41,c841 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=file permissive=0


type=SYSCALL msg=audit(1631378880.928:73509): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=5559486e78e4 a2=0 a3=0 items=0 ppid=1092423 pid=1092424 auid=1005 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=6935 comm=ip exe=/bin/ip subj=system_u:system_r:container_t:s0:c41,c841 key=(null)

Hash: ip,container_t,container_runtime_t,file,read
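As an added illustration (not part of the report or of the SELinux tooling), the following Python applies the "file read" mlsconstrain rule quoted by audit2allow above to the raw AVC line, showing why the generated allow rule cannot satisfy it: the source high level s0:c41,c841 does not dominate the target high level s0:c0.c1023. It assumes container_t carries the mcs_constrained_type attribute, as the "(t1 != mcs_constrained_type -Fail-)" note indicates.

```python
import re

# Constructed sample: the raw AVC line from this report, re-typed here.
AVC_LINE = (
    'type=AVC msg=audit(1631378880.928:73509): avc: denied { read } for pid=1092424 '
    'comm="ip" dev="nsfs" ino=4026532322 '
    'scontext=system_u:system_r:container_t:s0:c41,c841 '
    'tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 '
    'tclass=file permissive=0'
)

# Types assumed to carry mcs_constrained_type; container_t is listed because
# the audit2allow output above reports "t1 != mcs_constrained_type -Fail-".
MCS_CONSTRAINED = frozenset({"container_t"})


def parse_level(level):
    """'s0:c41,c841' -> (0, {41, 841}); 'c0.c1023' ranges are expanded."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), categories


def parse_context(ctx):
    """'user:role:type:low[-high]' -> dict; a missing high level equals low."""
    user, role, type_, levels = ctx.split(":", 3)
    low, _, high = levels.partition("-")
    return {"user": user, "role": role, "type": type_,
            "low": parse_level(low), "high": parse_level(high or low)}


def dominates(a, b):
    """MLS dominance: sensitivity at least as high and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def explain_denial(avc_line):
    """Evaluate (h1 dom h2) or (t1 != mcs_constrained_type) for one AVC line."""
    m = re.search(r"denied\s+\{ ([^}]*) \}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)", avc_line)
    perms = m.group(1).split()
    src, tgt = parse_context(m.group(2)), parse_context(m.group(3))
    h1_dom_h2 = dominates(src["high"], tgt["high"])
    satisfied = h1_dom_h2 or src["type"] not in MCS_CONSTRAINED
    return {"perms": perms, "tclass": m.group(4), "h1_dom_h2": h1_dom_h2,
            "users_differ": src["user"] != tgt["user"],
            "constraint_satisfied": satisfied}
```

When constraint_satisfied is False, an `allow` rule on the types alone changes nothing; the category range or the mcs_constrained_type attribute would have to change, which is why audit2allow flags the AVC as a constraint violation.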
Tags: seli

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-09-11 16:52 thompsop New Issue
2021-09-11 16:52 thompsop Tag Attached: seli