Laszlo Ersek
2023-Mar-22 11:45 UTC
[Libguestfs] [libnbd PATCH v4 0/2] lib/utils: introduce async-signal-safe execvpe()
On 3/22/23 12:42, Daniel P. Berrangé wrote:
> On Wed, Mar 22, 2023 at 12:13:49PM +0100, Laszlo Ersek wrote:
>> On 3/22/23 11:42, Laszlo Ersek wrote:
>>
>>> Now the "podman build -f ci/containers/alpine-edge.Dockerfile -t
>>> libnbd-alpine-edge" command is failing with a different error message --
>>> the download completes, but the internal relinking etc fails due to
>>> permission errors, which I don't understand. I've asked Martin for comments.
>>>
>>> Meanwhile, your other email (= just download the prebuilt container from
>>> gitlab) could help!
>>
>> Unfortunately, I got the same failure:
>>
>> podman run -it --rm --userns=keep-id -v .:/repo:z -w /repo \
>>   registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest \
>>   bash
>>
>>> Trying to pull registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest...
>>> Getting image source signatures
>>> Copying blob 88ecf269dec3 done
>>> Copying blob 0ded2f83af0e done
>>> Copying config a3b4bffb18 done
>>> Writing manifest to image destination
>>> Storing signatures
>>> Error relocating /usr/lib/libreadline.so.8: RELRO protection failed: Permission denied
>>> Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
>>> Error relocating /usr/lib/libncursesw.so.6: RELRO protection failed: Permission denied
>>> Error relocating /bin/bash: RELRO protection failed: Permission denied
>
> This looks relevant:
>
>   https://bugzilla.redhat.com/show_bug.cgi?id=2019324
>
> and suggests
>
>   restorecon -R ~/.local/share/containers/storage/overlay*

Yes, I've tried that (via some other links); it does not help. (In the
first place, I started with a nonexistent ~/.local/share/containers
directory, so I'm unsure why I'm responsible for setting the labels on
new contents... but anyway, I tried it and it does not help.) I'll
check with setenforce 0 next...

Thanks!
Laszlo
Laszlo Ersek
2023-Mar-22 12:30 UTC
[Libguestfs] [libnbd PATCH v4 0/2] lib/utils: introduce async-signal-safe execvpe()
On 3/22/23 12:45, Laszlo Ersek wrote:
> On 3/22/23 12:42, Daniel P. Berrangé wrote:
>> On Wed, Mar 22, 2023 at 12:13:49PM +0100, Laszlo Ersek wrote:
>>> On 3/22/23 11:42, Laszlo Ersek wrote:
>>>
>>>> Now the "podman build -f ci/containers/alpine-edge.Dockerfile -t
>>>> libnbd-alpine-edge" command is failing with a different error
>>>> message -- the download completes, but the internal relinking etc
>>>> fails due to permission errors, which I don't understand. I've
>>>> asked Martin for comments.
>>>>
>>>> Meanwhile, your other email (= just download the prebuilt container
>>>> from gitlab) could help!
>>>
>>> Unfortunately, I got the same failure:
>>>
>>> podman run -it --rm --userns=keep-id -v .:/repo:z -w /repo \
>>>   registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest \
>>>   bash
>>>
>>>> Trying to pull registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest...
>>>> Getting image source signatures
>>>> Copying blob 88ecf269dec3 done
>>>> Copying blob 0ded2f83af0e done
>>>> Copying config a3b4bffb18 done
>>>> Writing manifest to image destination
>>>> Storing signatures
>>>> Error relocating /usr/lib/libreadline.so.8: RELRO protection failed: Permission denied
>>>> Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
>>>> Error relocating /usr/lib/libncursesw.so.6: RELRO protection failed: Permission denied
>>>> Error relocating /bin/bash: RELRO protection failed: Permission denied
>>
>> This looks relevant:
>>
>>   https://bugzilla.redhat.com/show_bug.cgi?id=2019324
>>
>> and suggests
>>
>>   restorecon -R ~/.local/share/containers/storage/overlay*
>
> Yes, I've tried that (via some other links); it does not help. (In the
> first place, I started with a nonexistent ~/.local/share/containers
> directory, so I'm unsure why I'm responsible for setting the labels on
> new contents... but anyway, I tried it and it does not help.) I'll
> check with setenforce 0 next...

This seems to be a RHEL-9.1 SELinux bug alright.
The system is an up-to-date RHEL-9.1 install.

(1) I removed the ~/.local/share/containers directory recursively, set
SELinux to Permissive mode, and repeated the above podman command. The
container was entered alright, and one AVC was logged. Sealert said:

> SELinux is preventing /bin/bash from read access on the file
> /usr/lib/libreadline.so.8.2.
>
> *****  Plugin restorecon (99.5 confidence) suggests   ************************
>
> If you want to fix the label.
> /usr/lib/libreadline.so.8.2 default label should be lib_t.
> Then you can run restorecon. The access attempt may have been stopped
> due to insufficient permissions to access a parent directory in which
> case try to change the following command accordingly.
> Do
> # /sbin/restorecon -v /usr/lib/libreadline.so.8.2
>
> *****  Plugin catchall (1.49 confidence) suggests   **************************
>
> If you believe that bash should be allowed read access on the
> libreadline.so.8.2 file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'bash' --raw | audit2allow -M my-bash
> # semodule -X 300 -i my-bash.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:container_t:s0:c62,c364
> Target Context                unconfined_u:object_r:user_home_t:s0
> Target Objects                /usr/lib/libreadline.so.8.2 [ file ]
> Source                        bash
> Source Path                   /bin/bash
> Port                          <Unknown>
> Host                          <Unknown>
> Source RPM Packages           bash-5.1.8-6.el9_1.x86_64
> Target RPM Packages
> SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
> Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     lacos-laptop-9.usersys.redhat.com
> Platform                      Linux lacos-laptop-9.usersys.redhat.com
>                               5.14.0-162.18.1.el9_1.x86_64 #1 SMP
>                               PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
>                               x86_64
> Alert Count                   1
> First Seen                    2023-03-22 12:57:44 CET
> Last Seen                     2023-03-22 12:57:44 CET
> Local ID                      0db129a5-552f-49b2-b3bc-ec206978affb
>
> Raw Audit Messages
> type=AVC msg=audit(1679486264.987:145): avc: denied { read } for
> pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3"
> ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>
>
> type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64
> syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1
> a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000
> euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0
> ses=2 comm=bash exe=/bin/bash
> subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64
> SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos
> FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
>
> Hash: bash,container_t,user_home_t,file,read

Any comments about "/usr/lib/libreadline.so.8.2" having a bad label are
bogus, that file exists within the container image!
(2) I ran "restorecon -FvvR ~/.local/share/containers/", and it
relabeled a whole bunch of files. Then I repeated the same podman
command. The container was entered again, but an effectively identical
AVC was logged again. It's easier to show the diff:

> @@ -1,5 +1,5 @@
>
> -found 1 alerts in /home/lacos/tmp/1
> +found 1 alerts in /home/lacos/tmp/2
>  --------------------------------------------------------------------------------
>
>  SELinux is preventing /bin/bash from read access on the file /usr/lib/libreadline.so.8.2.
> @@ -24,7 +24,7 @@
>
>
>  Additional Information:
> -Source Context                system_u:system_r:container_t:s0:c62,c364
> +Source Context                system_u:system_r:container_t:s0:c436,c873
>  Target Context                unconfined_u:object_r:user_home_t:s0
>  Target Objects                /usr/lib/libreadline.so.8.2 [ file ]
>  Source                        bash
> @@ -44,15 +44,15 @@
>                                PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
>                                x86_64
>  Alert Count                   1
> -First Seen                    2023-03-22 12:57:44 CET
> -Last Seen                     2023-03-22 12:57:44 CET
> -Local ID                      0db129a5-552f-49b2-b3bc-ec206978affb
> +First Seen                    2023-03-22 13:01:49 CET
> +Last Seen                     2023-03-22 13:01:49 CET
> +Local ID                      2771711b-e2af-4c92-840d-36573a4fb12a
>
>  Raw Audit Messages
> -type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> +type=AVC msg=audit(1679486509.713:167): avc: denied { read } for pid=3168 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c436,c873 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>
>
> -type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1 a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
> +type=SYSCALL msg=audit(1679486509.713:167): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f6318db1000 a1=3000 a2=1 a3=562c3fdd6c80 items=0 ppid=3165 pid=3168 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c436,c873 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
>
>  Hash: bash,container_t,user_home_t,file,read
>

Laszlo
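As an added example (not code from the thread or from libnbd), a small Python parser for the raw AVC records quoted above. It pulls the source/target types out of each denial and flags the pattern seen in this thread: a container_t process denied on a file that still carries the home-directory type user_home_t, i.e. the image layers under ~/.local/share/containers are mislabelled rather than the file inside the image. The audit excerpt is constructed from the two AVC lines in the thread; "storage_mislabel" is a name chosen here, not an SELinux term.

```python
import re

# Constructed sample: the two raw AVC records quoted in this thread,
# plus one SYSCALL record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes exit=0
type=AVC msg=audit(1679486509.713:167): avc: denied { read } for pid=3168 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c436,c873 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# Field layout of a kernel AVC record. auditd prints "avc:  denied  {" with
# double spaces, while mail quoting collapses them, so whitespace is loose.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'(?: path="(?P<path>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The type is the third colon-separated component of a security context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def classify(rec):
    """'storage_mislabel' (a name chosen here) when a container_t process is
    denied on a file still typed user_home_t, which is what the thread's AVC
    shows for a library inside the pulled image; anything else is 'other'."""
    if rec["stype"] == "container_t" and rec["ttype"] == "user_home_t":
        return "storage_mislabel"
    return "other"

def scan(audit_text):
    """Return (serial, comm, path, verdict) for every AVC denial in the text."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            out.append((rec["serial"], rec["comm"], rec["path"], classify(rec)))
    return out

if __name__ == "__main__":
    for serial, comm, path, verdict in scan(SAMPLE_AUDIT):
        print(f"audit serial {serial}: {comm} read {path}: {verdict}")
```

Feed it `ausearch -m AVC --raw` output to see whether every denial in a rootless podman session shares the same user_home_t target type; if so, the storage tree is what needs relabelling, not the files inside the image.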