[Libguestfs] [libnbd PATCH v4 0/2] lib/utils: introduce async-signal-safe execvpe()
Laszlo Ersek
lersek at redhat.com
Wed Mar 22 12:30:28 UTC 2023
On 3/22/23 12:45, Laszlo Ersek wrote:
> On 3/22/23 12:42, Daniel P. Berrangé wrote:
>> On Wed, Mar 22, 2023 at 12:13:49PM +0100, Laszlo Ersek wrote:
>>> On 3/22/23 11:42, Laszlo Ersek wrote:
>>>
>>>> Now the "podman build -f ci/containers/alpine-edge.Dockerfile -t
>>>> libnbd-alpine-edge" command is failing with a different error
>>>> message -- the download completes, but the internal relinking etc
>>>> fails due to permission errors, which I don't understand. I've
>>>> asked Martin for comments.
>>>>
>>>> Meanwhile, your other email (= just download the prebuilt container
>>>> from gitlab) could help!
>>>
>>> Unfortunately, I got the same failure:
>>>
>>> podman run -it --rm --userns=keep-id -v .:/repo:z -w /repo \
>>> registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest \
>>> bash
>>>
>>>> Trying to pull registry.gitlab.com/nbdkit/libnbd/ci-alpine-edge:latest...
>>>> Getting image source signatures
>>>> Copying blob 88ecf269dec3 done
>>>> Copying blob 0ded2f83af0e done
>>>> Copying config a3b4bffb18 done
>>>> Writing manifest to image destination
>>>> Storing signatures
>>>> Error relocating /usr/lib/libreadline.so.8: RELRO protection failed: Permission denied
>>>> Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
>>>> Error relocating /usr/lib/libncursesw.so.6: RELRO protection failed: Permission denied
>>>> Error relocating /bin/bash: RELRO protection failed: Permission denied
>>
>> This looks relevant:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=2019324
>>
>> and suggests
>>
>> restorecon -R ~/.local/share/containers/storage/overlay*
>
> Yes, I've tried that (via some other links); it does not help. (In the
> first place, I started with a nonexistent ~/.local/share/containers
> directory, so I'm unsure why I'm responsible for setting the labels on
> new contents... but anyway, I tried it and it does not help.) I'll
> check with setenforce 0 next...
This seems to be a RHEL-9.1 SELinux bug alright. The system is an
up-to-date RHEL-9.1 install.
(1) I removed the ~/.local/share/containers directory recursively, set
SELinux to Permissive mode, and repeated the above podman command. The
container was entered alright, and one AVC was logged. Sealert said:
> SELinux is preventing /bin/bash from read access on the file
> /usr/lib/libreadline.so.8.2.
>
> ***** Plugin restorecon (99.5 confidence) suggests ************************
>
> If you want to fix the label.
> /usr/lib/libreadline.so.8.2 default label should be lib_t.
> Then you can run restorecon. The access attempt may have been stopped
> due to insufficient permissions to access a parent directory in which
> case try to change the following command accordingly.
> Do
> # /sbin/restorecon -v /usr/lib/libreadline.so.8.2
>
> ***** Plugin catchall (1.49 confidence) suggests **************************
>
> If you believe that bash should be allowed read access on the
> libreadline.so.8.2 file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'bash' --raw | audit2allow -M my-bash
> # semodule -X 300 -i my-bash.pp
>
>
> Additional Information:
> Source Context system_u:system_r:container_t:s0:c62,c364
> Target Context unconfined_u:object_r:user_home_t:s0
> Target Objects /usr/lib/libreadline.so.8.2 [ file ]
> Source bash
> Source Path /bin/bash
> Port <Unknown>
> Host <Unknown>
> Source RPM Packages bash-5.1.8-6.el9_1.x86_64
> Target RPM Packages
> SELinux Policy RPM selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
> Local Policy RPM selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name lacos-laptop-9.usersys.redhat.com
> Platform Linux lacos-laptop-9.usersys.redhat.com
> 5.14.0-162.18.1.el9_1.x86_64 #1 SMP
> PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
> x86_64
> Alert Count 1
> First Seen 2023-03-22 12:57:44 CET
> Last Seen 2023-03-22 12:57:44 CET
> Local ID 0db129a5-552f-49b2-b3bc-ec206978affb
>
> Raw Audit Messages
> type=AVC msg=audit(1679486264.987:145): avc: denied { read } for
> pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3"
> ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>
>
> type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64
> syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1
> a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000
> euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0
> ses=2 comm=bash exe=/bin/bash
> subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64
> SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos
> FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
>
> Hash: bash,container_t,user_home_t,file,read
Any comments about "/usr/lib/libreadline.so.8.2" having a bad label are
bogus, that file exists within the container image!
(2) I ran "restorecon -FvvR ~/.local/share/containers/", and it
relabeled a whole bunch of files. Then I repeated the same podman
command. The container was entered again, but an effectively identical
AVC was logged again. It's easier to show the diff:
> @@ -1,5 +1,5 @@
>
> -found 1 alerts in /home/lacos/tmp/1
> +found 1 alerts in /home/lacos/tmp/2
> --------------------------------------------------------------------------------
>
> SELinux is preventing /bin/bash from read access on the file /usr/lib/libreadline.so.8.2.
> @@ -24,7 +24,7 @@
>
>
> Additional Information:
> -Source Context system_u:system_r:container_t:s0:c62,c364
> +Source Context system_u:system_r:container_t:s0:c436,c873
> Target Context unconfined_u:object_r:user_home_t:s0
> Target Objects /usr/lib/libreadline.so.8.2 [ file ]
> Source bash
> @@ -44,15 +44,15 @@
> PREEMPT_DYNAMIC Thu Feb 9 04:28:41 EST 2023 x86_64
> x86_64
> Alert Count 1
> -First Seen 2023-03-22 12:57:44 CET
> -Last Seen 2023-03-22 12:57:44 CET
> -Local ID 0db129a5-552f-49b2-b3bc-ec206978affb
> +First Seen 2023-03-22 13:01:49 CET
> +Last Seen 2023-03-22 13:01:49 CET
> +Local ID 2771711b-e2af-4c92-840d-36573a4fb12a
>
> Raw Audit Messages
> -type=AVC msg=audit(1679486264.987:145): avc: denied { read } for pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> +type=AVC msg=audit(1679486509.713:167): avc: denied { read } for pid=3168 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" ino=2907654 scontext=system_u:system_r:container_t:s0:c436,c873 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>
>
> -type=SYSCALL msg=audit(1679486264.987:145): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f761e694000 a1=3000 a2=1 a3=55744feb9c80 items=0 ppid=2749 pid=2752 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c62,c364 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
> +type=SYSCALL msg=audit(1679486509.713:167): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f6318db1000 a1=3000 a2=1 a3=562c3fdd6c80 items=0 ppid=3165 pid=3168 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm=bash exe=/bin/bash subj=system_u:system_r:container_t:s0:c436,c873 key=(null)ARCH=x86_64 SYSCALL=mprotect AUID=lacos UID=lacos GID=lacos EUID=lacos SUID=lacos FSUID=lacos EGID=lacos SGID=lacos FSGID=lacos
>
> Hash: bash,container_t,user_home_t,file,read
>
Laszlo
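As an added example (written here, not part of the thread or of libnbd): a small Python triage helper that parses the two AVC records quoted above and reports what actually changed between the run before and the run after restorecon; it separates the container's per-run MCS categories, which are expected to differ, from the target type, which is what a relabel would have had to change. The record strings are copied from the message; the field names and helper functions are this example's own.

```python
import re

# Both AVC records quoted in the message above (before/after restorecon);
# the two strings are copied from the thread, everything else is added code.
AVC_BEFORE = ('type=AVC msg=audit(1679486264.987:145): avc: denied { read } for '
              'pid=2752 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" '
              'ino=2907654 scontext=system_u:system_r:container_t:s0:c62,c364 '
              'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1')
AVC_AFTER = ('type=AVC msg=audit(1679486509.713:167): avc: denied { read } for '
             'pid=3168 comm="bash" path="/usr/lib/libreadline.so.8.2" dev="dm-3" '
             'ino=2907654 scontext=system_u:system_r:container_t:s0:c436,c873 '
             'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_avc(line):
    """Turn one AVC record into a dict of key=value fields plus decision/perms."""
    m = PERM_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["decision"] = m.group(1)
    rec["perms"] = m.group(2).split()
    return rec

def split_context(ctx):
    """Split user:role:type:level[:categories]; only the single-level form
    seen in the thread (s0 or s0:c62,c364) is handled, categories become a set."""
    parts = ctx.split(":", 4)
    cats = set(parts[4].split(",")) if len(parts) == 5 else set()
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3], "cats": cats}

def container_home_denial(rec):
    """The mismatch the thread shows: container_t denied on a user_home_t file,
    i.e. image contents under the home directory still carry the home label."""
    src, tgt = split_context(rec["scontext"]), split_context(rec["tcontext"])
    return (src["type"] == "container_t" and tgt["type"] == "user_home_t"
            and rec["tclass"] == "file" and rec["decision"] == "denied")

def compare_denials(a, b):
    """Which fields differ between two AVC records, with the context parts split out."""
    ra, rb = parse_avc(a), parse_avc(b)
    sa, sb = split_context(ra["scontext"]), split_context(rb["scontext"])
    ta, tb = split_context(ra["tcontext"]), split_context(rb["tcontext"])
    return {"changed_fields": {k for k in ra if k in rb and ra[k] != rb[k]},
            "source_cats_changed": sa["cats"] != sb["cats"],   # per-run MCS pair
            "source_type_changed": sa["type"] != sb["type"],
            "target_type_changed": ta["type"] != tb["type"]}   # did the relabel land?
```

Running `compare_denials(AVC_BEFORE, AVC_AFTER)` reports only msg, pid and scontext as changed, with the source categories differing and the target type unchanged, which is the "effectively identical AVC" the message describes.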