kata: running podman --runtime /path/to/kata/binary doesn't automatically apply the correct SELinux labels #9582

Closed
fidencio opened this issue Mar 2, 2021 · 2 comments · Fixed by #9598
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

fidencio commented Mar 2, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

When running sudo podman --runtime /usr/bin/kata-runtime ..., on Fedora 33, the SELinux labels are not correctly applied to the qemu & virtiofsd processes, leading to the pod not starting.

Steps to reproduce the issue:

  1. Ensure you have SELinux set as enforcing
  2. Install kata-runtime package on Fedora (sudo dnf install -y kata-runtime)
  3. Run sudo podman --runtime /usr/bin/kata-runtime ...

Describe the results you received:
Error: container create failed (no logs from conmon): EOF

Describe the results you expected:
Container would be created, in the same way as if the command was called as: sudo podman --runtime kata ....

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version 3.1.0-dev (but happens with the Fedora stock version as well).

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.19.6
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.21-3.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 0f53fb68333bdead5fe4dc5175703e22cf9882ab'
  cpus: 4
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: journald
  hostname: machado
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.9.16-200.fc33.x86_64
  linkmode: dynamic
  memFree: 916963328
  memTotal: 8213188608
  ociRuntime:
    name: crun
    package: crun-0.16-3.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.16
      commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.fc33.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 12410413056
  swapTotal: 12459171840
  uptime: 2h 7m 47.65s (Approximately 0.08 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/fidencio/.config/containers/storage.conf
  containerStore:
    number: 14
    paused: 0
    running: 0
    stopped: 14
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.3.0-1.fc33.x86_64
      Version: |-
        fusermount3 version: 3.9.3
        fuse-overlayfs: version 1.3
        FUSE library version 3.9.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/fidencio/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 3
  runRoot: /tmp/1000
  volumePath: /home/fidencio/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1614721138
  BuiltTime: Tue Mar  2 22:38:58 2021
  GitCommit: ""
  GoVersion: go1.15.6
  OsArch: linux/amd64
  Version: 3.1.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.1.0-0.64.dev.git426178a.fc33.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):


fidencio commented Mar 3, 2021

Discussions on #9584 show that this is the intended behaviour. It was good at least to have this statement. :-)

@fidencio fidencio closed this as completed Mar 3, 2021

rhatdan commented Mar 3, 2021

I think I have a better fix for this.

@rhatdan rhatdan reopened this Mar 3, 2021
@rhatdan rhatdan self-assigned this Mar 3, 2021
rhatdan added a commit to rhatdan/podman that referenced this issue Mar 3, 2021
Fixes: containers#9582

This PR also adds tests to make sure SELinux labels match the runtime,
or if init is specified works with the correct label.

Add tests for selinux kvm/init labels

Signed-off-by: Daniel J Walsh <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023