podman: Cannot ssh to container due to Operation not permitted on /proc/self/loginuid

/kind bug

Regression

Description

I have a container with SSH running inside. I have added the AUDIT_WRITE capability to the container. After updating podman to mainline, I am unable to SSH to the container.

Steps to reproduce the issue:

  1. Add “AUDIT_WRITE” to the default_capabilities list in the /usr/share/containers/containers.conf file

  2. Put SELinux in Permissive mode

  3. Start a container with public IP address and run sshd inside

  4. Login to the container using the public IP address

Describe the results you received: The SSH connection breaks as soon as the credentials are verified and PAM tries to open a session.

/var/log/secure log:

Jan 25 20:12:17 myhost sshd[278]: Accepted password for myuser from 1x.yy.aa.bb port 51250 ssh2
Jan 25 20:12:17 myhost sshd[278]: pam_loginuid(sshd:session): Error writing /proc/self/loginuid: Operation not permitted
Jan 25 20:12:17 myhost sshd[278]: pam_loginuid(sshd:session): set_loginuid failed
Jan 25 20:12:17 myhost sshd[278]: pam_unix(sshd:session): session opened for user myuser by (uid=0)
Jan 25 20:12:17 myhost sshd[278]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Jan 25 20:12:17 myhost sshd[280]: Received disconnect 1x.yy.aa.bb port 51250:11: disconnected by user
Jan 25 20:12:17 myhost sshd[280]: Disconnected from 1x.yy.aa.bb port 51250

SSH server logs when run in debug mode:

debug1: userauth-request for user myuser service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: PAM: password authentication accepted for myuser
debug1: do_pam_account: called
Accepted password for appadmin from 1x.yy.aa.bb port 51228 ssh2
debug1: monitor_child_preauth: myuser has been authenticated by privileged process
debug1: monitor_read_log: child log fd closed
debug1: temporarily_use_uid: 1000/100 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: SELinux support disabled
debug1: PAM: establishing credentials
PAM: pam_open_session(): Cannot make/remove an entry for the specified session
User child is on pid 311
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1000/100
debug1: rekey after 4294967296 blocks
debug1: rekey after 4294967296 blocks
debug1: ssh_packet_set_postauth: called
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: shell on pts/2 for myuser from 1x.yy.aa.bb port 51228 id 0
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 312
debug1: session_exit_message: session 0 channel 0 pid 312
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/pts/2
debug1: session_pty_cleanup: session 0 release /dev/pts/2
Received disconnect from 1x.yy.aa.bb port 51228:11: disconnected by user
Disconnected from 1x.yy.aa.bb port 51228
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: deleting credentials

Describe the results you expected: SSH connection should work.

Additional information you deem important (e.g. issue happens only occasionally): Always

Output of podman version:

Client:       Podman Engine
Version:      4.0.0-dev
API Version:  4.0.0-dev
Go Version:   go1.17.5
Git Commit:   be722e59eca6cf4b8f9249825e044930d6534f74
Built:        Mon Jan 24 12:57:44 2022
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.24.0-dev
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.29-1.module+el8.5.0+12582+56d94c81.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: 0f5bee61b18d4581668e5bf18b910cda3cff5081'
  cpus: 8
  distribution:
    distribution: '"rhel"'
    version: "8.5"
  eventLogger: file
  hostname: myhost
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-348.12.2.el8_5.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 14842597376
  memTotal: 33511686144
  networkBackend: cni
  ociRuntime:
    name: runc
    package: runc-1.0.2-1.module+el8.5.0+12582+56d94c81.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.2
      spec: 1.0.2-dev
      go: go1.16.7
      libseccomp: 2.5.2
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.module+el8.5.0+12582+56d94c81.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 20002631680
  swapTotal: 20002631680
  uptime: 152h 25m 6s (Approximately 6.33 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
  - filevol
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 2
    stopped: 2
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.0.0-dev
  Built: 1643057864
  BuiltTime: Mon Jan 24 12:57:44 2022
  GitCommit: be722e59eca6cf4b8f9249825e044930d6534f74
  GoVersion: go1.17.5
  OsArch: linux/amd64
  Version: 4.0.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

Local podman build from mainline

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.): RHEL 8.5 VM

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 48 (31 by maintainers)

Most upvoted comments

An example:

# podman run --cap-add AUDIT_WRITE --rm fedora sh -c 'echo 2 > /proc/1/loginuid && echo ok'
sh: line 1: echo: write error: Operation not permitted
# podman run --cap-add AUDIT_CONTROL --rm fedora sh -c 'echo 2 > /proc/1/loginuid && echo ok'
ok
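The reproduction steps and the comment above both come down to the same kernel check, so here is an added example (not code from the issue, from PAM or from podman) that reads the two inputs that check depends on, the CapEff mask and the loginuid a process already carries, and predicts whether a write to /proc/self/loginuid will be permitted. The sample mask and loginuid at the bottom are constructed from the capability list in the podman info above; the `--self` mode is an assumed convenience for running it inside a container.

```shell
#!/bin/sh
# Added example, not code from the issue, PAM or podman. Predicts whether a
# write to /proc/self/loginuid succeeds from two values that are easy to read
# inside a container: the CapEff mask in /proc/self/status and the loginuid
# the process already carries. Kernel rule (audit_set_loginuid_perm): an
# unset loginuid (4294967295) can be set without privilege; once set, changing
# it needs CAP_AUDIT_CONTROL. CAP_AUDIT_WRITE only allows emitting audit
# records, so a container that inherits the host login's loginuid fails in
# pam_loginuid, which is what the issue shows.

CAP_AUDIT_WRITE=29          # bit numbers from linux/capability.h
CAP_AUDIT_CONTROL=30
UNSET_LOGINUID=4294967295

# cap_in_mask HEXMASK BIT: exit 0 when the capability bit is set in the mask
cap_in_mask() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# loginuid_write_allowed HEXMASK CURRENT_LOGINUID: prints allow or deny
loginuid_write_allowed() {
    if [ "$2" -eq "$UNSET_LOGINUID" ]; then
        echo allow      # still unset: no capability needed
    elif cap_in_mask "$1" "$CAP_AUDIT_CONTROL"; then
        echo allow      # already set, but CAP_AUDIT_CONTROL permits a change
    else
        echo deny       # already set and no CAP_AUDIT_CONTROL: EPERM
    fi
}

# check_self: evaluate the current process (run with --self inside the container)
check_self() {
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    cur=$(cat /proc/self/loginuid)
    printf 'CapEff=%s loginuid=%s\n' "$mask" "$cur"
    cap_in_mask "$mask" "$CAP_AUDIT_WRITE"   && echo "has CAP_AUDIT_WRITE"
    cap_in_mask "$mask" "$CAP_AUDIT_CONTROL" && echo "has CAP_AUDIT_CONTROL"
    echo "write to /proc/self/loginuid: $(loginuid_write_allowed "$mask" "$cur")"
}

# Constructed sample: a mask built from the capability list in the podman info
# above (bits 0,1,3,4,5,6,7,8,10,13,18,29,31) and a loginuid inherited as 1000.
EXAMPLE_MASK=00000000a00425fb
EXAMPLE_LOGINUID=1000

case "${1:-}" in
    --self) check_self ;;
    *) echo "sample container: $(loginuid_write_allowed "$EXAMPLE_MASK" "$EXAMPLE_LOGINUID")" ;;
esac
```

Run it with `--self` inside the container (with AUDIT_WRITE, then with AUDIT_CONTROL added) to see the prediction flip from deny to allow, matching the two podman commands in the comment.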