podman: SELinux volume permission issues when playing kube file (rootless)

/kind bug

Description

As mentioned in https://github.com/containers/podman/issues/8710 I have been having issues playing a kube file that I generated with podman. The problem seems to persist (I’m not 100% sure it’s still the same issue). Now on v3.0.0 I have permission issues with the volumes.

Steps to reproduce the issue:

SELinux is set to “enforcing”.

Scenario A: running everything manually:

podman pod create pod -n testpod
create a simple Dockerfile that writes into a file on a mounted volume:

FROM docker.io/centos:centos8
USER root
CMD while true; do echo $(date) >> /testdir/testfile && sleep 3 ; done

build it then run the container in the pod: podman run -d --rm --name testcontainer --pod testpod -v $(pwd)/testdir:/testdir:Z testimage
let’s look at the testfile:

 tail $(pwd)/testdir/testfile
Mon Feb 15 13:04:13 UTC 2021
Mon Feb 15 13:04:16 UTC 2021
Mon Feb 15 13:04:19 UTC 2021
Mon Feb 15 13:04:22 UTC 2021
Mon Feb 15 13:04:25 UTC 2021
Mon Feb 15 13:04:28 UTC 2021

So far so good.

Remove the testfile: rm -f $(pwd)/testdir/testfile

Scenario B: using podman generate:

podman pod create pod -n testpod
create a simple Dockerfile:

FROM docker.io/centos:centos8
USER root
CMD while true; do echo $(date) >> /testdir/testfile && sleep 3 ; done

build it then run the container in the pod: podman run -d --rm --name testcontainer --pod testpod -v $(pwd)/testdir:/testdir:Z testimage
generate a YAML file while the container is running: podman generate kube <pod id> > kube.yaml
the kube.yaml file looks like this:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-02-15T12:40:29Z"
  labels:
    app: testpod
  name: testpod
spec:
  containers:
  - command:
    - /bin/sh
    - -c
    - while true; do echo $(date) >> /testdir/testfile && sleep 3 ; done
    env:
    - name: PATH
      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    - name: TERM
      value: xterm
    - name: container
      value: podman
    image: localhost/testimage:latest
    name: testcontainer
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
      privileged: false
      readOnlyRootFilesystem: false
      seLinuxOptions: {}
    volumeMounts:
    - mountPath: /testdir
      name: home-podman-testdir
    workingDir: /
  dnsConfig: {}
  restartPolicy: Never
  volumes:
  - hostPath:
      path: /home/podman/testdir
      type: Directory
    name: home-podman-testdir
status: {}

Play it: podman play kube kube.yaml
Check the testfile:

tail -f $(pwd)/testdir/testfile
tail: cannot open '/home/podman/testdir/testfile' for reading: No such file or directory

Let’s see the logs:

podman logs testpod-testcontainer
/bin/sh: /testdir/testfile: Permission denied
/bin/sh: /testdir/testfile: Permission denied
/bin/sh: /testdir/testfile: Permission denied
/bin/sh: /testdir/testfile: Permission denied
/bin/sh: /testdir/testfile: Permission denied

Scenario B works when SELinux is set to pemissive mode.

Describe the results you received: I would expect the container to write into the testfile in both Scenario A and B also with SELinux set to enforcing mode.

Describe the results you expected:

I get “permission denied” error message.

Additional information you deem important (e.g. issue happens only occasionally): This issue happens since updating from 2.1.1 to 3.0.0. I had to skip 2.2.1 due to the issue mentioned above.

Output of podman version:

podman version
WARN[0000] Failed to add podman to systemd sandbox cgroup: exec: "dbus-launch": executable file not found in $PATH
Version:      3.0.0
API Version:  3.0.0
Go Version:   go1.14.12
Built:        Sun Feb 14 18:48:35 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

podman info --debug
WARN[0000] Failed to add podman to systemd sandbox cgroup: exec: "dbus-launch": executable file not found in $PATH
host:
  arch: amd64
  buildahVersion: 1.19.2
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.26-2.el8.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.26, commit: 8833a1127dabe0d76c18cc8f894ac48b62dfbda9'
  cpus: 4
  distribution:
    distribution: '"centos"'
    version: "8"
  eventLogger: journald
  hostname: ***********
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 795
      size: 1
    - container_id: 1
      host_id: 100000
      size: 10001
    uidmap:
    - container_id: 0
      host_id: 988
      size: 1
    - container_id: 1
      host_id: 100000
      size: 10001
  kernel: 4.18.0-240.10.1.el8_3.x86_64
  linkmode: dynamic
  memFree: 5099360256
  memTotal: 8346828800
  ociRuntime:
    name: crun
    package: crun-0.16-1.el8.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.16
      commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-988/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-3.el8.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.4.3
  swapFree: 1931997184
  swapTotal: 2147479552
  uptime: 459h 44m 21.07s (Approximately 19.12 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/podman/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 2
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.4.0-1.el8.x86_64
      Version: |-
        fusermount3 version: 3.2.1
        fuse-overlayfs: version 1.4
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  graphRoot: /home/podman/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 10
  runRoot: /tmp/podman-run-988/containers
  volumePath: /home/podman/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1613324915
  BuiltTime: Sun Feb 14 18:48:35 2021
  GitCommit: ""
  GoVersion: go1.14.12
  OsArch: linux/amd64
  Version: 3.0.0

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.0.0-2.el8.x86_64
container-selinux-2.145.0-1.el8.noarch

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 15 (5 by maintainers)

Commits related to this issue

Support automatic labeling of kube volumes Fixes: https://github.com/containers/podman/issues/9371 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> — committed to rhatdan/podman by rhatdan 3 years ago
Support automatic labeling of kube volumes Allow users to specify options on the volume mount path. This will trigger relabels of user specifies :z,:Z Also will handle User Relabels if the user speci... — committed to rhatdan/podman by rhatdan 3 years ago
Support automatic labeling of kube volumes Allow users to specify options on the volume mount path. This will trigger relabels of user specifies :z,:Z Also will handle User Relabels if the user speci... — committed to rhatdan/podman by rhatdan 3 years ago
Support automatic labeling of kube volumes Allow users to specify options on the volume mount path. This will trigger relabels of user specifies :z,:Z Also will handle User Relabels if the user speci... — committed to rhatdan/podman by rhatdan 3 years ago
Support automatic labeling of kube volumes Allow users to specify options on the volume mount path. This will trigger relabels of user specifies :z,:Z Also will handle User Relabels if the user speci... — committed to rhatdan/podman by rhatdan 3 years ago
Support automatic labeling of kube volumes Allow users to specify options on the volume mount path. This will trigger relabels of user specifies :z,:Z Also will handle User Relabels if the user speci... — committed to Procyhon/podman by rhatdan 3 years ago

Most upvoted comments

Before I create a new bug after some investigation I have found that the PR which closed this issue: #10339 never made it to the 3.2 branch, which is why the bug still persists for those of us not running from source.

The PR went into the master branch which no longer exists. Another commit was made the day before to main 4cc19f9 which looks like the same fix. So the fix is available, just not in the 3.2 branch.

Rather than being a totally new bug I think this one was just closed too early due to some confusion during the migration from master to main? If commit 4cc19f9 could now be released please I think we’ll be able to see if the bug was really fixed. If you think this warrants a new issue though I am happy to create it.

Ian2020 on Jul 7, 2021

I’m having the same issue described above. When I add the ‘z’ to the mountPath on the yaml, it just treats it as a part of the path.

lsunsi on Mar 29, 2021