Hi. I'm trying to run a service in RHEL 8.5 with SELinux enforcing security. I'm now facing an issue where I get the following info:
If I try to add this rule to SELinux using udica, I get the following error:
Can you please help me set up permissions for { lock } or { execute } or read and write permissions to /proc/meminfo? Thank you
Replies: 4 comments 8 replies
@rhatdan PTAL
@rhatdan Thank you very much for the answer. There are many messages, but they are similar to these two:

avc: denied { lock } for pid=3844 comm="dotnet" path="/proc/meminfo" dev="proc" ino=4026532024 scontext=system_u:system_r:engine_udica.process:s0:c161,c662 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
avc: denied { execute } for pid=3844 comm="dotnet" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=system_u:system_r:engine_udica.process:s0:c161,c662 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0

This is one of the entire SYSCALL
When I run the container without using udica and without container-selinux, only with container_t, I get the following message.

type=AVC msg=audit(1653485153.165:992): avc: denied { write } for pid=19776 comm="dotnet" name="Scans" dev="nvme0n1p2" ino=28181155 scontext=system_u:system_r:container_t:s0:c89,c560 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0

I was able to overcome the issue with the volume mounts and the port for communication with ActiveMQ by using udica.
I'm just having issues with the 'dotnet' permission for path="/dev/zero" and path="/proc/meminfo".
Can this be done using only udica?
Or using only container-selinux?
@vmojzis please take a look. |
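The denials quoted in this thread can be turned into allow rules that extend the udica-generated policy without regenerating it. The script below is an added example written for this thread; it is not code from udica, container-selinux, or the original poster. It parses AVC records (the source type is the third field of scontext, the target type the third field of tcontext), emits one CIL allow rule per distinct denial, and shows the host-side load and check. Assumptions that are mine, not the thread's: the udica block is called engine_udica (taken from the scontext in the quoted AVCs), the extra module file is named engine_udica_extra.cil, and the udica module is already installed so that engine_udica.process exists when the extra module is linked. The sample AVC lines are the ones quoted above, constructed inline so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example for this thread (not udica's or container-selinux's code):
# convert AVC "denied" records into CIL allow rules that extend the policy
# udica generated, then load them as a second module.
set -eu

# Constructed sample input: the two denials quoted in the thread, plus one
# repeat of the first, as `ausearch -m avc` prints them.
SAMPLE_AVC='avc: denied { lock } for pid=3844 comm="dotnet" path="/proc/meminfo" dev="proc" ino=4026532024 scontext=system_u:system_r:engine_udica.process:s0:c161,c662 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
avc: denied { execute } for pid=3844 comm="dotnet" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=system_u:system_r:engine_udica.process:s0:c161,c662 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
avc: denied { lock } for pid=3844 comm="dotnet" path="/proc/meminfo" dev="proc" ino=4026532024 scontext=system_u:system_r:engine_udica.process:s0:c161,c662 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0'

# Constructed sample: the container_t denial from the volume post, with the
# audit record prefix still attached.
VOLUME_AVC='type=AVC msg=audit(1653485153.165:992): avc: denied { write } for pid=19776 comm="dotnet" name="Scans" dev="nvme0n1p2" ino=28181155 scontext=system_u:system_r:container_t:s0:c89,c560 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0'

# avc_to_cil: read AVC records on stdin, print one CIL allow rule per record.
# Source type = 3rd field of scontext, target type = 3rd field of tcontext,
# class = tclass, permissions = the words between the braces.
avc_to_cil() {
    awk '
    /avc: +denied/ {
        match($0, /\{[^}]*\}/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            if (key == "scontext")      { split(val, s, ":"); src = s[3] }
            else if (key == "tcontext") { split(val, t, ":"); tgt = t[3] }
            else if (key == "tclass")   { cls = val }
        }
        if (src != "" && tgt != "" && cls != "")
            printf "(allow %s %s (%s (%s)))\n", src, tgt, cls, perms
    }'
}

# make_module: dedupe the rules (real logs repeat one denial many times) and
# add a comment header. No enclosing block is needed: each rule names the
# udica block's process type by its qualified name (engine_udica.process).
make_module() {
    printf ';; extra allow rules derived from AVC denials (added example)\n'
    avc_to_cil | sort -u
}

# install_module: host-side steps, run as root with the udica module already
# loaded (otherwise engine_udica.process is undefined and the link fails).
# Not executed here; sesearch confirms the rules are in the loaded policy.
install_module() {
    printf '%s\n' "$SAMPLE_AVC" | make_module > engine_udica_extra.cil
    semodule -i engine_udica_extra.cil
    sesearch -A -s engine_udica.process -t proc_t -c file -p lock
    sesearch -A -s engine_udica.process -t zero_device_t -c chr_file -p execute
}
```

Two caveats before loading what this produces. Run the generated rule for the volume denial through your own judgement: `(allow container_t user_home_t (dir (write)))` would let every container_t process write to home directories, whereas the fix the thread already found (udica's volume handling, or a `:Z` label on the volume mount) relabels only that directory. Likewise, `execute` on `zero_device_t` (`chr_file`) lets the process map /dev/zero with executable permission, which is how a JIT runtime obtains writable-and-executable anonymous memory; grant it only because dotnet needs it, not as a general allowance. If your udica version has an `--append-rules` option (check `udica --help`), it consumes an AVC file when regenerating the policy and makes the separate module unnecessary.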