AVCs on rhel-8

[cjeanner]

Hello,

We have detected a small amount of AVCs on a newly deployed rhel-8 with a bunch of containers:

type=AVC msg=audit(1562587793.241:215): avc:  denied  { read } for  pid=8208 comm="systemd-user-ru" name="libpod" dev="tmpfs" ino=73106 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1562587793.241:216): avc:  denied  { read } for  pid=8208 comm="systemd-user-ru" name="overlay-containers" dev="tmpfs" ino=73105 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1562587793.241:217): avc:  denied  { read } for  pid=8208 comm="systemd-user-ru" name="overlay-layers" dev="tmpfs" ino=73104 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0

We have a couple of containers bind-mounting /dev - that's probably the main issue, although we can't do otherwise since the services running in those containers do need /dev access on the host.

Do you think we can provide a patch allowing init_t to access (only "read" listed here because "permissive=0") container_runtime_tmpfs? I'm not really sure it's a good idea, but I don't know what to do in order to avoid that :/.

Cheers,

C.

[rhatdan]

I think this access should be allowed or don't audited in the selinux-policy package. This is just the systemd-user-runtime-dir trying to list content under /run.

I just allowed this in upstream. Please open a bugzilla to get this updated in RHEL 8.

[cjeanner]

Hello Dan,
Thank you for your fast answer - BZ against RHEL-8 opened: https://bugzilla.redhat.com/show_bug.cgi?id=1728246

Cheers,

C.