
AVC denied for unconfined_service_t transition to container_t #96

Closed
bagasse opened this issue Jun 23, 2020 · 6 comments

Comments

@bagasse

bagasse commented Jun 23, 2020

This issue seems similar to #61, but with newer versions of components

type=AVC msg=audit(1592923828.874:31296): avc:  denied  { transition } for  pid=23060 comm="runc:[2:INIT]" path="/usr/bin/container-entrypoint" dev="vdc" ino=5429068 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c832,c955 tclass=process permissive=0
rpm -q runc
runc-1.0.0-67.rc10.el7_8.x86_64
rpm -q podman
podman-1.6.4-16.el7_8.x86_64
rpm -q container-selinux
container-selinux-2.119.1-1.c57a6f9.el7.noarch
cat /etc/redhat-release 
CentOS Linux release 7.8.2003 (Core)

audit2allow output:

#============= unconfined_service_t ==============

#!!!! The file '/usr/bin/container-entrypoint' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /usr/bin/container-entrypoint
allow unconfined_service_t container_t:process transition;
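The record above is the standard audit.log AVC layout, and the `allow` line that follows it is what audit2allow derives from the scontext/tcontext/tclass/permission fields. The following is an added example (not part of the issue and not code from container-selinux) that parses such records into structured fields, re-derives that rule, and tells a transition denial apart from an ordinary object-access denial so that the labelling check audit2allow hints at can be done before any policy change. The sample log it runs on is constructed for the example: it repeats the record from the issue and adds a second, invented file-read denial to show the parser is not transition-specific.

```python
"""Parse SELinux AVC records from audit.log and summarise the denials.

Added illustration for the issue above; not part of container-selinux.
Assumes only the standard record layout:
  type=AVC msg=audit(TS:SERIAL): avc: denied { perms } for key=value ...
"""
import re
from collections import Counter

# Constructed sample log: line 1 is the record quoted in the issue, line 2 a
# non-AVC record that must be skipped, line 3 an invented file-read denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1592923828.874:31296): avc:  denied  { transition } for  pid=23060 comm="runc:[2:INIT]" path="/usr/bin/container-entrypoint" dev="vdc" ino=5429068 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c832,c955 tclass=process permissive=0
type=SYSCALL msg=audit(1592923828.874:31296): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1592923900.001:31300): avc:  denied  { read } for  pid=23101 comm="cat" name="secret.txt" dev="vdc" ino=12345 scontext=system_u:system_r:container_t:s0:c832,c955 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

HEADER_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_context(ctx):
    """Split user:role:type[:mls] into parts; the MLS range itself contains ':'."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "mls": parts[3] if len(parts) > 3 else ""}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": sorted(m.group("perms").split()),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    for side, key in (("source", "scontext"), ("target", "tcontext")):
        if key in rec:
            rec[side] = split_context(rec[key])
    return rec


def allow_rule(rec):
    """Render the rule audit2allow would propose for this record."""
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (rec["source"]["type"], rec["target"]["type"],
                                   rec["tclass"], perm_text)


def describe(rec):
    """Classify the denial: (kind, human-readable explanation)."""
    src, dst = rec["source"]["type"], rec["target"]["type"]
    if rec["tclass"] == "process" and "transition" in rec["perms"]:
        # The domain a process lands in is decided by the label of the file it
        # executes, so a refused transition usually points at a mislabelled file.
        return ("domain_transition",
                "transition %s -> %s refused while executing %s (comm=%s); verify "
                "that file's label with restorecon/matchpathcon before adding a rule"
                % (src, dst, rec.get("path", "<unknown path>"), rec.get("comm", "?")))
    return ("object_access",
            "%s denied %s on %s object %s" % (src, " ".join(rec["perms"]), dst,
                                              rec.get("path") or rec.get("name", "?")))


def summarise(log_text):
    """Count denials per (source type, target type, class, perms) across a log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["source"]["type"], rec["target"]["type"], rec["tclass"],
                    " ".join(rec["perms"]))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG).items():
        print(n, *key)
    first = parse_avc(SAMPLE_LOG.splitlines()[0])
    print(allow_rule(first))
    print(describe(first)[1])
```

Run against a real file with `python3 avc_summary.py < /var/log/audit/audit.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the per-type summary shows at a glance whether a flood of denials is one mislabelled binary (one transition tuple repeated) or genuinely missing policy.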
@rhatdan
Member

rhatdan commented Jun 24, 2020

chcon -t container_runtime_exec_t /usr/bin/container-entrypoint
I think that will fix your problem. Is the container-entrypoint doing a runcon within it?

@rhatdan
Member

rhatdan commented Jun 24, 2020

RHEL7 is not getting updates any longer, so it is not likely this will ever be fixed. Moving to RHEL8 is what I would suggest, or carry the patch that you have or do what I suggest above.

@rhatdan rhatdan closed this as completed Jun 24, 2020
@bagasse
Author

bagasse commented Jun 29, 2020

Thanks for your answer. /usr/bin/container-entrypoint is a simple bash script inside the container image that is used as the container entry point and that, in the end, does an exec of the passed command. So your first suggestion doesn't work.

I didn't find any reference to any kind of allow unconfined_service_t container_t:process transition; rule in the repo, so will this still be relevant on RHEL8 too?

@rhatdan
Member

rhatdan commented Jun 29, 2020

What is the script that you are using to launch runc?

@bagasse
Author

bagasse commented Jun 30, 2020

Podman is launched by the IBM Workload Scheduler job manager, which runs in the system_u:system_r:unconfined_service_t:s0 context (a service managed by systemd). This service launches job commands, and now we are starting to deliver these jobs via containers. It worked fine with docker (due to the client/server model), but now that we are migrating to podman it breaks. The IWS service tries to launch a podman run command wrapped in a bash script via a sudo rule (to load some podman options and environment for the container, limit access to podman options and make sudo rules management easier):

User twsuser may run the following commands on mymachine:
    (root) NOPASSWD: /opt/mycompany/bin/container-run-cmd *
cat /opt/mycompany/bin/container-run-cmd
#!/bin/bash
# Usage: container-run-cmd job_name [command [options]]
CONTAINER_JOB_NAME=$1
shift

# shellcheck disable=SC1090
. "/etc/${CONTAINER_JOB_NAME}/container.env"
# shellcheck disable=SC2068,SC2086
exec /bin/podman run ${CONTAINER_OPTIONS} --name "${CONTAINER_SERVICE}-$(uuidgen)" "${CONTAINER_IMAGE_NAME}:${CONTAINER_IMAGE_TAG}" $@

@mohd-akram

mohd-akram commented Aug 11, 2022

I'm getting this issue in CentOS Stream 9:

$ sudo podman run --rm docker.io/bitnami/mongodb:6.0; echo $?
127
