Is this a BUG REPORT or FEATURE REQUEST?
/kind bug
Description
When mounting a volume containing symlinks with Podman 4.0.0+ on an SELinux-enabled system (e.g. a clean Fedora 36 Workstation beta install), and specifying the :Z flag so that the files in the volume are relabeled, the symlink is not relabeled (regular files are), resulting in "permission denied" errors inside the container.
Running the same commands on a similar system with Podman 3.4.4 (e.g. a clean Fedora 35 Workstation install), the problem does not reproduce.
Steps to reproduce the issue
- Install Podman 4.0.0+ on an SELinux-enabled system, e.g. a clean Fedora 36 Workstation beta install.
- Open a terminal and set up some test files:
$ mkdir stuff && cd stuff
$ echo hello > file
$ ln -s file link
$ ls -Z
unconfined_u:object_r:user_home_t:s0 file
unconfined_u:object_r:user_home_t:s0 link
- Try to mount and relabel the files into a container using a volume:
$ podman run --rm -v .:/stuff:Z busybox ls -lah /stuff
ls: /stuff/link: Permission denied
total 4K
drwxr-xr-x 1 root root 16 Mar 30 20:38 .
dr-xr-xr-x 1 root root 36 Mar 30 20:39 ..
-rw-r--r-- 1 root root 6 Mar 30 20:38 file
Describe the results you received:
I received a permission denied error when trying to access the "link" symlink but not for the "file" regular file.
Describe the results you expected:
I expected the "link" symlink to be accessible inside the container just like the "file" regular file.
Additional information you deem important (e.g. issue happens only occasionally):
The regular file is relabeled while the symlink is not relabeled:
$ ls -Z
system_u:object_r:container_file_t:s0:c177,c899 file
unconfined_u:object_r:user_home_t:s0 link
Running with --security-opt label=disable resolves the issue, confirming it's related to SELinux:
$ podman run --rm -v .:/stuff:Z --security-opt label=disable busybox ls -lah /stuff
drwxr-xr-x 1 root root 16 Mar 30 20:38 .
dr-xr-xr-x 1 root root 36 Mar 30 20:39 ..
-rw-r--r-- 1 root root 6 Mar 30 20:38 file
lrwxrwxrwx 1 root root 4 Mar 30 20:38 link -> file
strace shows that setxattr is being used on the symlink (note that setxattr follows symlinks, so the label is written to the target "file" and the link itself keeps its user_home_t label):
$ strace -f podman run --rm -v .:/stuff:Z busybox ls -lah /stuff 2>&1 | grep -w link | grep setxattr
[pid 111800] setxattr("/home/podmantest/stuff/link", "security.selinux", "system_u:object_r:container_file"..., 47, 0 <unfinished ...>
Compare the output above with Fedora 35 + Podman 3.4.4. The problem does not reproduce and lsetxattr is being used on the symlink:
$ mkdir stuff && cd stuff
$ echo hello > file
$ ln -s file link
$ ls -Z
unconfined_u:object_r:user_home_t:s0 file
unconfined_u:object_r:user_home_t:s0 link
$ podman run --rm -v .:/stuff:Z busybox ls -lah /stuff
drwxr-xr-x 1 root root 16 Mar 30 20:40 .
dr-xr-xr-x 1 root root 36 Mar 30 20:40 ..
-rw-r--r-- 1 root root 6 Mar 30 20:40 file
lrwxrwxrwx 1 root root 4 Mar 30 20:40 link -> file
$ ls -Z
system_u:object_r:container_file_t:s0:c35,c116 file
system_u:object_r:container_file_t:s0:c35,c116 link
$ strace -f podman run --rm -v .:/stuff:Z busybox ls -lah /stuff 2>&1 | grep -w link | grep setxattr
[pid 2214] lsetxattr("/home/podmantest/stuff/link", "security.selinux", "system_u:object_r:container_file"..., 47, 0 <unfinished ...>
This change in behavior is caused by commit f564c9a (upstream opencontainers/selinux@1b18907); reverting it fixes the issue.
Note how the commit renames the original setFileLabel to lSetFileLabel and introduces a new setFileLabel function that follows symlinks.
Output of podman version:
Client: Podman Engine
Version: 4.0.2
API Version: 4.0.2
Go Version: go1.18beta2
Built: Thu Mar 3 15:56:09 2022
OS/Arch: linux/amd64
Output of podman info --debug:
host:
  arch: amd64
  buildahVersion: 1.24.1
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-2.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: '
  cpus: 8
  distribution:
    distribution: fedora
    variant: workstation
    version: "36"
  eventLogger: journald
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.17.1-300.fc36.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 7235469312
  memTotal: 8329519104
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.4.4-1.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.4
      commit: 6521fcc5806f20f6187eb933f9f45130c86da230
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 8328835072
  swapTotal: 8328835072
  uptime: 25.05s
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/podmantest/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/podmantest/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/podmantest/.local/share/containers/storage/volumes
version:
  APIVersion: 4.0.2
  Built: 1646319369
  BuiltTime: Thu Mar 3 15:56:09 2022
  GitCommit: ""
  GoVersion: go1.18beta2
  OsArch: linux/amd64
  Version: 4.0.2
Package info (e.g. output of rpm -q podman or apt list podman):
podman-4.0.2-1.fc36.x86_64
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
Reproduced on both local QEMU-KVM virtual machines and bare metal, running Fedora 35/36 Beta.
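The following is an added example, not code from this issue, from Podman or from opencontainers/selinux. It shows the setxattr(2) versus lsetxattr(2) distinction the report hinges on, using Python's os.setxattr/os.getxattr, whose follow_symlinks switch maps directly onto those two syscalls: labelling through a symlink with follow_symlinks=True writes the attribute to the target and leaves the link untouched, which is exactly why "link" keeps user_home_t above. It also includes the check a practitioner would run on a host: parse ls -Z output (or read each entry's own label with lgetxattr) and list entries whose type is not container_file_t. The attribute name user.demo, the expected type container_file_t and the sample listing are assumptions made for the example; relabelling with security.selinux requires an SELinux host and permission to write that attribute, so the demo function uses a user.* attribute instead and reports None where the filesystem refuses it.

```python
import errno
import os
import shutil
import tempfile

SELINUX_ATTR = "security.selinux"


def parse_ls_Z(text):
    """Parse `ls -Z` output ("<context> <name>" per line) into {name: context}."""
    labels = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            labels[parts[1].strip()] = parts[0]
    return labels


def label_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def not_relabeled(labels, expected_type="container_file_t"):
    """Names whose type is not the expected container type (assumed default);
    a confined container process will be denied access to these."""
    return sorted(name for name, ctx in labels.items() if label_type(ctx) != expected_type)


def read_labels(directory):
    """Read each entry's *own* label with lgetxattr(2) (follow_symlinks=False), so a
    symlink reports its own context rather than its target's. None when the entry
    has no label or the kernel/filesystem does not provide one."""
    labels = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            raw = os.getxattr(path, SELINUX_ATTR, follow_symlinks=False)
            labels[name] = raw.rstrip(b"\0").decode()
        except OSError:
            labels[name] = None
    return labels


def set_label(path, context, follow_symlinks):
    """Relabel one entry. follow_symlinks=True is setxattr(2): on a symlink it writes
    the label to the target and leaves the link alone (the behaviour reported for
    Podman 4.0). follow_symlinks=False is lsetxattr(2): it labels the link itself
    (the Podman 3.4 behaviour). Needs an SELinux host and permission to relabel."""
    os.setxattr(path, SELINUX_ATTR, context.encode(), follow_symlinks=follow_symlinks)


def demo_follow_semantics():
    """Reproduce the mechanism without SELinux: set a user.* xattr (assumed name
    user.demo) *through* a symlink with follow_symlinks=True and check where it
    landed. Returns None if the filesystem refuses user xattrs, else
    {"target": bool, "link": bool}."""
    workdir = tempfile.mkdtemp(prefix="xattr-demo-")
    try:
        target = os.path.join(workdir, "file")
        link = os.path.join(workdir, "link")
        with open(target, "w") as f:
            f.write("hello\n")
        os.symlink("file", link)
        try:
            # setxattr(2): resolves the link, attribute goes onto "file"
            os.setxattr(link, "user.demo", b"relabeled", follow_symlinks=True)
        except OSError as exc:
            if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP, errno.EPERM, errno.EACCES):
                return None
            raise
        target_has = os.getxattr(target, "user.demo") == b"relabeled"
        try:
            # lgetxattr(2): asks the link itself, which was never touched
            os.getxattr(link, "user.demo", follow_symlinks=False)
            link_has = True
        except OSError as exc:
            if exc.errno not in (errno.ENODATA, errno.ENOTSUP, errno.EOPNOTSUPP, errno.EPERM):
                raise
            link_has = False
        return {"target": target_has, "link": link_has}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    # Constructed sample matching the `ls -Z` output after the failed relabel.
    listing = """
system_u:object_r:container_file_t:s0:c177,c899 file
unconfined_u:object_r:user_home_t:s0 link
"""
    print("not relabeled:", not_relabeled(parse_ls_Z(listing)))
    print("setxattr through link:", demo_follow_semantics())
```

On an affected host, read_labels(".") on the volume directory reports the link with its original user_home_t context while the regular file carries container_file_t, and not_relabeled() returns ["link"]; on the fixed version both entries carry the same container_file_t:s0:cX,cY context and the list is empty.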