Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to F31: SELinux denials with container_t trying to access spc_t #4361

Closed
space88man opened this issue Oct 29, 2019 · 7 comments
Closed
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@space88man
Copy link

space88man commented Oct 29, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

After upgrading from Fedora 30 to Fedora 31, I am getting SELinux denials when container_t is trying to acess spc_t data. This doesn't prevent the container from functioning, though.

Any ideas where all this spc_t access is coming from?

Steps to reproduce the issue:

  1. Upgrade from Fedora 30 to Fedora 31

  2. Create a CentOS 8 container with /sbin/init as entrypoint

  3. Do moderately complicated stuff like:

    • run dnf inside the container: install glibc-langpack-en, erlang, rabbitmq-server
    • create network:none containers and manually configure networking with veths or nsenter
    • stop and start services inside the container
    • stop and start the container multiple times with podman

Describe the results you received:
Lots of SELinux denials mesages when container_t tries to access spc_t data.
Everything still works(!) and the container runs without any issues even when enforcing is on.

Describe the results you expected:
Clean ausearch -m avc output.

Additional information you deem important (e.g. issue happens only occasionally):
Need below to silence SELinux.

require {
        type container_t;
        type spc_t;
        class process { signal sigstop signull };
        class dir { getattr search read };
        class file { getattr read open };
        class lnk_file { read };
}

#============= container_t ==============
allow container_t spc_t:file { getattr read open };
allow container_t spc_t:lnk_file { read };
allow container_t spc_t:dir { getattr search read };
allow container_t spc_t:process { signal sigstop signull };

Output of podman version:

Version:            1.6.1
RemoteAPI Version:  1
Go Version:         go1.13
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:            
  compiler: gc                                                                  
  git commit: ""
  go version: go1.13              
  podman version: 1.6.1   
host:        
  BuildahVersion: 1.11.2
  CgroupVersion: v2                   
  Conmon:                                                                       
    package: conmon-2.0.1-1.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.1, commit: 5e0eadedda9508810235ab878174dca1183f4013'
  Distribution:
    distribution: fedora
    version: "31"
  MemFree: 5142310912
  MemTotal: 67356446720
  OCIRuntime:
    package: crun-0.10.2-1.fc31.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.10.2
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 16
  eventlogger: journald
  hostname: podman.localdomain
  kernel: 5.3.6-300.fc31.x86_64
  os: linux
  rootless: false
  uptime: 198h 32m 52.94s (Approximately 8.25 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 5
  GraphDriverName: btrfs
  GraphOptions: {}
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Build Version: 'Btrfs v5.2.1 '
    Library Version: "102"
  ImageStore:
    number: 6
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.6.1-2.fc31.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):
Upgraded baremetal from F30 to F31. Sample AVC messages:

type=AVC msg=audit(1572333420.626:5639): avc:  denied  { sigstop } for  pid=1878297 comm="systemd-shutdow" scontext=system_u:system_r:container_t:s0:c464,c961 tcontext=unconfined_u:system_r:spc_t:s0 tclass=process permissive=1

type=AVC msg=audit(1572333625.063:5823): avc:  denied  { search } for  pid=1908140 comm="systemd" name="79" dev="proc" ino=10367374 scontext=system_u:system_r:container_t:s0:c809,c847 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1572336859.488:6807): avc:  denied  { getattr } for  pid=1930986 comm="ps" path="/proc/25" dev="proc" ino=10464139 scontext=system_u:system_r:container_t:s0:c705,c867 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0

type=AVC msg=audit(1572337178.369:6846): avc:  denied  { search } for  pid=1933453 comm="ps" name="25" dev="proc" ino=10464139 scontext=system_u:system_r:container_t:s0:c705,c867 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 29, 2019
@vrothberg
Copy link
Member

@rhatdan PTAL

@space88man
Copy link
Author

space88man commented Oct 29, 2019

I can trigger this on fresh Fedora 31. CentOS 8 systemd root container, running rabbitmq-server.

From outside the container

podman exec rabbitmq_2 systemctl stop rabbitmq-server

See AVCs:

---
time->Tue Oct 29 18:49:36 2019
type=AVC msg=audit(1572346176.045:1478): avc:  denied  { getattr } for  pid=240507 comm="ps" path="/proc/653" dev="proc" ino=5635971 scontext=system_u:system_r:container_t:s0:c28,c560 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 18:49:37 2019
type=AVC msg=audit(1572346177.058:1479): avc:  denied  { getattr } for  pid=240508 comm="ps" path="/proc/653" dev="proc" ino=5635971 scontext=system_u:system_r:container_t:s0:c28,c560 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 18:49:38 2019
type=AVC msg=audit(1572346178.066:1480): avc:  denied  { getattr } for  pid=240509 comm="ps" path="/proc/653" dev="proc" ino=5635971 scontext=system_u:system_r:container_t:s0:c28,c560 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 18:49:39 2019
type=AVC msg=audit(1572346179.074:1482): avc:  denied  { getattr } for  pid=240516 comm="ps" path="/proc/653" dev="proc" ino=5635971 scontext=system_u:system_r:container_t:s0:c28,c560 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0

The command still works, though.

@space88man
Copy link
Author

space88man commented Oct 29, 2019

Reproducer on a fresh Fedora 31:

CON=$(buildah from centos:8)
buildah run $CON dnf install -y glibc-langpack-en
buildah run $CON dnf install -y https://github.com/rabbitmq/erlang-rpm/releases/download/v22.1.5/erlang-22.1.5-1.el8.x86_64.rpm
buildah run $CON dnf install -y https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.7.20/rabbitmq-server-3.7.20-1.el8.noarch.rpm

buildah run $CON systemctl enable rabbitmq-server.service

buildah commit $CON rabbitmq:test


podman run -it --rm --name rabbit_1 --entrypoint /sbin/init rabbitmq:test

On the host run podman exec rabbit_1 systemctl stop rabbitmq-server.

See

----
time->Tue Oct 29 19:11:07 2019
type=AVC msg=audit(1572347467.326:1909): avc:  denied  { getattr } for  pid=247158 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 19:11:08 2019
type=AVC msg=audit(1572347468.339:1910): avc:  denied  { getattr } for  pid=247159 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 19:11:09 2019
type=AVC msg=audit(1572347469.347:1911): avc:  denied  { getattr } for  pid=247160 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 19:11:10 2019
type=AVC msg=audit(1572347470.365:1913): avc:  denied  { getattr } for  pid=247167 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 19:11:11 2019
type=AVC msg=audit(1572347471.376:1914): avc:  denied  { getattr } for  pid=247170 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0

@rhatdan
Copy link
Member

rhatdan commented Oct 29, 2019

Do you know what process is running as spc_t?

ps -eZ | grep spc_t

@space88man
Copy link
Author

space88man commented Oct 29, 2019

@rhatdan it is the externally exec'ed program

# podman exec rabbit_1 ps -eZ 
LABEL                               PID TTY          TIME CMD
system_u:system_r:container_t:s0:c519,c604 1 ?   00:00:00 systemd
system_u:system_r:container_t:s0:c519,c604 16 ?  00:00:00 systemd-journal
system_u:system_r:container_t:s0:c519,c604 22 ?  00:00:00 dbus-daemon
system_u:system_r:container_t:s0:c519,c604 2286 ? 00:00:18 beam.smp
system_u:system_r:container_t:s0:c519,c604 2494 ? 00:00:00 epmd
system_u:system_r:container_t:s0:c519,c604 2644 ? 00:00:00 erl_child_setup
system_u:system_r:container_t:s0:c519,c604 2669 ? 00:00:00 inet_gethost
system_u:system_r:container_t:s0:c519,c604 2670 ? 00:00:00 inet_gethost
unconfined_u:system_r:spc_t:s0    10491 ?        00:00:00 ps

@rhatdan
Copy link
Member

rhatdan commented Oct 29, 2019

That is a bug.

@rhatdan
Copy link
Member

rhatdan commented Oct 30, 2019

PR has merged that should fix this.

@rhatdan rhatdan closed this as completed Oct 30, 2019
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

No branches or pull requests

4 participants