Bug 1292318
| Summary: | SELinux is preventing /usr/sbin/ip from mounton access on the directory /. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Britt Houser <bhouser> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 7.1 | CC: | bhouser, chricker, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-3.13.1-80.el7 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-11-04 02:26:23 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1301700 | ||||||
| Attachments: |
|
||||||
Created attachment 1106714 [details]
Output of sealert
Just for t-shooting, I also upgraded to rhel7.2 packaging, but still see the violation: # rpm -qa | grep selinux libselinux-python-2.2.2-6.el7.x86_64 libselinux-2.2.2-6.el7.x86_64 libselinux-utils-2.2.2-6.el7.x86_64 selinux-policy-3.13.1-60.el7.noarch docker-selinux-1.8.2-10.el7.x86_64 selinux-policy-targeted-3.13.1-60.el7.noarch Where is "ip netns exec $pid ip link set dev mgmt-in name mgmt" placed? Thank you. The "ip netns exec $pid ip link set dev mgmt-in name mgmt" command is executed outside of the container namespace. Is that what you're asking? Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |
Description of problem: As part of adding an interface to a running container, we execute the following command: ip netns exec $pid ip link set dev mgmt-in name mgmt When that command is executed, SELinux kicks in and the following entries are see in audit.log type=AVC msg=audit(1450281422.633:9548): avc: denied { mounton } for pid=56100 comm="ip" path="/" dev="dm-1" ino=128 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir type=SYSCALL msg=audit(1450281422.633:9548): arch=x86_64 syscall=mount success=yes exit=0 a0=43c4d4 a1=4372cf a2=43838d a3=84000 items=0 ppid=56063 pid=56100 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null) Version-Release number of selected component (if applicable): # rpm -qa | grep selinux selinux-policy-targeted-3.13.1-23.el7.noarch docker-selinux-1.8.2-7.el7.x86_64 selinux-policy-3.13.1-23.el7.noarch How reproducible: Every time Steps to Reproduce: 1. Launch a container with net=none 2. Add interface pid=$(docker inspect -f '{{.State.Pid}}' `docker ps -a | grep my_container | awk '{print $1}'`) ip link add mgmt-out type veth peer name mgmt-in ip link set mgmt-out up ip link set mgmt-in netns $pid ip netns exec $pid ip link set dev mgmt-in name mgmt Actual results: type=AVC msg=audit(1450281422.633:9548): avc: denied { mounton } for pid=56100 comm="ip" path="/" dev="dm-1" ino=128 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir type=SYSCALL msg=audit(1450281422.633:9548): arch=x86_64 syscall=mount success=yes exit=0 a0=43c4d4 a1=4372cf a2=43838d a3=84000 items=0 ppid=56063 pid=56100 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null) Expected results: NO SELinux violations Additional info: