Bug 1353626
| Summary: | broken yum install in spc_t on 7.2.5: avc denied { transition } spc_t -> rpm_script_t | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Colin Walters <walters> |
| Component: | atomic | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | ajia, lsm5 |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 09:06:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I think what's happening here is that, ordinarily:
# docker run --rm -ti centos bash
# yum -y install /usr/sbin/getenforce
# getenforce
Disabled
However, inside an SPC we mount /host, which ends up pulling /host/sys/fs/selinux into the visible namespace:
# atomic run centos/tools
# getenforce
Enforcing
And looking at strace I can see this:
statfs("/sys/fs/selinux", {f_type="SYSFS_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
statfs("/selinux", 0x7ffc189c8d70) = -1 ENOENT (No such file or directory)
brk(0) = 0x198a000
brk(0x19ab000) = 0x19ab000
open("/proc/filesystems", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f74d3979000
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 1024) = 392
stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned", 0x7ffc189c8c50) = -1 ENOENT (No such file or directory)
close(3) = 0
munmap(0x7f74d3979000, 4096) = 0
open("/proc/mounts", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f74d3979000
read(3, "rootfs / rootfs rw 0 0\n/dev/mapp"..., 1024) = 1024
read(3, "group/cpuacct,cpu cgroup rw,nosu"..., 1024) = 1024
read(3, "ae83bedbab09933f6832b7000372 /ho"..., 1024) = 1024
read(3, "host/var/lib/docker/devicemapper"..., 1024) = 1024
read(3, "er/mnt/43471a878cf339022b82f9e53"..., 1024) = 1024
read(3, "2b7000372/rootfs/sys/fs/cgroup/b"..., 1024) = 1024
read(3, "latime,attr2,inode64,noquota 0 0"..., 1024) = 1024
read(3, "atime,xattr,release_agent=/usr/l"..., 1024) = 1024
read(3, "inuxfs rw,relatime 0 0\ndebugfs /"..., 1024) = 1024
statfs("/host/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
statfs("/host/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat("/host/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
close(3) = 0
You can see how libselinux worked out to look at /host/sys/fs/selinux presumably because it's looking for a selinuxfs mount anywhere it can find in /proc/mounts.
We can fix the issue, but this could be a potential problem, in that we don't want labeling and load_policy to work within a container. For example, if you are running a rhel6 system and you update the selinux-policy package, we don't want this to update the policy on the host, even though this is an SPC.
# docker run -it --rm --name tools1 -v /sys/fs/selinux:/sys/fs/selinux:ro --privileged --ipc=host --net=host --pid=host -e HOST=/host -e NAME=tools -e IMAGE=centos/tools -v /run:/run -v /var/log:/var/log -v /etc/localtime:/etc/localtime -v /:/host centos/tools
# getenforce
Disabled
So mounting in /sys/fs/selinux as ro fixes the problem. I will add this to --spc: https://github.com/projectatomic/atomic/pull/455
Fixed in atomic-1.11.
The -v /sys/fs/selinux:/sys/fs/selinux:ro has been added into atomic-1.12.2-2.el7.x86_64, and I can successfully run the centos/tools image, so moving the bug to VERIFIED status.
[root@hp-dl360g9-04 /]# atomic run centos/tools
Using default tag: latest
Trying to pull repository docker.io/centos/tools ...
latest: Pulling from docker.io/centos/tools
3d8673bd162a: Pull complete
fe5ec1faff9a: Pull complete
355a87ce8b4b: Pull complete
038c4c85b886: Pull complete
Digest: sha256:969858ac9feb2dbef50f0c8a12306aa1512ef7b23c98e11aecbb02f3191784c5
Status: Downloaded newer image for docker.io/centos/tools:latest
docker run -it --name tools --privileged --ipc=host --net=host --pid=host -e HOST=/host -e NAME=tools -e IMAGE=centos/tools -v /sys/fs/selinux:/sys/fs/selinux:ro -v /run:/run -v /var/log:/var/log -v /etc/localtime:/etc/localtime -v /:/host centos/tools
This container uses privileged security switches:
INFO: --ipc=host
Processes in this container can see and possibly interact with all semaphores and shared memory segments on the host as well as disables SELinux within the container.
INFO: --net=host
Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.
INFO: --pid=host
Processes in this container can see and interact with all processes on the host and disables SELinux within the container.
INFO: --privileged
This container runs without separation and should be considered the same as root on your system.
For more information on these switches and their security implications, consult the manpage for 'docker run'.
[root@hp-dl360g9-04 /]# getenforce
Disabled
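The strace in the first comment shows the lookup order libselinux uses to find selinuxfs: statfs() on /sys/fs/selinux (plain sysfs inside the SPC, so no match), then /proc/filesystems, then a scan of /proc/mounts that picks up the host's selinuxfs under /host. The fix adds a read-only bind of /sys/fs/selinux at the default path, which is what the verification above exercises. The following model of that probe is an added example, not code from this bug or from the atomic or libselinux projects. The statfs dict is a constructed stand-in for statfs()/statvfs(); the /proc/filesystems and /proc/mounts lines are constructed to match the fragments visible in the strace; SYSFS_MAGIC is taken from linux/magic.h; and the read-only test in step 1 is my reading of libselinux's init_selinuxmnt (a read-only selinuxfs at /sys/fs/selinux is treated as "no selinuxfs", which is why the :ro bind reports Disabled), not something the bug states.

```python
"""Model of how libselinux locates selinuxfs, run over constructed inputs."""

SELINUX_MAGIC = 0xF97CFF8C  # f_type a statfs() on a real selinuxfs returns (seen in the strace)
SYSFS_MAGIC = 0x62656572    # f_type of plain sysfs, what a container sees at /sys/fs/selinux
DEFAULT_MNT = "/sys/fs/selinux"


def kernel_knows_selinuxfs(proc_filesystems: str) -> bool:
    """True if /proc/filesystems lists the selinuxfs type (lines look like 'nodev\\tselinuxfs')."""
    return any(line.split()[-1] == "selinuxfs"
               for line in proc_filesystems.splitlines() if line.strip())


def selinuxfs_mounts(proc_mounts: str):
    """Yield (mountpoint, options) for every selinuxfs line in /proc/mounts, in file order."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "selinuxfs":
            yield fields[1], fields[3]


def find_selinuxfs(statfs, proc_filesystems, proc_mounts):
    """Return the selinuxfs path the probe settles on, or None (SELinux looks disabled).

    statfs is a constructed stand-in for statfs()/statvfs(): path -> (f_type, read_only).
    Step 1 checks the default mount point; a selinuxfs found there is final, and a
    read-only one counts as disabled (modelled on libselinux, see the lead-in).
    Steps 2-3 are the fallback: /proc/filesystems, then the first selinuxfs anywhere
    in /proc/mounts, which is how the SPC ended up using /host/sys/fs/selinux.
    """
    f_type, read_only = statfs.get(DEFAULT_MNT, (None, False))
    if f_type == SELINUX_MAGIC:
        return None if read_only else DEFAULT_MNT
    if not kernel_knows_selinuxfs(proc_filesystems):
        return None
    for path, _opts in selinuxfs_mounts(proc_mounts):
        return path  # first match wins, as in the /proc/mounts scan
    return None


def assess(statfs, proc_filesystems, proc_mounts):
    """Summarise what a process in the container would conclude, and whether that mount is writable."""
    path = find_selinuxfs(statfs, proc_filesystems, proc_mounts)
    if path is None:
        return {"path": None, "enabled": False, "writable": False}
    opts = dict(selinuxfs_mounts(proc_mounts)).get(path, "")
    return {"path": path, "enabled": True, "writable": "ro" not in opts.split(",")}


# Constructed inputs. /proc/filesystems as the host kernel reports it.
PROC_FILESYSTEMS = "nodev\tsysfs\nnodev\trootfs\nnodev\tproc\nnodev\tselinuxfs\n\txfs\n"

# SPC before the fix: /sys/fs/selinux inside the container is plain sysfs, but the
# rbind of / onto /host drags the host's writable selinuxfs in as /host/sys/fs/selinux.
MOUNTS_SPC_BEFORE = (
    "rootfs / rootfs rw 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "/dev/mapper/atomicos-root /host xfs rw,relatime,attr2,inode64,noquota 0 0\n"
    "selinuxfs /host/sys/fs/selinux selinuxfs rw,relatime 0 0\n"
)
STATFS_SPC_BEFORE = {"/sys/fs/selinux": (SYSFS_MAGIC, False),
                     "/host/sys/fs/selinux": (SELINUX_MAGIC, False)}

# SPC with the fix (-v /sys/fs/selinux:/sys/fs/selinux:ro): selinuxfs sits at the default
# path but read-only. /host is still mounted, so /host/sys/fs/selinux is still there and
# writable; the probe never reaches it because step 1 already decided.
MOUNTS_SPC_AFTER = MOUNTS_SPC_BEFORE + "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n"
STATFS_SPC_AFTER = {"/sys/fs/selinux": (SELINUX_MAGIC, True),
                    "/host/sys/fs/selinux": (SELINUX_MAGIC, False)}

# Plain container: no selinuxfs visible anywhere.
MOUNTS_PLAIN = "rootfs / rootfs rw 0 0\nsysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n"
STATFS_PLAIN = {"/sys/fs/selinux": (SYSFS_MAGIC, False)}


if __name__ == "__main__":
    cases = [("plain container", (STATFS_PLAIN, PROC_FILESYSTEMS, MOUNTS_PLAIN)),
             ("SPC before fix", (STATFS_SPC_BEFORE, PROC_FILESYSTEMS, MOUNTS_SPC_BEFORE)),
             ("SPC with :ro bind", (STATFS_SPC_AFTER, PROC_FILESYSTEMS, MOUNTS_SPC_AFTER))]
    for label, args in cases:
        print(f"{label:18s} -> {assess(*args)}")
```

The "SPC before fix" case is the one that matters for the original report: the probe lands on a writable /host/sys/fs/selinux, so anything that talks to selinuxfs (yum's rpm scriptlets, load_policy, relabeling) is talking to the host's policy. The fix does not hide that mount; it makes the default path answer first, and answer "read-only", so the fallback scan is never reached.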
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2628.html
# atomic host status
TIMESTAMP (UTC) VERSION ID OSNAME REFSPEC
* 2016-06-18 15:21:12 7.2.5 9bfe1fb650 rhel-atomic-host rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
# rpm -q docker-latest docker
docker-latest-1.10.3-44.el7.x86_64
docker-1.10.3-44.el7.x86_64
# atomic run centos/tools
root@host-172-16-171-63 /]# yum -y install trousers
...
Running transaction
error: %pre(trousers-0.3.13-1.el7.x86_64) scriptlet failed, exit status 127
Error in PREIN scriptlet in rpm package trousers-0.3.13-1.el7.x86_64
Verifying : trousers-0.3.13-1.el7.x86_64 1/1
Failed:
trousers.x86_64 0:0.3.13-1.el7
On the host I see:
Jul 07 15:15:16 host-172-16-171-63 kernel: type=1400 audit(1467904516.377:28034): avc: denied { transition } for pid=31609 comm="yum" path="/usr/bin/bash" dev="dm-4" ino=201328663 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process