Bug 1399924

Summary: Container get panic error when run with selinux label=role:object_r
Product: OpenShift Container Platform Reporter: DeShuai Ma <dma>
Component: ContainersAssignee: Mrunal Patel <mpatel>
Status: CLOSED WONTFIX QA Contact: DeShuai Ma <dma>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.4.0CC: amurdaca, aos-bugs, dwalsh, jhonce, jokerman, lsm5, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-10 18:02:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description DeShuai Ma 2016-11-30 05:56:44 UTC 
Description of problem:
Start container with label=role:object_r on rhel7.2, container failed with panic error.

Version-Release number of selected component (if applicable):
os version: rhel7.2
[root@ip-172-18-6-200 ~]# rpm -qa|grep docker
docker-common-1.12.3-8.el7.x86_64
docker-1.12.3-8.el7.x86_64
docker-rhel-push-plugin-1.12.3-8.el7.x86_64
[root@ip-172-18-6-200 ~]# 
[root@ip-172-18-6-200 ~]# rpm -qa|grep selinux
libselinux-utils-2.5-6.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
libselinux-devel-2.5-6.el7.x86_64
libselinux-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch
libselinux-python-2.5-6.el7.x86_64
container-selinux-1.12.3-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. [root@ip-172-18-6-200 ~]# docker run -it --security-opt label=role:object_r --entrypoint=/bin/bash docker.io/ocpqe/hello-pod:latest
panic: standard_init_linux.go:175: exec user process caused "permission denied" [recovered]
	panic: standard_init_linux.go:175: exec user process caused "permission denied"

goroutine 1 [running, locked to thread]:
panic(0x7ec7c0, 0xc820134bd0)
	/usr/lib/golang/src/runtime/panic.go:481 +0x3e6
github.com/urfave/cli.HandleAction.func1(0xc8201092e8)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x38e
panic(0x7ec7c0, 0xc820134bd0)
	/usr/lib/golang/src/runtime/panic.go:443 +0x4e9
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc820108bf8, 0xc82001a0a8, 0xc820108d08)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x136
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc820058820, 0x7f8ba15c4548, 0xc820134bd0)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x5b1
main.glob.func8(0xc820076780, 0x0, 0x0)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/main_unix.go:26 +0x68
reflect.Value.call(0x750ee0, 0x902d00, 0x13, 0x848d08, 0x4, 0xc820109268, 0x1, 0x1, 0x0, 0x0, ...)
	/usr/lib/golang/src/reflect/value.go:435 +0x120d
reflect.Value.Call(0x750ee0, 0x902d00, 0x13, 0xc820109268, 0x1, 0x1, 0x0, 0x0, 0x0)
	/usr/lib/golang/src/reflect/value.go:303 +0xb1
github.com/urfave/cli.HandleAction(0x750ee0, 0x902d00, 0xc820076780, 0x0, 0x0)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x2ee
github.com/urfave/cli.Command.Run(0x84bbb0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e1d40, 0x51, 0x0, ...)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xfec
github.com/urfave/cli.(*App).Run(0xc820001680, 0xc82000a100, 0x2, 0x2, 0x0, 0x0)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0xaa4
main.main()
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/main.go:137 +0xe24

Actual results:

Expected results:

Additional info:
Comment 2 Daniel Walsh 2016-12-02 12:59:16 UTC 
object_r is not a valid role, but we should ont panic.
Comment 3 Daniel Walsh 2016-12-02 13:02:03 UTC 
object_r is only used as a place holder for file contexts.

seinfo -r

Roles: 14
   auditadm_r
   dbadm_r
   guest_r
   staff_r
   user_r
   logadm_r
   object_r
   secadm_r
   sysadm_r
   system_r
   webadm_r
   xguest_r
   nx_server_r
   unconfined_r

All other roles can be used for processes. But the combination of a SELinux user, role, type, level all have to be valid.

Most of the time system services run with the system_r roles.

Most other roles are used for user roles.  Basically a logged in user role.
Comment 5 Daniel Walsh 2016-12-02 22:05:32 UTC 
You caused me to write a blog.

http://danwalsh.livejournal.com/75683.html
Comment 6 Daniel Walsh 2016-12-02 22:06:09 UTC 
This looks like runc gets an error and crashes.
Comment 7 Mrunal Patel 2016-12-02 22:14:47 UTC 
What validation should we do? object_r is also included in the output of seinfo -r.
Comment 8 DeShuai Ma 2016-12-03 08:31:55 UTC 
(In reply to Daniel Walsh from comment #5)
> You caused me to write a blog.
> 
> http://danwalsh.livejournal.com/75683.html

Thanks for your blog.
Comment 9 Daniel Walsh 2016-12-05 15:20:09 UTC 
Mrunal I don't think we should do any Valdation, the call got a permission denied, but runc needs to handle this cleanly not crash.

You can probably get the same thing by passing in invalid types, levels, and SELinux Users.
Comment 10 Jhon Honce 2016-12-05 20:37:06 UTC 
Since the panic is coming from golang, is this worth using recover() to catch the panic?
Comment 11 Jhon Honce 2017-02-10 18:02:48 UTC 
panic is generated from golang standard library.