Bug 1403254

Summary: Running systemd in container produces AVC denial about writing to max_dgram_qlen
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora <jpazdziora>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 7.3
CC: adimania, admiller, amurdaca, dominick.grift, dwalsh, extras-qa, ichavero, jcajka, jchaloup, jpazdziora, lsm5, lvrabec, marianne, mgrepl, miminar, mjahoda, mmalik, nalin, plautrba, pvrabec, riek, ssekidde, vbatts
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-117.el7
Doc Type: Bug Fix
Doc Text:
Due to missing policy rules, SELinux denied running systemd in a container. The rules to allow containers to write to "unix_sysctls" and to use file descriptors leaked to them from parent processes were added, and the SELinux denials no longer occur.
Story Points: ---
Clone Of: 1373746
Environment:
Last Closed: 2017-08-01 15:17:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1373746
Bug Blocks: 1408126

Comment 1 Jan Pazdziora 2016-12-09 14:13:19 UTC
It looks like the bug is now in RHEL 7.3(.1) as well. Running

# docker run --rm -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp fedora:24 /usr/sbin/init

produces AVC denials

type=AVC msg=audit(1481292675.651:396): avc:  denied  { write } for  pid=8350 comm="systemd" name="core_pattern" dev="proc" ino=146479 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file
type=AVC msg=audit(1481292675.654:397): avc:  denied  { write } for  pid=8350 comm="systemd" name="max_dgram_qlen" dev="proc" ino=145343 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file

This is with

docker-1.10.3-59.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
container-selinux-1.10.3-59.el7.x86_64

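The two AVC records above carry everything needed to triage the denial: the source domain (svirt_lxc_net_t, the container), the target type (usermodehelper_t and sysctl_net_unix_t, both /proc sysctl files), the object class and the denied permission. The following is an added example, not code from the bug report or from selinux-policy: a small parser that turns such audit lines into structured records and renders the allow rule that would cover each one, in the style of what audit2allow produces (this is a simplified reimplementation, not a call into audit2allow). The sample input is the two lines copied from Comment 1.

```python
import re

# AVC denial lines copied verbatim from Comment 1 of this bug.
AVC_LINES = [
    'type=AVC msg=audit(1481292675.651:396): avc:  denied  { write } for  pid=8350 comm="systemd" name="core_pattern" dev="proc" ino=146479 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file',
    'type=AVC msg=audit(1481292675.654:397): avc:  denied  { write } for  pid=8350 comm="systemd" name="max_dgram_qlen" dev="proc" ino=145343 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file',
]

# "avc:  denied  { write } for  key=value ..." -- result, permission set, then key/value pairs.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {'result': m.group('result'), 'perms': m.group('perms').split(), **fields}
    # An SELinux context is user:role:type[:range]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """Render the type-enforcement rule that would permit this single denial."""
    return 'allow %s %s:%s { %s };' % (
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def summarize(lines):
    """Merge denials by (source type, target type, class), collecting permissions."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    return {k: sorted(v) for k, v in merged.items()}


if __name__ == '__main__':
    for line in AVC_LINES:
        rec = parse_avc(line)
        print('%s pid=%s wrote %s -> %s' % (rec['comm'], rec['pid'], rec['name'], allow_rule(rec)))
    print(summarize(AVC_LINES))
```

Rendering the rule makes the policy gap concrete: the second denial maps to write access from svirt_lxc_net_t to sysctl_net_unix_t, which is exactly the "write to unix_sysctls" rule the Doc Text says was added. Whether a denial should become an allow rule, a dontaudit (as Comment 4 says was done for usermodehelper_t), or stay denied is a policy decision; the parser only makes the decision visible.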
Comment 4 Daniel Walsh 2016-12-09 15:05:07 UTC
Looks like I added a commit to virt.te to take care of this back in August.

commit 1014781f4b6f08bef0a1ffda852d3bcd97ea506b
Author: Dan Walsh <dwalsh>
Date:   Mon Aug 22 10:06:39 2016 -0400

    Fixes for containers
    
    Allow containers to attempt to write to unix_sysctls.
    Allow containers to use the FD's leaked to them from parent
    processes.


Are you sure you have the latest policy installed?

The dontaudit of usermodehelper happened back in March.

8c42cec0f7 virt.te                         (Dan Walsh          2016-03-07 10:50:07 -0500 1360) kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)

Lukas, what version of virt.te do we have for rhel7.3?

Comment 13 errata-xmlrpc 2017-08-01 15:17:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861