Bug 1405921

| Field | Value |
|---|---|
| Summary | SELinux is preventing lxc-attach from entrypoint access on the file /usr/bin/bash |
| Product | Fedora |
| Component | container-selinux |
| Version | 25 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Keywords | Reopened |
| Type | Bug |
| Reporter | srakitnican <samuel.rakitnican> |
| Assignee | Lokesh Mandvekar <lsm5> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | adimania, admiller, amurdaca, dominick.grift, dwalsh, fkluknav, ichavero, jcajka, jchaloup, jlebon, karlthered, lsm5, lvrabec, marianne, mgrepl, michael.goehler, miminar, nalin, plautrba, pmoore, pokorra.mailinglists, riek, sagarun, ssekidde, thomas.moschny, vbatts |
| Fixed In Version | container-selinux-2.9-1.fc25 container-selinux-2.10-1.fc25 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2017-03-13 23:55:07 UTC |
Description (srakitnican, 2016-12-19 07:50:23 UTC)
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-225.3.fc25.noarch

If you change the label of lxc-attach to container_runtime_exec_t, does it fix the issue?

```
chcon -t container_runtime_exec_t /usr/bin/lxc-attach
```

I am unable to change it, not sure why.

```
$ ls -lZ /usr/bin/lxc-attach
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20320 Dec  5 12:30 /usr/bin/lxc-attach
$ sudo chcon -t container_runtime_exec_t /usr/bin/lxc-attach
chcon: failed to change context of '/usr/bin/lxc-attach' to 'system_u:object_r:container_runtime_exec_t:s0': Invalid argument
```

Because it doesn't seem to exist:

```
$ sudo semanage fcontext -l | grep container_runtime_exec_t
```

```
$ dnf -y install container-selinux
```

Then try it.

Ok, I've installed container-selinux and changed the label for lxc-attach; the same thing is happening, SELinux alert and error message.

What AVC are you getting now?

```
$ ls -lZ /usr/bin/lxc-attach
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 20320 Dec  5 12:30 /usr/bin/lxc-attach
$ sudo lxc-attach --name=fedora-dev
lxc-attach: attach.c: lxc_attach_run_shell: 1325 Permission denied - failed to exec shell
```

SELinux is preventing lxc-attach from entrypoint access on the file /usr/bin/bash.

```
***** Plugin restorecon (94.8 confidence) suggests ************************

If you want to fix the label.
/usr/bin/bash default label should be shell_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/bin/bash

***** Plugin catchall_labels (5.21 confidence) suggests *******************

If you want to allow lxc-attach to have entrypoint access on the bash file
Then you need to change the label on /usr/bin/bash
Do
# semanage fcontext -a -t FILE_TYPE '/usr/bin/bash'
where FILE_TYPE is one of the following: bin_t, shell_exec_t, usr_t.
Then execute:
restorecon -v '/usr/bin/bash'

***** Plugin catchall (1.44 confidence) suggests **************************

If you believe that lxc-attach should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lxc-attach' --raw | audit2allow -M my-lxcattach
# semodule -X 300 -i my-lxcattach.pp

Additional Information:
Source Context                system_u:system_r:unconfined_service_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        lxc-attach
Source Path                   lxc-attach
Port                          <Unknown>
Host                          rawhide
Source RPM Packages
Target RPM Packages           bash-4.3.43-4.fc25.x86_64
Policy RPM                    selinux-policy-3.13.1-225.3.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rawhide
Platform                      Linux rawhide 4.8.14-300.fc25.x86_64 #1 SMP Mon Dec 12 16:31:04 UTC 2016 x86_64 x86_64
Alert Count                   14
First Seen                    2016-12-19 08:37:49 CET
Last Seen                     2016-12-20 16:14:54 CET
Local ID                      8ef4ba24-bb86-4bb6-b006-7fc1748bf679

Raw Audit Messages
type=AVC msg=audit(1482246894.908:780): avc: denied { entrypoint } for pid=28947 comm="lxc-attach" path="/usr/bin/bash" dev="sdc4" ino=1329114 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

Hash: lxc-attach,unconfined_service_t,var_lib_t,file,entrypoint
```

```
chcon -Rt container_var_lib_t /var/lib/lxc
```

Should fix this issue.
Umm, I am seeing the same issue:

```
type=AVC msg=audit(1482250671.868:894): avc: denied { entrypoint } for pid=31225 comm="lxc-attach" path="/usr/bin/bash" dev="sdc4" ino=1329114 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1482250671.868:895): avc: denied { entrypoint } for pid=31225 comm="lxc-attach" path="/usr/bin/bash" dev="sdc4" ino=1329114 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
```

Looks like lxc-attach is not labeled as container_runtime_exec_t?

Yes, I did restorecon on it, but it was the same with it.

```
$ ls -lZ /usr/bin/lxc-attach
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 20320 Dec  5 12:30 /usr/bin/lxc-attach
$ ls -ldZ /var/lib/lxc
drwxr-xr-x. 3 root root system_u:object_r:container_var_lib_t:s0 4096 Dec  5 12:30 /var/lib/lxc
```

```
type=AVC msg=audit(1482254207.040:942): avc: denied { entrypoint } for pid=32709 comm="lxc-attach" path="/usr/bin/bash" dev="sdc4" ino=1329114 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1482254207.040:943): avc: denied { entrypoint } for pid=32709 comm="lxc-attach" path="/usr/bin/bash" dev="sdc4" ino=1329114 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
```

What does the unit file look like? Is there something about an unconfined_service_t in the unit file? How did the original container get started? This looks like we would label the original container lxc-start as container_runtime_exec_t also.

I am adding labels for all /usr/bin/lxc-* code to container_runtime_exec_t, which should cause all of the container processes to be container_runtime_t. No unconfined_service_t. You would need to stop and start the container again.
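The denials above all reduce to one key, which is what setroubleshoot prints as "Hash:". The script below is an added example, not code from the bug report or from container-selinux: it parses raw AVC records (the shape `ausearch -m avc --raw` or /var/log/audit/audit.log produces), builds that key per record so repeated denials collapse to one line, and attaches the diagnosis this thread arrived at for an entrypoint denial whose source is unconfined_service_t. The sample record is constructed from the one in the report; the hint text and the `avc_*` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): triage raw AVC records such as the
# ones pasted above. Builds the "comm,source type,target type,class,perm" key
# setroubleshoot prints as "Hash:" so identical denials can be de-duplicated.

# Value of key=... in a record; handles comm="quoted" and scontext=bare values.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# First permission inside "denied { ... }".
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\).*/\1/p'
}

# Type component of a user:role:type:level context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# setroubleshoot-style key for one record.
avc_key() {
  printf '%s,%s,%s,%s,%s\n' \
    "$(avc_field "$1" comm)" \
    "$(ctx_type "$(avc_field "$1" scontext)")" \
    "$(ctx_type "$(avc_field "$1" tcontext)")" \
    "$(avc_field "$1" tclass)" \
    "$(avc_perm "$1")"
}

# Heuristic taken from this thread (an assumption, not policy analysis): an
# entrypoint denial with source unconfined_service_t means systemd started the
# service from a bin_t/shell_exec_t executable, so relabeling the lxc binaries
# alone does nothing until what the unit execs is container_runtime_exec_t.
avc_hint() {
  case "$(avc_key "$1")" in
    *,unconfined_service_t,*,file,entrypoint)
      echo "service runs as unconfined_service_t: relabel what the unit execs (helper scripts included) as container_runtime_exec_t, then restart the unit" ;;
    *) echo "no hint for this denial" ;;
  esac
}

# Read records on stdin (one per line); print unique keys with counts.
# Usage: ausearch -m avc --raw | avc_summary
avc_summary() {
  while IFS= read -r rec; do
    case "$rec" in *"avc:  denied"*|*"avc: denied"*) avc_key "$rec" ;; esac
  done | sort | uniq -c | while read -r n key; do
    printf '%6d %s\n' "$n" "$key"
  done
}

# Constructed sample in the shape of the records in this report.
SAMPLE_AVC='type=AVC msg=audit(1488360904.991:258): avc:  denied  { entrypoint } for  pid=3407 comm="lxc-attach" path="/usr/bin/bash" dev="sda2" ino=941481 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_AVC" | avc_summary
avc_hint "$SAMPLE_AVC"
```

The key deliberately drops pid, inode and timestamp, so a burst of denials from one misconfiguration (the report shows 14) shows up as a single line with a count; anything that does not match the thread's pattern is left without a hint rather than guessed at.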
Sorry, I don't understand, which unit file are you referring to? If you mean the systemd unit file, it is the standard unmodified file from the Fedora repository.

I have found that "[lxc monitor]" runs under unconfined_service_t:

```
$ ps -Z 2038
LABEL                                     PID TTY STAT TIME COMMAND
system_u:system_r:unconfined_service_t:s0 2038 ?   Ss   0:00 [lxc monitor] /var/lib/lxc fedora-dev
$ for proc in $(sudo find /proc/ -context '*unconfined_service_t*' | cut -f1-3 -d / | sort -u); do cat $proc/cmdline; echo; done
find: getfilecon failed: '/proc/3606/task/3669/fdinfo/134': No such file or directory
[lxc monitor] /var/lib/lxc fedora-dev
/sbin/init
/usr/lib/systemd/systemd-journald
/usr/lib/systemd/systemd-logind
/usr/bin/dbus-daemon--system--address=systemd:--nofork--nopidfile--systemd-activation--syslog-only
/usr/sbin/rsyslogd-n
/sbin/agetty--nocleartty3linux
/sbin/agetty--noclear--keep-baudconsole115200,38400,9600vt220
/sbin/agetty--nocleartty4linux
/sbin/agetty--noclear--keep-baudpts/1115200,38400,9600vt220
/sbin/agetty--noclear--keep-baudpts/0115200,38400,9600vt220
/sbin/agetty--nocleartty2linux
/sbin/agetty--noclear--keep-baudpts/3115200,38400,9600vt220
/sbin/agetty--noclear--keep-baudpts/2115200,38400,9600vt220
/sbin/agetty--nocleartty1linux
/usr/sbin/sshd
/sbin/dhclient-Hfedora-dev-1-q-lf/var/lib/dhclient/dhclient--eth0.lease-pf/var/run/dhclient-eth0.pideth0
```

Yes, I am running it this entire time as a service from lxc.service.

Ok, the following worked:

```
$ sudo chcon -t container_runtime_exec_t /usr/bin/lxc-*
```

This should be fixed in the docker package.

(In reply to Lukas Vrabec from comment #17)
> This should be fixed in the docker package.

I don't have a "docker" package installed, shouldn't lxc work without docker?

You need to install container-selinux, which is being separated out into a separate package. lxc should probably require this package going forward.

I have the same issue on CentOS 7.
I've tried the following:

- installed container-selinux
- set container_runtime_exec_t on /usr/bin/lxc-*
- set container_var_lib_t on /var/lib/lxc (recursive)

But I still get unconfined_service_t for containers started by lxc.service:

```
# ps -efZ | grep lxc
system_u:system_r:unconfined_service_t:s0 root 2982 1 0 13:08 ? 00:00:00 /usr/bin/lxc-autostart -g onboot,
# for proc in $(sudo find /proc/ -context '*unconfined_service_t*' | cut -f1-3 -d / | sort -u); do tr '\0' ' ' <$proc/cmdline; echo; done
/usr/bin/lxc-autostart -g onboot,
/sbin/init
/usr/lib/systemd/systemd-journald
/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
/usr/lib/systemd/systemd-logind
/usr/sbin/rsyslogd -n
/sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
/usr/sbin/sshd
/sbin/dhclient -H centos_lxc_01 -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid eth0
```

Does your service unit run lxc-autostart directly, or is it executing some other command? The transition right now is: systemd running as init_t executing something labeled bin_t will run it as unconfined_service_t. If it executes something labeled container_runtime_exec_t, it will run it as container_runtime_t.

The service runs /usr/libexec/lxc/lxc-autostart-helper, which is a sysvinit script labeled bin_t. Changing the label of the shell script doesn't help.

Changing it to initrc_exec_t or container_runtime_exec_t doesn't help?

My fault. The label of /usr/libexec/lxc/lxc-autostart-helper is reset to bin_t on reboot. After a reboot to enforce selinux:

```
# chcon -t container_runtime_exec_t /usr/libexec/lxc/lxc-autostart-helper
# systemctl restart lxc
# ps -eZ | grep lxc-autostart
system_u:system_r:container_runtime_t:s0 3488 ? 00:00:00 lxc-autostart
```

```
semanage fcontext -a -t container_runtime_exec_t /usr/libexec/lxc/lxc-autostart-helper
restorecon -R -v /usr/libexec/lxc/lxc-autostart-helper
```

Should tell the system to not set it back to bin_t.
I just set this up as the default labeling for content in this directory in the container-selinux repo.

container-selinux-2.9-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7

container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7

I've installed container-selinux-2.9-1.fc25 and did "touch /.autorelabel && reboot". I still have issues attaching to a running container with lxc-attach. It seems the issue now is that the process from lxc.service is labeled as unconfined_service_t.

SELinux is preventing lxc-attach from entrypoint access on the file /usr/bin/bash.

```
***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/usr/bin/bash default label should be shell_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/bin/bash

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that lxc-attach should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lxc-attach' --raw | audit2allow -M my-lxcattach
# semodule -X 300 -i my-lxcattach.pp

Additional Information:
Source Context                system_u:system_r:unconfined_service_t:s0
Target Context                unconfined_u:object_r:container_var_lib_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        lxc-attach
Source Path                   lxc-attach
Port                          <Unknown>
Host                          host
Source RPM Packages
Target RPM Packages           bash-4.3.43-4.fc25.x86_64
Policy RPM                    selinux-policy-3.13.1-225.11.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host
Platform                      Linux host 4.9.12-200.fc25.x86_64 #1 SMP Thu Feb 23 19:31:49 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-03-01 10:35:04 CET
Last Seen                     2017-03-01 10:35:04 CET
Local ID                      797269fc-0887-40a5-a5f5-92eddc72148a

Raw Audit Messages
type=AVC msg=audit(1488360904.991:258): avc: denied { entrypoint } for pid=3407 comm="lxc-attach" path="/usr/bin/bash" dev="sda2" ino=941481 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=0

Hash: lxc-attach,unconfined_service_t,container_var_lib_t,file,entrypoint
```

```
$ ps -auxZ | grep lxc
system_u:system_r:unconfined_service_t:s0 root 1968 0.0 0.0 24496 2732 ? Ss 10:32 0:00 [lxc monitor] /var/lib/lxc fedora-dev
$ ls -Z /usr/bin/lxc*
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-attach
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-autostart
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-cgroup
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-checkconfig
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-checkpoint
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-config
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-console
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-copy
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-create
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-destroy
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-device
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-execute
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-freeze
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-info
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-ls
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-monitor
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-snapshot
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-start
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-stop
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-top
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-unfreeze
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-unshare
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-usernsexec
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/lxc-wait
```

```
ls -lZ /usr/libexec/lxc/*
```

```
$ ls -lZ /usr/libexec/lxc/*
-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0   521 Jan 29 13:20 /usr/libexec/lxc/lxc-apparmor-load
-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0  2969 Jan 29 13:20 /usr/libexec/lxc/lxc-containers
-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0 19672 Jan 29 13:20 /usr/libexec/lxc/lxc-monitord
-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0  6357 Jan 29 13:20 /usr/libexec/lxc/lxc-net
-rwsr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0 40408 Jan 29 13:20 /usr/libexec/lxc/lxc-user-nic

/usr/libexec/lxc/hooks:
total 12
-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0 11240 Jan 29 13:20 unmount-namespace
```

container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

```
matchpathcon /usr/libexec/lxc/*
/usr/libexec/lxc/hooks              system_u:object_r:bin_t:s0
/usr/libexec/lxc/lxc-apparmor-load  system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/lxc/lxc-containers     system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/lxc/lxc-monitord       system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/lxc/lxc-net            system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/lxc/lxc-user-nic       system_u:object_r:container_runtime_exec_t:s0
# rpm -q container-selinux
container-selinux-2.9-1.fc26.noarch
```

It seems the F25 package is slightly different?

```
$ matchpathcon /usr/libexec/lxc/*
/usr/libexec/lxc/hooks              system_u:object_r:bin_t:s0
/usr/libexec/lxc/lxc-apparmor-load  system_u:object_r:bin_t:s0
/usr/libexec/lxc/lxc-containers     system_u:object_r:bin_t:s0
/usr/libexec/lxc/lxc-monitord       system_u:object_r:bin_t:s0
/usr/libexec/lxc/lxc-net            system_u:object_r:bin_t:s0
/usr/libexec/lxc/lxc-user-nic       system_u:object_r:bin_t:s0
```

Could you make sure it was installed successfully?

```
dnf reinstall container-selinux
```

Sure, I did that, but it seems there was no effect; matchpathcon /usr/libexec/lxc/* shows the same result as before.
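Two checks fall out of the exchange above, and the script below is an added example (not code from the bug report or from container-selinux) that implements both. The first walks the exec chain a unit runs through and applies the transition rule stated earlier in the thread: systemd as init_t running a bin_t file lands in unconfined_service_t, running a container_runtime_exec_t file lands in container_runtime_t, and a process already in unconfined_service_t stays there whatever it execs (which is why the bin_t helper script pinned lxc-autostart even though /usr/bin/lxc-* was relabeled). The second compares a path's policy default from matchpathcon, its on-disk label, and the label you expect, so that "the installed policy has no spec for this path" (the F25 matchpathcon output just above, where chcon is undone by restorecon or autorelabel) is told apart from "the spec is there but restorecon has not been run". The initrc_t and shell_exec_t rows of the rule table, the `semanage fcontext -m` fallback, and the use of `stat -c %C` are standard refpolicy/policycoreutils behaviour assumed here rather than something the report shows; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or container-selinux).

# Domain reached when a process in domain $1 executes a file of type $2.
# Rules taken from the thread: init_t + bin_t -> unconfined_service_t;
# init_t + container_runtime_exec_t -> container_runtime_t; a process in
# unconfined_service_t (or container_runtime_t) does not transition again.
# init_t + shell_exec_t and the initrc_t rows are standard Fedora/refpolicy
# behaviour and are an assumption here, not shown in the report.
next_domain() {
  case "$1:$2" in
    init_t:container_runtime_exec_t|initrc_t:container_runtime_exec_t) echo container_runtime_t ;;
    init_t:initrc_exec_t) echo initrc_t ;;
    init_t:bin_t|init_t:shell_exec_t) echo unconfined_service_t ;;
    init_t:*) echo unknown ;;
    *) echo "$1" ;;   # no further transition modelled
  esac
}

# Walk a whitespace-separated list of exec types starting from systemd (init_t)
# and print the domain after each hop.
domain_chain() {
  d=init_t
  for t in $1; do
    d=$(next_domain "$d" "$t")
    printf '%s ' "$d"
  done
  echo
}

# Domain the service finally runs in.
final_domain() { domain_chain "$1" | awk '{print $NF}'; }

# Type component of a user:role:type:level context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Classify a path's label state from
#   $1 = type the policy assigns (matchpathcon -n PATH)
#   $2 = type currently on disk  (stat -c %C PATH)
#   $3 = type you expect
# policy-missing:   the loaded policy has no spec for $3, so any chcon is lost
#                   on restorecon or relabel (the F25 situation in this report)
# needs-restorecon: the spec exists but the file has not been relabeled yet
classify_label() {
  if [ "$1" != "$3" ]; then echo policy-missing
  elif [ "$2" != "$3" ]; then echo needs-restorecon
  else echo ok; fi
}

# Live check on a real host (needs policycoreutils); not exercised offline.
check_label() {
  pol=$(ctx_type "$(matchpathcon -n "$1")")
  disk=$(ctx_type "$(stat -c %C "$1")")
  printf '%s policy=%s disk=%s -> %s\n' "$1" "$pol" "$disk" "$(classify_label "$pol" "$disk" "$2")"
}

# Persistent fix: record the spec (add, or modify if one already exists), then relabel.
persist_label() {
  semanage fcontext -a -t "$2" "$1" 2>/dev/null || semanage fcontext -m -t "$2" "$1"
  restorecon -v "$1"
}

# Stand-alone demonstration of the two chains from this report.
echo "ExecStart=helper(bin_t) -> lxc-autostart -> lxc-start: $(domain_chain 'bin_t container_runtime_exec_t container_runtime_exec_t')"
echo "ExecStart=helper(container_runtime_exec_t) -> lxc-autostart -> lxc-start: $(domain_chain 'container_runtime_exec_t container_runtime_exec_t container_runtime_exec_t')"

# Only runs where the SELinux userspace tools exist.
if command -v matchpathcon >/dev/null 2>&1; then
  for f in /usr/libexec/lxc/lxc-autostart-helper /usr/bin/lxc-start; do
    [ -e "$f" ] && check_label "$f" container_runtime_exec_t
  done
fi
```

Run `check_label PATH TYPE` before reaching for chcon: a result of policy-missing means the fix belongs in a file-context spec (or, as here, in an updated container-selinux), and `persist_label` is the shape of the interim fix Dan gives above, with the spec recorded so relabels keep it.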
I took a look at the upstream container-selinux project and could not find any security context information for /usr/libexec/lxc.* in the commit that the 2.9-1 branch for F25 is based on:
https://github.com/projectatomic/container-selinux/blob/08bb6e0a1a63b1312c88c2e201b58aeb0ffd5467/container.fc

The F26 branch, however, seems to have the correct commit:
https://github.com/projectatomic/container-selinux/blob/8f8caa66c11f8657ebf8ae50d7221ee3a97ac7d3/container.fc

Yup, sorry, it looks like I need a new version.

```
commit 46648d73b05fa0d0a5ba1b35be27a8417b6d46c5
Author: Daniel J Walsh <dwalsh>
Date:   Fri Feb 24 10:25:08 2017 -0500

    Label files under /usr/libexec/lxc as container_runtime_exec_t

commit 08bb6e0a1a63b1312c88c2e201b58aeb0ffd5467
Author: Daniel J Walsh <dwalsh>
Date:   Sun Feb 12 10:48:39 2017 -0500

    bUMP TO V2.9
```

Building container-selinux-2.10...

container-selinux-2.10-1.fc25 seems to work fine, thanks.

container-selinux-2.10-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-02001fefbc

container-selinux-2.10-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-02001fefbc

container-selinux-2.10-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.