Bug 1461488
| Summary: | AVC denial on runc with user namespace | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Qian Cai <qcai> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.4-Alt | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, qcai, ssekidde |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | ppc64le | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 15:28:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This is an SELinux policy issue. Unconfined_t should have access to all user namespace capabilities. Lukas this one is critical to fix. FYI, more stuff has been denied right now.

```
# audit2allow -a
#============= unconfined_t ==============
allow unconfined_t self:cap_userns { dac_override dac_read_search setgid setpcap setuid sys_admin sys_ptrace sys_resource };
```
Could you attach the list of all AVCs in raw form, which are triggered by your scenario?

```
# ausearch -m avc -m user_avc -i -ts today
```

```
# ausearch -m avc -m user_avc -i -ts today
----
type=USER_AVC msg=audit(06/14/2017 12:50:51.730:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/14/2017 12:50:51.730:99) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(06/14/2017 16:09:58.996:155) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:09:58.996:155) : arch=ppc64le syscall=unshare success=no exit=EPERM(Operation not permitted) a0=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET a1=0x10377a10 a2=0x0 a3=0x0 items=0 ppid=4781 pid=4790 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc:[1:CHILD] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:09:58.996:155) : avc: denied { sys_admin } for pid=4790 comm=runc:[1:CHILD] capability=sys_admin scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
----
type=USER_AVC msg=audit(06/14/2017 16:13:22.751:180) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(06/14/2017 16:13:24.871:181) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:24.871:181) : arch=ppc64le syscall=unshare success=yes exit=0 a0=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET a1=0x10377a10 a2=0x0 a3=0x0 items=0 ppid=5754 pid=5763 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc:[1:CHILD] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:24.871:181) : avc: denied { sys_admin } for pid=5763 comm=runc:[1:CHILD] capability=sys_admin scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:182) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:182) : arch=ppc64le syscall=setuid success=yes exit=0 a0=root a1=0x0 a2=0x1b0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=root euid=test suid=test fsuid=test egid=root sgid=root fsgid=root tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:25.901:182) : avc: denied { setuid } for pid=5764 comm=runc:[2:INIT] capability=setuid scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:183) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:183) : arch=ppc64le syscall=setgid success=yes exit=0 a0=root a1=0x0 a2=0x0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:25.901:183) : avc: denied { setgid } for pid=5764 comm=runc:[2:INIT] capability=setgid scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:184) : proctitle=runc run -b /etc root
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:184) : arch=ppc64le syscall=readlinkat success=yes exit=12 a0=0xffffffffffffff9c a1=0xc420164080 a2=0xc42017c000 a3=0x80 items=0 ppid=4836 pid=5754 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:25.901:184) : avc: denied { sys_ptrace } for pid=5754 comm=runc capability=sys_ptrace scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.921:185) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:25.921:185) : arch=ppc64le syscall=mkdirat success=yes exit=0 a0=0xffffffffffffff9c a1=0xc420132630 a2=0755 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:25.921:185) : avc: denied { dac_override } for pid=5764 comm=runc:[2:INIT] capability=dac_override scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:186) : proctitle=runc run -b /etc root
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:186) : arch=ppc64le syscall=prlimit64 success=yes exit=0 a0=0x1684 a1=0x7 a2=0xc4200ce380 a3=0xc4200ce380 items=0 ppid=4836 pid=5754 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:26.051:186) : avc: denied { sys_resource } for pid=5754 comm=runc capability=sys_resource scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:187) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:187) : arch=ppc64le syscall=openat success=yes exit=6 a0=0xffffffffffffff9c a1=0xc42012f190 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:26.051:187) : avc: denied { dac_read_search } for pid=5764 comm=runc:[2:INIT] capability=dac_read_search scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:188) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:188) : arch=ppc64le syscall=prctl success=yes exit=0 a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:26.051:188) : avc: denied { setpcap } for pid=5764 comm=runc:[2:INIT] capability=setpcap scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
```
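The raw `ausearch -i` records above are what `audit2allow` condenses into the single `cap_userns` allow rule quoted earlier in the thread. As an added example (not code from the bug report or from the selinux-policy project), the Python below does that same aggregation and additionally separates the one denial that was enforced (`permissive=0`, the `unshare` that makes runc fail) from the seven that only appeared after `setenforce 0`; the sample records are constructed to mirror the report's format, and the only values taken from the report are the context string and the permission names.

```python
# Aggregate AVC denials from `ausearch -i` output into audit2allow-style allow rules
# and separate denials that were enforced (permissive=0) from those merely logged.
import re
from collections import defaultdict

AVC_RE = re.compile(r"^type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?scontext=(?P<s>\S+)"
                    r" +tcontext=(?P<t>\S+) +tclass=(?P<cls>\S+)(?: +permissive=(?P<perm>[01]))?")
CTX = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"   # context from the report

def _avc(perm, pid, comm, permissive):
    """Constructed record in the shape `ausearch -i` prints for a cap_userns denial."""
    return (f"type=AVC msg=audit(06/14/2017 16:13:25.901:181) : avc: denied {{ {perm} }} "
            f"for pid={pid} comm={comm} capability={perm} scontext={CTX} tcontext={CTX} "
            f"tclass=cap_userns permissive={permissive}")

# Constructed sample: the enforced unshare denial that breaks runc, the seven denials
# seen only after setenforce 0, and one non-AVC record that must be ignored.
SAMPLE = ["type=USER_AVC msg=audit(06/14/2017 12:50:51.730:98) : pid=1 uid=root "
          "subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2)'",
          _avc("sys_admin", 4790, "runc:[1:CHILD]", 0), _avc("setuid", 5764, "runc:[2:INIT]", 1),
          _avc("setgid", 5764, "runc:[2:INIT]", 1), _avc("sys_ptrace", 5754, "runc", 1),
          _avc("dac_override", 5764, "runc:[2:INIT]", 1), _avc("sys_resource", 5754, "runc", 1),
          _avc("dac_read_search", 5764, "runc:[2:INIT]", 1), _avc("setpcap", 5764, "runc:[2:INIT]", 1)]

def denials(lines):
    """Yield parsed AVC denial records; every other audit record type is skipped."""
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            yield {"perms": d["perms"].split(), "scontext": d["s"], "tcontext": d["t"],
                   "tclass": d["cls"], "permissive": d["perm"] == "1"}

def aggregate(lines):
    """Group denied permissions by (source type, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for rec in denials(lines):
        src, tgt = (c.split(":")[2] for c in (rec["scontext"], rec["tcontext"]))  # type field
        rules[(src, "self" if src == tgt else tgt, rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def format_rules(rules):
    """Render the aggregated map as one allow rule per (source, target, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

def enforced(lines):
    """Permissions whose denial blocked the syscall (permissive=0): the ones that bit."""
    return [p for rec in denials(lines) if not rec["permissive"] for p in rec["perms"]]
```

Running `format_rules(aggregate(SAMPLE))` on the sample reproduces the rule from the earlier `audit2allow -a` output, while `enforced(SAMPLE)` shows that only `sys_admin` was denied in enforcing mode; a record with no `permissive=` field is treated as enforced.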
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861
Description of problem:
Trying to run runc with user namespace failed.

```
# runc run root
nsenter: failed to unshare namespaces: Operation not permitted
container_linux.go:262: starting container process caused "process_linux.go:247: running exec setns process for init caused \"exit status 34\""
# ausearch -m AVC
----
time->Wed Jun 14 10:33:20 2017
type=PROCTITLE msg=audit(1497450800.110:461): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1497450800.110:461): arch=c0000015 syscall=282 success=no exit=-1 a0=7c020000 a1=10377a10 a2=0 a3=0 items=0 ppid=24779 pid=24788 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=19 comm="runc:[1:CHILD]" exe="/usr/bin/runc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1497450800.110:461): avc: denied { sys_admin } for pid=24788 comm="runc:[1:CHILD]" capability=21 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
# audit2allow -a
#============= unconfined_t ==============
allow unconfined_t self:cap_userns sys_admin;
```

I suppose that the SELinux policy needs to deal with those new caps from the 4.10 kernel, cap_userns and cap2_userns.

Version-Release number of selected component (if applicable):
Pegas-7.4-20170425.0
kernel-4.10.0-11.el7.ppc64le
libselinux-utils-2.5-11.el7.ppc64le
libselinux-python-2.5-11.el7.ppc64le
libselinux-2.5-11.el7.ppc64le
selinux-policy-3.13.1-144.el7.noarch
selinux-policy-targeted-3.13.1-144.el7.noarch
container-selinux-2.12-2.gite7096ce.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Set up runc with user namespace like: https://fedorapeople.org/cgit/caiqian/public_git/runctst.git/tree/runctst.py#n707

Actual results:
Have AVC denial.

Expected results:
No AVC denial.

Additional info:
This works fine in RHEL 7.4.