Bug 1461488

Summary: AVC denial on runc with user namespace
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.4-Alt
Hardware: ppc64le
OS: Linux
Severity: high
Priority: high
Status: CLOSED ERRATA
Type: Bug
Keywords: Extras
Target Milestone: rc
Reporter: Qian Cai <qcai>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, qcai, ssekidde
Last Closed: 2017-08-01 15:28:52 UTC

Description Qian Cai 2017-06-14 14:58:48 UTC
Description of problem:
Trying to run runc with a user namespace failed.

# runc run root
nsenter: failed to unshare namespaces: Operation not permitted
container_linux.go:262: starting container process caused "process_linux.go:247: running exec setns process for init caused \"exit status 34\""

# ausearch -m AVC
----
time->Wed Jun 14 10:33:20 2017
type=PROCTITLE msg=audit(1497450800.110:461): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1497450800.110:461): arch=c0000015 syscall=282 success=no exit=-1 a0=7c020000 a1=10377a10 a2=0 a3=0 items=0 ppid=24779 pid=24788 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=19 comm="runc:[1:CHILD]" exe="/usr/bin/runc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1497450800.110:461): avc:  denied  { sys_admin } for  pid=24788 comm="runc:[1:CHILD]" capability=21  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

# audit2allow -a


#============= unconfined_t ==============
allow unconfined_t self:cap_userns sys_admin;

I suppose that the SELinux policy needs to deal with those new caps from the 4.10 kernel, cap_userns and cap2_userns.

Version-Release number of selected component (if applicable):
Pegas-7.4-20170425.0
kernel-4.10.0-11.el7.ppc64le
libselinux-utils-2.5-11.el7.ppc64le
libselinux-python-2.5-11.el7.ppc64le
libselinux-2.5-11.el7.ppc64le
selinux-policy-3.13.1-144.el7.noarch
selinux-policy-targeted-3.13.1-144.el7.noarch
container-selinux-2.12-2.gite7096ce.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Set up runc with user namespace like,
https://fedorapeople.org/cgit/caiqian/public_git/runctst.git/tree/runctst.py#n707

Actual results:
Have AVC denial.

Expected results:
No AVC denial.

Additional info:
This works fine in RHEL 7.4.

Comment 1 Daniel Walsh 2017-06-14 15:04:04 UTC
This is an SELinux policy issue.  unconfined_t should have access to all user namespace capabilities.

Comment 2 Daniel Walsh 2017-06-14 15:04:40 UTC
Lukas this one is critical to fix.

Comment 3 Qian Cai 2017-06-14 15:06:06 UTC
FYI, more stuff has been denied right now.

# audit2allow -a


#============= unconfined_t ==============
allow unconfined_t self:cap_userns { dac_override dac_read_search setgid setpcap setuid sys_admin sys_ptrace sys_resource };

Comment 5 Milos Malik 2017-06-14 16:50:44 UTC
Could you attach the list of all AVCs in raw form, which are triggered by your scenario?

# ausearch -m avc -m user_avc -i -ts today

Comment 6 Qian Cai 2017-06-14 20:11:44 UTC
# ausearch -m avc -m user_avc -i -ts today
----
type=USER_AVC msg=audit(06/14/2017 12:50:51.730:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/14/2017 12:50:51.730:99) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(06/14/2017 16:09:58.996:155) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:09:58.996:155) : arch=ppc64le syscall=unshare success=no exit=EPERM(Operation not permitted) a0=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET a1=0x10377a10 a2=0x0 a3=0x0 items=0 ppid=4781 pid=4790 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc:[1:CHILD] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:09:58.996:155) : avc:  denied  { sys_admin } for  pid=4790 comm=runc:[1:CHILD] capability=sys_admin  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

Comment 7 Qian Cai 2017-06-14 20:14:47 UTC
----
type=USER_AVC msg=audit(06/14/2017 16:13:22.751:180) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:24.871:181) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:24.871:181) : arch=ppc64le syscall=unshare success=yes exit=0 a0=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET a1=0x10377a10 a2=0x0 a3=0x0 items=0 ppid=5754 pid=5763 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc:[1:CHILD] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:24.871:181) : avc:  denied  { sys_admin } for  pid=5763 comm=runc:[1:CHILD] capability=sys_admin  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:182) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:182) : arch=ppc64le syscall=setuid success=yes exit=0 a0=root a1=0x0 a2=0x1b0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=root euid=test suid=test fsuid=test egid=root sgid=root fsgid=root tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:25.901:182) : avc:  denied  { setuid } for  pid=5764 comm=runc:[2:INIT] capability=setuid  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:183) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:183) : arch=ppc64le syscall=setgid success=yes exit=0 a0=root a1=0x0 a2=0x0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:25.901:183) : avc:  denied  { setgid } for  pid=5764 comm=runc:[2:INIT] capability=setgid  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:184) : proctitle=runc run -b /etc root 
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:184) : arch=ppc64le syscall=readlinkat success=yes exit=12 a0=0xffffffffffffff9c a1=0xc420164080 a2=0xc42017c000 a3=0x80 items=0 ppid=4836 pid=5754 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:25.901:184) : avc:  denied  { sys_ptrace } for  pid=5754 comm=runc capability=sys_ptrace  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.921:185) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:25.921:185) : arch=ppc64le syscall=mkdirat success=yes exit=0 a0=0xffffffffffffff9c a1=0xc420132630 a2=0755 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:25.921:185) : avc:  denied  { dac_override } for  pid=5764 comm=runc:[2:INIT] capability=dac_override  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:186) : proctitle=runc run -b /etc root 
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:186) : arch=ppc64le syscall=prlimit64 success=yes exit=0 a0=0x1684 a1=0x7 a2=0xc4200ce380 a3=0xc4200ce380 items=0 ppid=4836 pid=5754 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:26.051:186) : avc:  denied  { sys_resource } for  pid=5754 comm=runc capability=sys_resource  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:187) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:187) : arch=ppc64le syscall=openat success=yes exit=6 a0=0xffffffffffffff9c a1=0xc42012f190 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:26.051:187) : avc:  denied  { dac_read_search } for  pid=5764 comm=runc:[2:INIT] capability=dac_read_search  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:188) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:188) : arch=ppc64le syscall=prctl success=yes exit=0 a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:26.051:188) : avc:  denied  { setpcap } for  pid=5764 comm=runc:[2:INIT] capability=setpcap  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
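
The raw records in the description and the `ausearch -i` records in comment 7 carry everything needed to reconstruct the `audit2allow` output shown in comment 3. The script below is an added example written for this page; it is not code from the bug report, from runc, or from selinux-policy. It parses both record forms, decodes the raw record's fields (the hex proctitle, the numeric `capability=21`, and the unshare flag word in `a0=7c020000`), and groups the denied permissions into allow rules the same way audit2allow does. The sample records are copied from this bug; the capability-number and CLONE_* tables are the Linux uapi values; function names are my own.

```python
"""Turn SELinux AVC denials into allow rules, as audit2allow does.

Added example for bug 1461488, not code from runc or selinux-policy. Handles
the raw record form (capability=21, hex proctitle, hex a0) and the
`ausearch -i` interpreted form (capability=sys_admin).
"""
import re
from collections import defaultdict

# Capability numbers from include/uapi/linux/capability.h. SELinux checks
# 0-31 against the capability/cap_userns classes and 32 and up against
# capability2/cap2_userns, which is why the bug mentions both classes.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read"
).split()

# Namespace flags from include/uapi/linux/sched.h (same values on ppc64le).
CLONE_NS_FLAGS = {
    "CLONE_NEWNS": 0x00020000,
    "CLONE_NEWUTS": 0x04000000,
    "CLONE_NEWIPC": 0x08000000,
    "CLONE_NEWUSER": 0x10000000,
    "CLONE_NEWPID": 0x20000000,
    "CLONE_NEWNET": 0x40000000,
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def capability_name(field):
    """Map a capability= field to its name; raw records carry the number."""
    return CAP_NAMES[int(field)] if field.isdigit() else field


def decode_proctitle(hexstr):
    """Raw proctitle is hex-encoded argv with NUL separators."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")


def decode_clone_flags(hexword):
    """Name the namespace bits set in an unshare()/clone() flag word."""
    value = int(hexword, 16)
    return [name for name, bit in CLONE_NS_FLAGS.items() if value & bit]


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    cap = re.search(r"capability=(\S+)", line)
    return {
        "perms": set(m.group("perms").split()),
        # the type is the third field of user:role:type:level
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "capability": capability_name(cap.group(1)) if cap else None,
        "enforced": m.group("permissive") == "0",
    }


def generate_rules(lines):
    """Aggregate denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ %s }" % " ".join(names)
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, body))
    return rules


# Constructed sample input: the raw AVC record from the description, and the
# eight interpreted AVC records from comment 7 (AVC lines only).
_CTX = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
SAMPLE_RAW = (
    "type=AVC msg=audit(1497450800.110:461): avc:  denied  { sys_admin } for  "
    'pid=24788 comm="runc:[1:CHILD]" capability=21  scontext=%s tcontext=%s '
    "tclass=cap_userns permissive=0" % (_CTX, _CTX)
)
SAMPLE_COMMENT7 = [
    "type=AVC msg=audit(06/14/2017 16:13:25.901:%d) : avc:  denied  { %s } for  "
    "pid=%d comm=%s capability=%s  scontext=%s tcontext=%s tclass=cap_userns "
    "permissive=1" % (seq, perm, pid, comm, perm, _CTX, _CTX)
    for seq, perm, pid, comm in [
        (181, "sys_admin", 5763, "runc:[1:CHILD]"),
        (182, "setuid", 5764, "runc:[2:INIT]"),
        (183, "setgid", 5764, "runc:[2:INIT]"),
        (184, "sys_ptrace", 5754, "runc"),
        (185, "dac_override", 5764, "runc:[2:INIT]"),
        (186, "sys_resource", 5754, "runc"),
        (187, "dac_read_search", 5764, "runc:[2:INIT]"),
        (188, "setpcap", 5764, "runc:[2:INIT]"),
    ]
]

if __name__ == "__main__":
    print("proctitle:", decode_proctitle("2F70726F632F73656C662F65786500696E6974"))
    print("unshare flags:", "|".join(decode_clone_flags("7c020000")))
    print("capability 21:", capability_name("21"))
    for rule in generate_rules([SAMPLE_RAW] + SAMPLE_COMMENT7):
        print(rule)
```

Run it as a filter over `ausearch -m avc --raw` output to see which classes a new kernel has started checking before the policy knows about them. The generated rule is the same one `audit2allow -a -M <name>` followed by `semodule -i <name>.pp` would install as a local module; for unconfined_t that is harmless, since the domain is unconfined by design, but the same rule generated for a confined container domain would grant those capabilities inside every user namespace the domain creates, so review each permission rather than loading the module blindly. The proper fix on this platform is the updated selinux-policy from the errata linked below.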

Comment 10 errata-xmlrpc 2017-08-01 15:28:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861