Bug 1461488
Summary: | AVC denial on runc with user namespace | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Qian Cai <qcai>
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 7.4-Alt | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, qcai, ssekidde
Target Milestone: | rc | Keywords: | Extras
Target Release: | --- | |
Hardware: | ppc64le | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2017-08-01 15:28:52 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Qian Cai
2017-06-14 14:58:48 UTC
This is an SELinux policy issue. Unconfined_t should have access to all user namespace capabilities. Lukas, this one is critical to fix. FYI, more stuff has been denied right now.

# audit2allow -a

#============= unconfined_t ==============
allow unconfined_t self:cap_userns { dac_override dac_read_search setgid setpcap setuid sys_admin sys_ptrace sys_resource };

Could you attach the list of all AVCs in raw form, which are triggered by your scenario?

# ausearch -m avc -m user_avc -i -ts today

# ausearch -m avc -m user_avc -i -ts today
----
type=USER_AVC msg=audit(06/14/2017 12:50:51.730:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/14/2017 12:50:51.730:99) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(06/14/2017 16:09:58.996:155) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:09:58.996:155) : arch=ppc64le syscall=unshare success=no exit=EPERM(Operation not permitted) a0=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET a1=0x10377a10 a2=0x0 a3=0x0 items=0 ppid=4781 pid=4790 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc:[1:CHILD] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:09:58.996:155) : avc: denied { sys_admin } for pid=4790 comm=runc:[1:CHILD] capability=sys_admin scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
----
type=USER_AVC msg=audit(06/14/2017 16:13:22.751:180) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(06/14/2017 16:13:24.871:181) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:24.871:181) : arch=ppc64le syscall=unshare success=yes exit=0 a0=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET a1=0x10377a10 a2=0x0 a3=0x0 items=0 ppid=5754 pid=5763 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc:[1:CHILD] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:24.871:181) : avc: denied { sys_admin } for pid=5763 comm=runc:[1:CHILD] capability=sys_admin scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:182) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:182) : arch=ppc64le syscall=setuid success=yes exit=0 a0=root a1=0x0 a2=0x1b0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=root euid=test suid=test fsuid=test egid=root sgid=root fsgid=root tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:25.901:182) : avc: denied { setuid } for pid=5764 comm=runc:[2:INIT] capability=setuid scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:183) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:183) : arch=ppc64le syscall=setgid success=yes exit=0 a0=root a1=0x0 a2=0x0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:25.901:183) : avc: denied { setgid } for pid=5764 comm=runc:[2:INIT] capability=setgid scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:184) : proctitle=runc run -b /etc root
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:184) : arch=ppc64le syscall=readlinkat success=yes exit=12 a0=0xffffffffffffff9c a1=0xc420164080 a2=0xc42017c000 a3=0x80 items=0 ppid=4836 pid=5754 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:25.901:184) : avc: denied { sys_ptrace } for pid=5754 comm=runc capability=sys_ptrace scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.921:185) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:25.921:185) : arch=ppc64le syscall=mkdirat success=yes exit=0 a0=0xffffffffffffff9c a1=0xc420132630 a2=0755 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:25.921:185) : avc: denied { dac_override } for pid=5764 comm=runc:[2:INIT] capability=dac_override scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:186) : proctitle=runc run -b /etc root
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:186) : arch=ppc64le syscall=prlimit64 success=yes exit=0 a0=0x1684 a1=0x7 a2=0xc4200ce380 a3=0xc4200ce380 items=0 ppid=4836 pid=5754 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:26.051:186) : avc: denied { sys_resource } for pid=5754 comm=runc capability=sys_resource scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:187) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:187) : arch=ppc64le syscall=openat success=yes exit=6 a0=0xffffffffffffff9c a1=0xc42012f190 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:26.051:187) : avc: denied { dac_read_search } for pid=5764 comm=runc:[2:INIT] capability=dac_read_search scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:188) : proctitle=/proc/self/exe init
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:188) : arch=ppc64le syscall=prctl success=yes exit=0 a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/2017 16:13:26.051:188) : avc: denied { setpcap } for pid=5764 comm=runc:[2:INIT] capability=setpcap scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
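The records above show the mechanism behind the bug: once runc's child has called unshare(CLONE_NEWUSER), the kernel's SELinux hooks check its capability use against the cap_userns class instead of the capability class, and the 7.4-Alt policy had no cap_userns rules for unconfined_t. In enforcing mode only the first check fails (the unshare() itself, logged with permissive=0 and returned as EPERM); the other seven denials only appear after the setenforce notice, which is why the reporter's audit2allow output lists eight permissions while an enforcing-mode system shows one AVC. The script below is an added example written for this editing pass, not code from the bug, from runc or from selinux-policy. It parses raw AVC records, groups them the way audit2allow does (source type, target, class, with "self" when source and target types match) and emits the allow rule, and separately lists the denials that actually blocked an operation. The function names are this example's own; the sample input reuses the eight cap_userns records quoted above plus one constructed container_t/capability record that is not from the bug and exists only so that grouping by class is exercised.

```python
"""Turn raw SELinux AVC records into audit2allow-style rules.

Added example for bug 1461488; not code from the bug, from runc or from
selinux-policy.  Function names and the SAMPLE text are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample input: one USER_AVC notice that must be ignored, the
# eight cap_userns AVC records quoted in the bug (copied as pasted there), and
# one made-up capability-class record for a confined domain.  The last line is
# NOT from the bug; it is here only so that grouping by class is exercised.
SAMPLE = """\
type=USER_AVC msg=audit(06/14/2017 16:13:22.751:180) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=AVC msg=audit(06/14/2017 16:09:58.996:155) : avc: denied { sys_admin } for pid=4790 comm=runc:[1:CHILD] capability=sys_admin scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(06/14/2017 16:13:24.871:181) : avc: denied { sys_admin } for pid=5763 comm=runc:[1:CHILD] capability=sys_admin scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:25.901:182) : avc: denied { setuid } for pid=5764 comm=runc:[2:INIT] capability=setuid scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:25.901:183) : avc: denied { setgid } for pid=5764 comm=runc:[2:INIT] capability=setgid scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:25.901:184) : avc: denied { sys_ptrace } for pid=5754 comm=runc capability=sys_ptrace scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:25.921:185) : avc: denied { dac_override } for pid=5764 comm=runc:[2:INIT] capability=dac_override scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:26.051:186) : avc: denied { sys_resource } for pid=5754 comm=runc capability=sys_resource scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:26.051:187) : avc: denied { dac_read_search } for pid=5764 comm=runc:[2:INIT] capability=dac_read_search scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:26.051:188) : avc: denied { setpcap } for pid=5764 comm=runc:[2:INIT] capability=setpcap scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:20:00.000:200) : avc: denied { net_admin } for pid=6001 comm=example capability=net_admin scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:system_r:container_t:s0:c1,c2 tclass=capability permissive=0
"""

# Only real AVC denial records match; SYSCALL, PROCTITLE and USER_AVC do not.
AVC_RE = re.compile(
    r"\btype=AVC\s.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def selinux_type(context):
    """user:role:type:range -> type (the third colon-separated field)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied { ... } for ...' record.

    Returns None for every other record kind.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "pid": int(fields["pid"]),
        # permissive=0: the kernel refused the operation (EPERM to the caller).
        # permissive=1: logged only, the operation went ahead (setenforce 0).
        "enforced": fields.get("permissive") == "0",
    }


def denials_to_rules(lines):
    """Group denials by (source type, target, class) and emit allow rules.

    The target is written as 'self' when source and target types match, which
    is the case for every cap_userns check in the bug.
    """
    perms_by_key = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]
        perms_by_key[(d["stype"], target, d["tclass"])].update(d["perms"])
    return [
        f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, target, tclass), perms in sorted(perms_by_key.items())
    ]


def enforced_failures(lines):
    """Only the denials that actually blocked something (permissive=0)."""
    return [d for d in map(parse_avc, lines) if d is not None and d["enforced"]]


if __name__ == "__main__":
    records = SAMPLE.splitlines()
    for rule in denials_to_rules(records):
        print(rule)
    for d in enforced_failures(records):
        print(f"blocked: pid={d['pid']} comm={d['comm']} {d['tclass']} {d['perms']}")
```

Run against the bug's records this reproduces the reporter's rule, allow unconfined_t self:cap_userns { dac_override dac_read_search setgid setpcap setuid sys_admin sys_ptrace sys_resource };, and reports a single blocked operation, the unshare() by runc:[1:CHILD] (pid 4790). For unconfined_t that rule is the right fix, since the domain is meant to be unrestricted. For a confined domain the same output should not be loaded as a local module unreviewed: the cap_userns class exists precisely so that a process can be allowed a capability in the init user namespace without also getting it inside a namespace it created, and a blanket allow of the full set removes that distinction.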