Bug 1464455

Summary: Running commands in docker containers is causing AVCs
Product: Red Hat Enterprise Linux 7
Reporter: Matus Marhefka <mmarhefk>
Component: container-selinux
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED NOTABUG
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: high
Version: 7.4
CC: dwalsh
Target Milestone: rc
Keywords: Extras
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2017-07-17 20:03:14 UTC
Type: Bug

Description Matus Marhefka 2017-06-23 13:05:26 UTC
Description of problem:
Running commands in docker containers is causing AVCs; see steps to reproduce.


Version-Release number of selected component (if applicable):
container-selinux-2.15-1.git583ca40.el7.noarch
docker-1.12.6-32.git88a4867.el7.x86_64


How reproducible:
always


Steps to Reproduce:
# date
Fri Jun 23 08:56:02 EDT 2017

# docker run --rm -it registry.access.redhat.com/rhel7 ls /
bin   dev  home  lib64	     media  opt   root	sbin  sys  usr
boot  etc  lib	 lost+found  mnt    proc  run	srv   tmp  var

# ausearch -m PROCTITLE -ts 8:56
----
time->Fri Jun 23 08:56:14 2017
type=PROCTITLE msg=audit(1498222574.448:660): proctitle=2F7573722F62696E2F646F636B6572642D63757272656E74002D2D6164642D72756E74696D6500646F636B65722D72756E633D2F7573722F6C6962657865632F646F636B65722F646F636B65722D72756E632D63757272656E74002D2D64656661756C742D72756E74696D653D646F636B65722D72756E63002D2D617574686F
type=SYSCALL msg=audit(1498222574.448:660): arch=c000003e syscall=44 success=yes exit=40 a0=a a1=c422673890 a2=28 a3=0 items=0 ppid=1 pid=11720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerd-current" exe="/usr/bin/dockerd-current" subj=system_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1498222574.448:660): dev=veth8d4f3c2 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
----
time->Fri Jun 23 08:56:14 2017
type=PROCTITLE msg=audit(1498222574.478:661): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1498222574.478:661): arch=c000003e syscall=56 success=yes exit=15437 a0=6c028011 a1=7ffe91d90060 a2=7ffe91d91190 a3=0 items=0 ppid=15429 pid=15434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/libexec/docker/docker-runc-current" subj=system_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
type=NETFILTER_CFG msg=audit(1498222574.478:661): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1498222574.478:661): table=filter family=2 entries=0
----
time->Fri Jun 23 08:56:14 2017
type=PROCTITLE msg=audit(1498222574.530:662): proctitle="(machined)"
type=SYSCALL msg=audit(1498222574.530:662): arch=c000003e syscall=272 success=yes exit=0 a0=40000000 a1=7fffb8af2920 a2=fffffffffffffff5 a3=22 items=0 ppid=1 pid=15453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(machined)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1498222574.530:662): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1498222574.530:662): table=filter family=2 entries=0
----
time->Fri Jun 23 08:56:14 2017
type=PROCTITLE msg=audit(1498222574.634:666): proctitle=2F7573722F62696E2F646F636B6572642D63757272656E74002D2D6164642D72756E74696D6500646F636B65722D72756E633D2F7573722F6C6962657865632F646F636B65722F646F636B65722D72756E632D63757272656E74002D2D64656661756C742D72756E74696D653D646F636B65722D72756E63002D2D617574686F
type=SYSCALL msg=audit(1498222574.634:666): arch=c000003e syscall=44 success=yes exit=32 a0=a a1=c4213a3360 a2=20 a3=0 items=0 ppid=1 pid=11720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerd-current" exe="/usr/bin/dockerd-current" subj=system_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1498222574.634:666): dev=veth8d4f3c2 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Comment 4 Daniel Walsh 2017-07-17 20:03:14 UTC
There are no AVCs in the report. Those are all just regular audit messages.
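As an added example (not part of this bug report or of container-selinux), a small Python triage script that parses ausearch output like the above, skips the `----`/`time->` separator lines, decodes the hex-encoded proctitle field, and reports only genuine type=AVC denial records. The sample records are constructed: abridged copies of the record types seen in the report plus one made-up AVC line for contrast.

```python
import re
from collections import Counter

# Constructed sample: abridged records of the kinds seen in the report, plus one made-up AVC record.
SAMPLE = """\
----
time->Fri Jun 23 08:56:14 2017
type=PROCTITLE msg=audit(1498222574.478:661): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1498222574.478:661): arch=c000003e syscall=56 success=yes comm="exe" subj=system_u:system_r:container_runtime_t:s0-s0:c0.c1023
type=NETFILTER_CFG msg=audit(1498222574.478:661): table=nat family=2 entries=0
type=ANOM_PROMISCUOUS msg=audit(1498222574.634:666): dev=veth8d4f3c2 prom=0 old_prom=256 auid=4294967295 uid=0
type=AVC msg=audit(1500000000.000:999): avc:  denied  { write } for  pid=4242 comm="example" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')

def parse_records(text):
    """Parse audit lines into dicts; ausearch's '----' and 'time->' lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def decode_proctitle(body):
    """proctitle is hex-encoded when argv contains NUL or space; NUL separates argv entries."""
    value = body.split('proctitle=', 1)[1]
    if value.startswith('"'):          # plain form, e.g. proctitle="(machined)"
        return [value.strip('"')]
    return bytes.fromhex(value).decode('utf-8', 'replace').split('\x00')

def avc_denials(records):
    """Only type=AVC records carrying 'denied' are SELinux denials; other types are ordinary audit events."""
    return [r for r in records if r['type'] == 'AVC' and ' denied ' in r['body']]

def triage(text):
    """Return (count of records per type, serials of the AVC denials found)."""
    records = parse_records(text)
    types = Counter(r['type'] for r in records)
    return types, [r['serial'] for r in avc_denials(records)]

if __name__ == '__main__':
    types, denials = triage(SAMPLE)
    print('record types:', dict(types))
    print('AVC denials :', denials or 'none')
    for r in parse_records(SAMPLE):
        if r['type'] == 'PROCTITLE':
            print('proctitle argv:', decode_proctitle(r['body']))
```

Run against the report's own records (everything except the constructed serial 999) the script reports no AVC denials, which is the point made in Comment 4.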