Bug 1469661
Summary: | allow svirt_lxc_net_t container_share_t:file execmod | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Qian Cai <qcai> |
Component: | container-selinux | Assignee: | Lokesh Mandvekar <lsm5> |
Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.4 | CC: | dwalsh, lsu, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
Target Milestone: | rc | Keywords: | Extras |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | container-selinux-2.21-1.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-02 00:23:00 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1473538 |
Description
Qian Cai
2017-07-11 15:13:37 UTC
This is only reproducible on the docker overlay/overlay2 backend. I suspect it could be reproduced on x86_64 as well by using libraries which require execmod, for example running .NET on RHEL 7 with Docker. We have already fixed this in the non-overlay/overlay2 case.

```
# sesearch -s svirt_lxc_net_t -t svirt_sandbox_file_t -c file -p execmod -A -C
Found 1 semantic av rules:
   allow svirt_sandbox_domain svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute execute_no_trans execmod open } ;
```

But in the overlay/overlay2 case, all files are labeled container_share_t.

```
# ls -ldZ /var/lib/docker/overlay2/
drwx------. root root system_u:object_r:container_share_t:s0 /var/lib/docker/overlay2/
```

Developers have confirmed this can be reproduced on x86_64 as well.

Lokesh 333854a550c008aa76484db08cfdb67ecfa90bc6 fixes this in git; we need a new build.

The label of the overlay directory is not changed, but the dotnet container works fine on the x86_64 platform.

container-selinux-2.21-1.el7.noarch
docker-1.12.6-48.git0fdc778.el7.x86_64

```
# docker run docker.io/microsoft/dotnet /usr/share/dotnet/dotnet --help
.NET Command Line Tools (1.0.4)
Usage: dotnet [host-options] [command] [arguments] [common-options]

Arguments:
  [command]             The command to execute
  [arguments]           Arguments to pass to the command
  [host-options]        Options specific to dotnet (host)
  [common-options]      Options common to all commands

Common options:
  -v|--verbose          Enable verbose output
  -h|--help             Show help

Host options (passed before the command):
  -d|--diagnostics      Enable diagnostic output
  --version             Display .NET CLI Version Number
  --info                Display .NET CLI Info

Commands:
  new           Initialize .NET projects.
  restore       Restore dependencies specified in the .NET project.
  build         Builds a .NET project.
  publish       Publishes a .NET project for deployment (including the runtime).
  run           Compiles and immediately executes a .NET project.
  test          Runs unit tests using the test runner specified in the project.
  pack          Creates a NuGet package.
  migrate       Migrates a project.json based project to a msbuild based project.
  clean         Clean build output(s).
  sln           Modify solution (SLN) files.

Project modification commands:
  add           Add items to the project
  remove        Remove items from the project
  list          List items in the project

Advanced Commands:
  nuget         Provides additional NuGet commands.
  msbuild       Runs Microsoft Build Engine (MSBuild).
  vstest        Runs Microsoft Test Execution Command Line Tool.
```

```
# sesearch -s svirt_lxc_net_t -t svirt_sandbox_file_t -c file -p execmod -A -C
Found 1 semantic av rules:
   allow svirt_sandbox_domain svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute execute_no_trans execmod open } ;
```

```
# ls -aZ /var/lib/docker/overlay
drwx------. root root system_u:object_r:container_share_t:s0 .
drwx--x--x. root root system_u:object_r:container_var_lib_t:s0 ..
drwx------. root root system_u:object_r:container_share_t:s0 0e528a331a1cac764a93572682312dc2cd22df1fad57f802b260ad01b3fc582f
drwx------. root root system_u:object_r:container_share_t:s0 3dff686e7781ab75a05611ef4ab365922e8123859e31dc8ae32037c26a42436a
.....
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2372
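The bug turns on one question: does the policy grant the container domain execmod on files carrying the type that labels the docker storage root? The following POSIX shell script is an added example, not code from the bug report or from container-selinux. It parses an `ls -dZ` line to find that type and then scans `sesearch -A` output for an allow rule on class file that carries the wanted permission. The two sample strings are constructed from the lines quoted in the bug; the second `container_share_t` rule is an illustrative rule set without execmod, not the real pre-fix policy.

```shell
#!/bin/sh
# Added example (not the bug's or container-selinux's own code): check whether
# the container domain is allowed execmod on the type labelling the docker
# storage root, by parsing `ls -dZ` and `sesearch -A` output.

# Constructed samples, modelled on the lines quoted in the bug. The
# container_share_t rule is illustrative (a policy lacking execmod), not the
# actual pre-fix rule set.
SAMPLE_LS='drwx------. root root system_u:object_r:container_share_t:s0 /var/lib/docker/overlay2/'

SAMPLE_SESEARCH='Found 2 semantic av rules:
   allow svirt_sandbox_domain svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute execute_no_trans execmod open } ;
   allow svirt_sandbox_domain container_share_t : file { ioctl read getattr lock open execute execute_no_trans } ;'

# Print the SELinux type (third colon-separated field of the security
# context) from a single `ls -dZ` line.
label_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, ctx, ":") >= 3) { print ctx[3]; exit }
    }'
}

# Read sesearch output on stdin; print "yes" if any allow rule on class file
# whose target type is $1 grants permission $2, otherwise "no". Handles both
# the "target : file" spelling shown in the bug and the newer "target:file".
allow_has_perm() {
    awk -v want_t="$1" -v want_p="$2" '
        $1 == "allow" {
            line = $0
            gsub(/:/, " : ", line)            # normalise "t:file" to "t : file"
            n = split(line, f, " ")
            if (n < 5 || f[3] != want_t || f[5] != "file") next
            s = index(line, "{"); e = index(line, "}")
            if (s == 0 || e <= s) next
            m = split(substr(line, s + 1, e - s - 1), perms, " ")
            for (i = 1; i <= m; i++)
                if (perms[i] == want_p) { found = 1; exit }
        }
        END { print (found ? "yes" : "no") }'
}

# $1 is an `ls -dZ` line for the storage root, $2 is sesearch output.
# Exit status 0 when execmod is allowed on that type, 1 otherwise.
check_execmod() {
    t=$(label_type "$1")
    r=$(printf '%s\n' "$2" | allow_has_perm "$t" execmod)
    printf '%s: execmod on %s\n' "$r" "$t"
    [ "$r" = yes ]
}

# Demo on the constructed samples. On a live host feed it the output of
#   ls -dZ /var/lib/docker/overlay2
#   sesearch -s svirt_lxc_net_t -c file -p execmod -A
check_execmod "$SAMPLE_LS" "$SAMPLE_SESEARCH" || :
```

A "no" on an affected host reproduces the condition the bug describes; the fix is the updated container-selinux package named in Fixed In Version, which is the signal to re-run the check afterwards.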