Bug 1469661

Summary: allow svirt_lxc_net_t container_share_t:file execmod
Product: Red Hat Enterprise Linux 7
Reporter: Qian Cai <qcai>
Component: container-selinux
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 7.4
CC: dwalsh, lsu, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: container-selinux-2.21-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-02 00:23:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1473538

Description Qian Cai 2017-07-11 15:13:37 UTC
Description of problem:
# docker run -it --rm docker.io/ppc64le/debian dpkg --list
dpkg: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied

# ausearch -m avc
----
time->Tue Jul 11 09:26:00 2017
type=PROCTITLE msg=audit(1499779560.826:2078): proctitle=64706B67002D2D6C697374
type=SYSCALL msg=audit(1499779560.826:2078): arch=c0000015 syscall=125 success=no exit=-13 a0=5eff0000 a1=50000 a2=5 a3=7fbc0 items=0 ppid=44022 pid=44064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="dpkg" exe="/usr/bin/dpkg" subj=system_u:system_r:svirt_lxc_net_t:s0:c635,c815 key=(null)
type=AVC msg=audit(1499779560.826:2078): avc:  denied  { execmod } for  pid=44064 comm="dpkg" path="/usr/bin/dpkg" dev="dm-0" ino=75708698 scontext=system_u:system_r:svirt_lxc_net_t:s0:c635,c815 tcontext=system_u:object_r:container_share_t:s0 tclass=file

# audit2allow -a
#============= svirt_lxc_net_t ==============

#!!!! The file '/usr/bin/dpkg' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /usr/bin/dpkg
allow svirt_lxc_net_t container_share_t:file execmod;

Version-Release number of selected component (if applicable):
docker-1.12.6-40.1.gitf55a118.el7.ppc64le
libselinux-utils-2.5-11.el7.ppc64le
container-selinux-2.19-2.1.el7.noarch
libselinux-python-2.5-11.el7.ppc64le
selinux-policy-3.13.1-165.el7.noarch
libselinux-2.5-11.el7.ppc64le
libselinux-devel-2.5-11.el7.ppc64le
selinux-policy-targeted-3.13.1-165.el7.noarch

How reproducible:
always

Comment 2 Qian Cai 2017-07-11 17:05:26 UTC
This is only reproducible on the docker overlay/overlay2 backend. I suspect it could be reproduced on x86_64 as well by using libraries which require execmod, for example, running .NET on RHEL 7 with Docker.

Comment 3 Qian Cai 2017-07-11 17:09:32 UTC
We have already fixed this in the non-overlay/overlay2 case.

# sesearch -s svirt_lxc_net_t -t svirt_sandbox_file_t -c file -p execmod -A -C
Found 1 semantic av rules:
   allow svirt_sandbox_domain svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute execute_no_trans execmod open } ;

but in the overlay/overlay2 case, all files are labeled container_share_t.

# ls -ldZ /var/lib/docker/overlay2/
drwx------. root root system_u:object_r:container_share_t:s0 /var/lib/docker/overlay2/
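As an added example (not part of the report or of container-selinux), a small Python parser for the audit records shown above that flags the case described here: an execmod denial by svirt_lxc_net_t on a container_share_t file, i.e. image content under the overlay/overlay2 backend. The first two sample lines are taken (abridged) from the description; the third is constructed for contrast and its passwd_file_t target is only a sample value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Fields of a type=AVC audit record that the diagnosis needs.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

@dataclass
class AvcDenial:
    perms: List[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str

def sel_type(context: str) -> str:
    # SELinux context is user:role:type:level; the type is what policy rules key on.
    return context.split(':')[2]

def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit record; returns None for non-AVC records (SYSCALL, PROCTITLE, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcDenial(m['perms'].split(), m['comm'], m['scontext'], m['tcontext'], m['tclass'])

def diagnose(denial: Optional[AvcDenial]) -> str:
    """Classify a denial; the first branch is the overlay/container_share_t execmod case."""
    if denial is None:
        return 'not an AVC record'
    if ('execmod' in denial.perms and denial.tclass == 'file'
            and sel_type(denial.scontext) == 'svirt_lxc_net_t'
            and sel_type(denial.tcontext) == 'container_share_t'):
        return ('execmod denied on container_share_t (image content under overlay/overlay2); '
                'verify with: sesearch -s svirt_lxc_net_t -t container_share_t -c file -p execmod -A')
    return 'other denial: %s %s by %s (%s -> %s)' % (' '.join(denial.perms), denial.tclass,
                                                     denial.comm, sel_type(denial.scontext), sel_type(denial.tcontext))

# Sample records: first two abridged from the report above, the third constructed for contrast.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1499779560.826:2078): arch=c0000015 syscall=125 success=no exit=-13 comm="dpkg"',
    'type=AVC msg=audit(1499779560.826:2078): avc:  denied  { execmod } for  pid=44064 comm="dpkg" path="/usr/bin/dpkg" dev="dm-0" ino=75708698 scontext=system_u:system_r:svirt_lxc_net_t:s0:c635,c815 tcontext=system_u:object_r:container_share_t:s0 tclass=file',
    'type=AVC msg=audit(1500000000.000:1): avc:  denied  { write } for  pid=1 comm="app" path="/etc/passwd" scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
]
```

Feeding the output of `ausearch -m avc` line by line through `parse_avc` and `diagnose` separates this labeling issue from unrelated denials before anyone reaches for audit2allow.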

Comment 4 Qian Cai 2017-07-19 14:25:24 UTC
This is confirmed by developers; it can be reproduced on x86_64 as well.

Comment 5 Daniel Walsh 2017-07-19 17:02:30 UTC
Lokesh, 333854a550c008aa76484db08cfdb67ecfa90bc6 fixes this in git; we need a new build.

Comment 8 Luwen Su 2017-07-24 10:25:41 UTC
The label of overlay is not changed, but the dotnet container works fine on the x86_64 platform.

container-selinux-2.21-1.el7.noarch
docker-1.12.6-48.git0fdc778.el7.x86_64
# docker run docker.io/microsoft/dotnet /usr/share/dotnet/dotnet --help
.NET Command Line Tools (1.0.4)
Usage: dotnet [host-options] [command] [arguments] [common-options]

Arguments:
  [command]             The command to execute
  [arguments]           Arguments to pass to the command
  [host-options]        Options specific to dotnet (host)
  [common-options]      Options common to all commands

Common options:
  -v|--verbose          Enable verbose output
  -h|--help             Show help 

Host options (passed before the command):
  -d|--diagnostics      Enable diagnostic output
  --version             Display .NET CLI Version Number
  --info                Display .NET CLI Info

Commands:
  new           Initialize .NET projects.
  restore       Restore dependencies specified in the .NET project.
  build         Builds a .NET project.
  publish       Publishes a .NET project for deployment (including the runtime).
  run           Compiles and immediately executes a .NET project.
  test          Runs unit tests using the test runner specified in the project.
  pack          Creates a NuGet package.
  migrate       Migrates a project.json based project to a msbuild based project.
  clean         Clean build output(s).
  sln           Modify solution (SLN) files.

Project modification commands:
  add           Add items to the project
  remove        Remove items from the project
  list          List items in the project

Advanced Commands:
  nuget         Provides additional NuGet commands.
  msbuild       Runs Microsoft Build Engine (MSBuild).
  vstest        Runs Microsoft Test Execution Command Line Tool.

# sesearch -s svirt_lxc_net_t -t svirt_sandbox_file_t -c file -p execmod -A -C
Found 1 semantic av rules:
   allow svirt_sandbox_domain svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute execute_no_trans execmod open } ; 
# ls -aZ /var/lib/docker/overlay
drwx------. root root system_u:object_r:container_share_t:s0 .
drwx--x--x. root root system_u:object_r:container_var_lib_t:s0 ..
drwx------. root root system_u:object_r:container_share_t:s0 0e528a331a1cac764a93572682312dc2cd22df1fad57f802b260ad01b3fc582f
drwx------. root root system_u:object_r:container_share_t:s0 3dff686e7781ab75a05611ef4ab365922e8123859e31dc8ae32037c26a42436a
.....

Comment 10 errata-xmlrpc 2017-08-02 00:23:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2372