Bug 1469716

Summary: 7.4 rc: avc deny running .Net in docker
Product: Red Hat Enterprise Linux 7
Reporter: Qian Cai <qcai>
Component: container-selinux
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: high
Version: 7.4
CC: dwalsh, lsu, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-08-02 00:23:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Qian Cai 2017-07-11 17:27:02 UTC
Description of problem:
# docker run docker.io/microsoft/dotnet /usr/share/dotnet/dotnet --help

# ausearch -m avc
time->Tue Jul 11 13:23:28 2017
type=PROCTITLE msg=audit(1499793808.896:374): proctitle=2F7573722F73686172652F646F746E65742F646F746E6574002D2D68656C70
type=SYSCALL msg=audit(1499793808.896:374): arch=c000003e syscall=124 success=no exit=-13 a0=1 a1=4 a2=1 a3=7fffde512100 items=0 ppid=19326 pid=19343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dotnet" exe="/usr/share/dotnet/dotnet" subj=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 key=(null)
type=AVC msg=audit(1499793808.896:374): avc:  denied  { getsession } for  pid=19343 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tclass=process

# audit2allow -a
allow svirt_lxc_net_t self:process getsession;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
container-selinux-2.19-2.1.el7.noarch
docker-1.12.6-40.1.gitf55a118.el7.x86_64

How reproducible:
always

Comment 2 Qian Cai 2017-07-11 17:57:43 UTC
Looks like this one has been taken care of in upstream already.

https://github.com/projectatomic/container-selinux/commit/c5fd77fc2496e04c2722d23860842b58a72d0178

Comment 3 Qian Cai 2017-07-11 18:09:53 UTC
Same avc deny running our software collection images.

# docker run registry.access.redhat.com/dotnet/dotnetcore-10-rhel7 dotnet --help

[   75.265024] type=1400 audit(1499796422.188:7): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process
[   75.269935] type=1401 audit(1499796422.193:8): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
[   75.286475] type=1400 audit(1499796422.210:9): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process
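The AVC records in the description and in comment 3 can be triaged mechanically. The following is an added example, not code from this bug report or from container-selinux: it parses both the ausearch form (type=AVC) and the dmesg form (type=1400), extracts the SELinux source and target types, and folds the denials into the same allow rule that audit2allow printed in the description. The sample lines are copied from this page, and the type=1401 bounds event is deliberately skipped because it is not an AVC denial.

```python
import re
from collections import defaultdict

# Constructed sample: the ausearch-style AVC from the description, plus the
# dmesg-style AVC and the type=1401 bounds event from comment 3 of this bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1499793808.896:374): avc:  denied  { getsession } for  pid=19343 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tclass=process
[   75.265024] type=1400 audit(1499796422.188:7): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process
[   75.269935] type=1401 audit(1499796422.193:8): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
"""

# Matches "type=AVC ..." (ausearch) and "type=1400 ..." (dmesg) denial records alike.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'(?:comm="(?P<comm>[^"]*)"\s+)?scontext=(?P<sctx>\S+)\s+'
    r'tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """user:role:type:level -> type, e.g. system_u:system_r:svirt_lxc_net_t:s0:c696,c974 -> svirt_lxc_net_t."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """One dict per AVC denial; other records (the type=1401 bounds event) are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"comm": m["comm"], "perms": m["perms"].split(),
                            "stype": selinux_type(m["sctx"]),
                            "ttype": selinux_type(m["tctx"]), "tclass": m["tclass"]})
    return denials

def allow_rules(denials):
    """Fold denials into allow rules as audit2allow prints them (for triage, not for loading).

    MCS categories differ per container (c696,c974 vs c787,c837) but are not part of
    a type-enforcement rule, so both sample denials collapse into one rule."""
    perms_by_key = defaultdict(set)
    for d in denials:
        perms_by_key[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        target = "self" if stype == ttype else ttype  # audit2allow's "self" shorthand
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {plist};")
    return rules
```

The rule this produces for the sample is the one the reporter got from audit2allow; the actual fix was the container-selinux policy update named in comment 4, not a locally loaded module.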

Comment 4 Daniel Walsh 2017-07-11 18:33:22 UTC
Yes, this should be fixed in the container-selinux-2.20 release or later.

Comment 6 Luwen Su 2017-07-24 09:59:08 UTC
Looks fine in 

# rpm -q docker container-selinux
docker-1.12.6-48.git0fdc778.el7.x86_64
container-selinux-2.21-1.el7.noarch
# docker run registry.access.redhat.com/dotnet/dotnetcore-10-rhel7 dotnet --help
.NET Command Line Tools (1.0.0-preview2-003159)
Usage: dotnet [host-options] [command] [arguments] [common-options]

Arguments:
  [command]             The command to execute
  [arguments]           Arguments to pass to the command
  [host-options]        Options specific to dotnet (host)
  [common-options]      Options common to all commands

Common options:
  -v|--verbose          Enable verbose output
  -h|--help             Show help 

Host options (passed before the command):
  -v|--verbose          Enable verbose output
  --version             Display .NET CLI Version Number
  --info                Display .NET CLI Info

Common Commands:
  new           Initialize a basic .NET project
  restore       Restore dependencies specified in the .NET project
  build         Builds a .NET project
  publish       Publishes a .NET project for deployment (including the runtime)
  run           Compiles and immediately executes a .NET project
  test          Runs unit tests using the test runner specified in the project
  pack          Creates a NuGet package

Comment 8 errata-xmlrpc 2017-08-02 00:23:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2372