Bug 1500287

Summary: Running /usr/sbin/ntpd -u ntp:ntp in container produces AVC denial
Product: Fedora
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: ntp
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 26
CC: amurdaca, dwalsh, fkluknav, jchaloup, jlebon, jpazdziora, linville, lsm5, mlichvar, slaznick
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1520447
Environment:
Last Closed: 2017-10-10 15:40:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1520447

Description Jan Pazdziora (Red Hat) 2017-10-10 10:45:27 UTC
Description of problem:

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1457312.

Running /usr/sbin/ntpd -u ntp:ntp in container produces AVC denial.

Version-Release number of selected component (if applicable):

container-selinux-2.24-1.fc26.noarch
docker-1.13.1-22.gitb5e3294.fc26.x86_64
selinux-policy-3.13.1-260.10.fc26.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run --rm -ti ntpd bash
2. In the container, run /usr/sbin/ntpd -u ntp:ntp
3. Check audit.log for AVC denials.

Actual results:

type=AVC msg=audit(1507632134.832:3173): avc:  denied  { module_request } for  pid=25312 comm="ntpd" kmod="net-pf-0" scontext=system_u:system_r:container_t:s0:c40,c45 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Expected results:

No AVC denials.

Additional info:

Note that for some reason, running the ntpd directly as parameter to docker run does not produce the AVC denial.

Comment 1 Daniel Walsh 2017-10-10 12:32:16 UTC
We are not allowing containers to request loading of kernel modules. If a kernel module needs to be loaded, then it needs to be done via the Administrator or by the packager.

I wrote about this here.

https://danwalsh.livejournal.com/77415.html

I think this is loading a kernel module to use ipv6.

The problem is a user could request the loading of any ancient network protocol which could have a vulnerability, and we don't want to allow this by default.

Comment 2 Jan Pazdziora (Red Hat) 2017-10-10 13:19:05 UTC
Thanks. Could we have a boolean to be able to silence the denials? We have domain_kernel_load_modules to (I assume) allow them to pass but maybe we can silence them?

Anyway, reopening and moving to ntp component. What does ntpd need net-pf-0 for? Based on https://medium.com/cri-o/cri-o-has-builtin-selinux-support-6ff45b707cf0, it's AF_UNSPEC -- could it be avoided altogether?

Comment 3 Miroslav Lichvar 2017-10-10 15:40:40 UTC
This seems to be a bug in ntpd. It calls socket() on a sockaddr which was zeroed with memset().

Upstream bug report: http://bugs.ntp.org/show_bug.cgi?id=3437
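The mechanism behind comment 3, as an added example that is not ntpd's code and not part of this bug report: a struct sockaddr cleared with memset() carries sa_family == 0, which is AF_UNSPEC, and handing that family to socket() makes the kernel look for a protocol family 0 and request the "net-pf-0" module, which is the module_request denial seen from container_t. The program below shows the buggy pattern (trust the family in the sockaddr) next to a checked version that validates the family before entering the kernel. All function names are this example's own.

```c
/* Added example, not ntpd's own code: why socket() on a sockaddr that was
 * zeroed with memset() asks the kernel for the "net-pf-0" module, and the
 * family check that avoids it. Function names below are this example's own.
 *
 * A zeroed struct sockaddr has sa_family == 0, which is AF_UNSPEC. Passing
 * that to socket() makes the kernel look up protocol family 0, and on Linux
 * an unregistered family triggers request_module("net-pf-0"). Under a
 * confining domain such as container_t that is the module_request AVC.
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Families this program knows how to use; everything else is rejected. */
int family_is_supported(int family)
{
    return family == AF_INET || family == AF_INET6;
}

/* Address family of a sockaddr as a plain int (sa_family_t is unsigned). */
int sockaddr_family(const struct sockaddr *sa)
{
    return (int)sa->sa_family;
}

/* Buggy pattern: trust whatever family the sockaddr carries. With a zeroed
 * sockaddr this becomes socket(AF_UNSPEC, ...), the call behind the AVC. */
int open_socket_unchecked(const struct sockaddr *sa)
{
    return socket(sa->sa_family, SOCK_DGRAM, 0);
}

/* Hardened pattern: validate the family first. For AF_UNSPEC or any other
 * unexpected family, fail with EAFNOSUPPORT without entering the kernel.
 * Returns a descriptor (>= 0) on success, -1 otherwise. */
int open_socket_checked(const struct sockaddr *sa)
{
    int family = sockaddr_family(sa);
    if (!family_is_supported(family)) {
        errno = EAFNOSUPPORT;
        return -1;
    }
    return socket(family, SOCK_DGRAM, 0);
}

/* The reported condition in user space: family of a memset()-zeroed
 * sockaddr_storage. Returns that family, which is 0 (AF_UNSPEC). */
int zeroed_sockaddr_family(void)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    return sockaddr_family((const struct sockaddr *)&ss);
}

/* Returns 1 if the checked path rejects a zeroed sockaddr with
 * EAFNOSUPPORT, i.e. without ever calling socket(); 0 otherwise. */
int checked_rejects_zeroed(void)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    errno = 0;
    int fd = open_socket_checked((const struct sockaddr *)&ss);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == EAFNOSUPPORT;
}

int main(void)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);

    printf("family of zeroed sockaddr: %d (AF_UNSPEC is %d)\n",
           zeroed_sockaddr_family(), AF_UNSPEC);

    /* Unchecked: the kernel is asked for family 0 and, with no such
     * protocol family registered, fails with EAFNOSUPPORT. This is the
     * call that shows up as module_request for kmod="net-pf-0". */
    int fd = open_socket_unchecked((const struct sockaddr *)&ss);
    if (fd < 0)
        printf("unchecked: socket() failed: %s\n", strerror(errno));
    else
        close(fd);

    /* Checked: same input, same errno, but no syscall and no AVC. */
    if (checked_rejects_zeroed())
        printf("checked: rejected in user space with EAFNOSUPPORT\n");

    return 0;
}
```

The point of the checked variant is that the rejection happens before the syscall: the kernel never sees family 0, so there is nothing for it to try to autoload, and the same EAFNOSUPPORT the caller would have got from the kernel is produced locally. In a daemon like ntpd the equivalent fix is to skip or fail interface entries whose address family was never filled in, rather than passing them to socket().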

Comment 4 Jan Pazdziora (Red Hat) 2017-10-11 06:40:47 UTC
Awesome. Miroslav, thanks a bunch for the quick turnaround.

Comment 5 Jan Pazdziora (Red Hat) 2017-10-11 07:01:40 UTC
Um, to close the loop here, the ntpd container image used in comment 0 was built from Dockerfile

FROM fedora:26
RUN dnf install -y ntp