Bug 1550967

Summary: Running systemd in container causes AVC denials about mounton /proc and write core_pattern
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: docker
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.5
CC: amurdaca, jpazdziora, lsm5, lsu, pasik
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the `dontaudit` and `allow` SELinux rules were missing, so the kernel raised a SELinux AVC message. Consequently, some commands did not work as expected. This update adds the missing rules, and the commands now run successfully.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-08-16 16:05:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2018-03-02 12:20:19 UTC
Description of problem:

Starting simple

docker run --name=systemd -td fedora:26 /usr/sbin/init

causes AVC denials.

Version-Release number of selected component (if applicable):

docker-1.13.1-55.rhel75.git774336d.el7.x86_64
oci-systemd-hook-0.1.15-2.gitc04483d.el7.x86_64
selinux-policy-3.13.1-192.el7.noarch
container-selinux-2.48-1.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run --name=systemd -td fedora:26 /usr/sbin/init
2. docker logs systemd
3. grep AVC /var/log/audit/audit.log

Actual results:

Mount failed for selinuxfs on /sys/fs/selinux:  No such file or directory
Failed to set up the root directory for shared mount propagation: Operation not permitted
systemd 233 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN default-hierarchy=hybrid)
Detected architecture x86-64.

Welcome to Fedora 26 (Twenty Six)!

Set hostname to <be23b15136e0>.
Initializing machine ID from random generator.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Reached target Swap.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[...]

type=AVC msg=audit(1520010316.284:910): avc:  denied  { mounton } for  pid=36237 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c791,c981 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1520010316.285:911): avc:  denied  { write } for  pid=36237 comm="systemd" name="core_pattern" dev="proc" ino=181849 scontext=system_u:system_r:container_t:s0:c791,c981 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file

Expected results:

No AVC denials.

Additional info:

Comment 2 Jan Pazdziora (Red Hat) 2018-03-02 12:21:20 UTC
This is very similar to bug 1373746 comment 2.

Comment 3 Jan Pazdziora (Red Hat) 2018-03-02 14:10:41 UTC
Other AVC denials that I see are:

type=AVC msg=audit(1519999311.398:105): avc:  denied  { write } for  pid=13044 comm="systemd" name="memory.use_hierarchy" dev="cgroup" ino=38170 scontext=system_u:system_r:container_t:s0:c671,c1000 tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=AVC msg=audit(1519999311.446:106): avc:  denied  { write } for  pid=13044 comm="systemd" name="system.slice" dev="cgroup" ino=42428 scontext=system_u:system_r:container_t:s0:c671,c1000 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Comment 4 Jan Pazdziora (Red Hat) 2018-03-02 14:11:15 UTC
On RHEL 7.4, only the

type=AVC msg=audit(1519999283.226:114): avc:  denied  { mounton } for  pid=14830 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c541,c668 tcontext=system_u:object_r:proc_t:s0 tclass=dir

is shown.

Comment 6 Jan Pazdziora (Red Hat) 2018-03-02 14:13:22 UTC
On Fedora 27 host, I see

type=AVC msg=audit(1520017465.878:172): avc:  denied  { write } for  pid=12280 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c636,c805 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0

type=AVC msg=audit(1520017528.039:352): avc:  denied  { mounton } for  pid=13217 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c150,c648 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0

On Fedora 26 host, I see

type=AVC msg=audit(1520017359.544:172): avc:  denied  { write } for  pid=12197 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c57,c418 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0

type=AVC msg=audit(1520017359.544:173): avc:  denied  { write } for  pid=12197 comm="systemd" name="cgroup.procs" dev="cgroup" ino=724 scontext=system_u:system_r:container_t:s0:c57,c418 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0

type=AVC msg=audit(1520017418.594:185): avc:  denied  { mounton } for  pid=13123 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c353,c701 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0

Comment 8 Daniel Walsh 2018-03-02 18:41:34 UTC
The write to cgroup requires the boolean be set.  We don't have labeled cgroups yet.

The write to userhelper, I will fix.

The mounton /proc is strange. I guess we can allow it.

Comment 9 Jan Pazdziora (Red Hat) 2018-03-03 14:18:34 UTC
Ah, container_manage_cgroup. Starting the container did not outright fail so it did not kick me to add it. I confirm that with the boolean set, the container_t/cgroup_t AVC denials are gone.
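
The reproduction in the description (`grep AVC /var/log/audit/audit.log`) and the triage in Comment 8 and Comment 9 (writes to cgroup_t are gated by the container_manage_cgroup boolean, while the usermodehelper_t write and the mounton /proc need new policy rules) lend themselves to a small classifier. The following is an added example, not code from this bug, from docker or from container-selinux. It parses audit.log records with a regular expression of its own, takes the AVC records quoted above plus a made-up SYSCALL line as constructed input, and the BOOLEAN_FOR_TARGET table is an assumption drawn only from this thread (it knows about container_manage_cgroup and nothing else).

```python
import re

# Constructed sample input. The AVC records are the ones quoted in this bug
# (Description and Comment 3); the SYSCALL record is a made-up non-AVC line to
# show that the parser skips it. The getsebool output mirrors Comment 16, but
# with container_manage_cgroup set to "off" (the reporter's initial state).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1520010316.284:910): avc:  denied  { mounton } for  pid=36237 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c791,c981 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1520010316.285:911): avc:  denied  { write } for  pid=36237 comm="systemd" name="core_pattern" dev="proc" ino=181849 scontext=system_u:system_r:container_t:s0:c791,c981 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file
type=SYSCALL msg=audit(1520010316.285:911): arch=c000003e syscall=2 success=no exit=-13 comm="systemd"
type=AVC msg=audit(1519999311.398:105): avc:  denied  { write } for  pid=13044 comm="systemd" name="memory.use_hierarchy" dev="cgroup" ino=38170 scontext=system_u:system_r:container_t:s0:c671,c1000 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1519999311.446:106): avc:  denied  { write } for  pid=13044 comm="systemd" name="system.slice" dev="cgroup" ino=42428 scontext=system_u:system_r:container_t:s0:c671,c1000 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
"""

SAMPLE_GETSEBOOL = """\
container_connect_any --> off
container_manage_cgroup --> off
logrotate_read_inside_containers --> off
"""

# Assumption taken from Comment 8/9: denials from container_t against these
# target types are gated by a boolean rather than needing a new allow rule.
BOOLEAN_FOR_TARGET = {"cgroup_t": "container_manage_cgroup"}

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type:level context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit.log record. Returns a dict for AVC denials, None otherwise."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_getsebool(text):
    """Parse `getsebool -a` output ("name --> on|off") into {name: bool}."""
    booleans = {}
    for line in text.splitlines():
        name, arrow, value = line.partition("-->")
        if arrow:
            booleans[name.strip()] = value.strip() == "on"
    return booleans


def triage(audit_text, getsebool_text):
    """Map each distinct (stype, ttype, tclass, perms) denial to a verdict.

    ("setsebool", name): a known boolean is off and would cover the denial.
    ("policy", name):    that boolean is already on yet the denial persists.
    ("policy", None):    no boolean applies; a container-selinux rule is needed.
    """
    booleans = parse_getsebool(getsebool_text)
    verdicts = {}
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"], avc["perms"])
        if key in verdicts:
            continue  # report each denial class once, not once per record
        name = BOOLEAN_FOR_TARGET.get(avc["ttype"])
        if name is None:
            verdicts[key] = ("policy", None)
        elif booleans.get(name, False):
            verdicts[key] = ("policy", name)
        else:
            verdicts[key] = ("setsebool", name)
    return verdicts


def report(verdicts):
    """Render triage results as one human-readable line per denial class."""
    lines = []
    for (stype, ttype, tclass, perms), (action, name) in verdicts.items():
        what = "%s -> %s:%s { %s }" % (stype, ttype, tclass, " ".join(perms))
        if action == "setsebool":
            fix = "run: setsebool -P %s on" % name
        elif name:
            fix = "%s is already on; needs a container-selinux rule" % name
        else:
            fix = "no boolean covers this; needs a container-selinux rule"
        lines.append("%s: %s" % (what, fix))
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_AUDIT, SAMPLE_GETSEBOOL))))
```

On a real host the two inputs would come from `grep AVC /var/log/audit/audit.log` and `getsebool -a`; the classifier deliberately keys on the source and target types and the object class, not on the per-container MCS categories (c791,c981 and so on), so the same denial from several containers is reported once.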

Comment 11 Daniel Walsh 2018-03-04 15:47:19 UTC
Attempt another fix in container-selinux-2.49-1.el7

Comment 14 Daniel Walsh 2018-03-12 15:33:35 UTC
I would think we would just wait for RHEL7.5 at this point.

Comment 16 Luwen Su 2018-08-05 17:30:28 UTC
Package version:
container-selinux-2.68-1.el7.noarch
docker-1.13.1-74.git6e3bb8e.el7.x86_64

Prerequisites:
# getsebool -a | grep -i container
container_connect_any --> off
container_manage_cgroup --> on
logrotate_read_inside_containers --> off

# docker run --name=systemd -td rhel7 /usr/sbin/init

No AVC logs.

Docker logs see below:
# docker logs systemd
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux Server 7.5 (Maipo)!

Set hostname to <de5509bcee50>.
Initializing machine ID from random generator.
Cannot add dependency job for unit sys-fs-fuse-connections.mount, ignoring: Unit is masked.
Cannot add dependency job for unit getty.target, ignoring: Unit is masked.
Cannot add dependency job for unit systemd-logind.service, ignoring: Unit is masked.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Reached target Swap.
[  OK  ] Reached target Paths.
[  OK  ] Created slice Root Slice.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Listening on Journal Socket.
[  OK  ] Created slice System Slice.
[  OK  ] Reached target Slices.
         Starting Journal Service...
         Starting Load/Save Random Seed...
         Starting Rebuild Hardware Database...
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Reached target Local File Systems.
         Starting Rebuild Journal Catalog...
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Load/Save Random Seed.
[  OK  ] Started Rebuild Hardware Database.
[  OK  ] Started Rebuild Journal Catalog.
         Starting Update is Completed...
[  OK  ] Started Update is Completed.
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting Permit User Sessions...
[  OK  ] Started D-Bus System Message Bus.
         Starting D-Bus System Message Bus...
[  OK  ] Reached target Timers.
[  OK  ] Started Permit User Sessions.
         Starting Cleanup of Temporary Directories...
[  OK  ] Reached target Multi-User System.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Cleanup of Temporary Directories.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Comment 17 Lokesh Mandvekar 2018-08-09 10:58:26 UTC
Dan, could you please write the 'Doc Text' for this bug? Please select Doc Type as 'Bug Fix'; it will display the template.

Comment 19 errata-xmlrpc 2018-08-16 16:05:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2482