Bug 1583843

Summary: the selinux 'z' and 'Z' options don't work with buildah run volumes
Product: Fedora
Reporter: David Smith <dsmith>
Component: buildah
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: amurdaca, dwalsh, fkluknav, lsm5, nalin
Hardware: Unspecified
OS: Unspecified
Fixed In Version: buildah-1.2-1.gitbe87762.fc28 buildah-1.2-1.gitbe87762.fc27
Last Closed: 2018-07-24 17:29:24 UTC
Type: Bug

Description David Smith 2018-05-29 21:31:48 UTC
Description of problem:

According to the buildah-run man page, the --volume option supports the 'z' (shared) and 'Z' (private) options that set the SELinux context on the volume. The "docker run" command has similar options.

However, in practice, these options don't work (or aren't implemented).

Version-Release number of selected component (if applicable):

buildah-1.0-1.git1ab80bc.fc28.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Make sure selinux is enabled and in enforcing mode:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

2. Create a container (any container)

3. Create a directory to mount down into the container

# mkdir /tmp/hostdir

4. Try to use the buildah run --volume option to mount the directory read-write:

# buildah run --volume /tmp/hostdir:/tmp/targetdir:rw sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- mkdir -p /tmp/targetdir/bar
mkdir: cannot create directory '/tmp/targetdir/bar': Permission denied

At this point a selinux AVC denial will occur. But, that is to be expected since we didn't use the 'z' or 'Z' option.

Let's check the context of the directory:

# buildah run --volume /tmp/hostdir:/tmp/targetdir:rw sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- ls -Zd /tmp/targetdir/
drwxrwxr-x. 5183 5184 unconfined_u:object_r:user_tmp_t:s0 /tmp/targetdir/

That isn't correct, but once again to be expected.

5. Try the 'z' option:

# buildah run --volume /tmp/hostdir:/tmp/targetdir:rw,z sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- mkdir -p /tmp/targetdir/bar
mkdir: cannot create directory '/tmp/targetdir/bar': Permission denied

Another selinux AVC denial will occur.

Let's check the context:

# buildah run --volume /tmp/hostdir:/tmp/targetdir:rw,z sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- ls -Zd /tmp/targetdir/
drwxrwxr-x. 5183 5184 unconfined_u:object_r:user_tmp_t:s0 /tmp/targetdir/

Notice the context is exactly the same as without using the 'z' option, so the 'z' option didn't do anything.

6. Try the 'Z' option:

# buildah run --volume /tmp/hostdir:/tmp/targetdir:rw,Z sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- mkdir -p /tmp/targetdir/bar
mkdir: cannot create directory '/tmp/targetdir/bar': Permission denied

Another selinux AVC denial will occur.

Let's check the context:

# buildah run --volume /tmp/hostdir:/tmp/targetdir:rw,Z sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- ls -Zd /tmp/targetdir/
drwxrwxr-x. 5183 5184 unconfined_u:object_r:user_tmp_t:s0 /tmp/targetdir/

Once again the context of the directory hasn't changed.

Actual results:

See above.

Expected results:

The context of the volume would be set correctly.

Additional info:

Note that the equivalent "docker run" command does set the context correctly.

I pulled down the upstream buildah source and took a look. If I'm not mistaken, the support for actually setting the context should be in the file vendor/github.com/opencontainers/selinux/go-selinux/label/label.go, function Relabel - but that function just returns (like the rest of that file).

This functionality should be implemented - or at least the functionality could be marked as not yet implemented in the documentation to avoid confusion.

Comment 1 Daniel Walsh 2018-05-30 21:44:24 UTC
The bug here is that the buildah run command has a --volume flag. I am opening a PR to remove this.

buildah from --volume /tmp/hostdir:/tmp/targetdir:rw,z  IMAGE

Should be where the volume is created not in the buildah run command.

If you do it on the from line, then everything should work correctly.

Comment 2 David Smith 2018-05-31 15:37:17 UTC
Yes, using "buildah from --volume" works correctly.

Be sure to remove the "buildah run --volume" option itself and its documentation.

Thanks for the help.
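The following script is an added example; it is not part of the bug report and not buildah's own code. It applies the fix agreed on above (pass the volume, with z or Z, to buildah from rather than buildah run) and then repeats the report's two checks from inside the container: the directory's type must be one a container process may write, and the mkdir that was denied must succeed. Assumptions: buildah is on PATH, SELinux is enforcing with the container-selinux policy (under which a correctly relabeled volume carries the type container_file_t, as with docker run's z/Z), and the caller supplies an image name. The relabel_mode helper only illustrates what the rw, ro, z and Z option letters mean and is not buildah's parser; the ls -Zd lines used in the helpers' comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or from buildah. Assumes: buildah on
# PATH, SELinux enforcing with container-selinux, an image name from the caller.

# label_context prints the SELinux context (user:role:type:level) found on one
# `ls -Zd` output line. It is the only field with three or more colons, so the
# position of the mode/owner/group fields does not matter.
label_context() {
    local field
    for field in $1; do
        case $field in
            *:*:*:*) printf '%s\n' "$field"; return 0 ;;
        esac
    done
    return 1
}

# label_type prints the type component, e.g. user_tmp_t for the lines quoted in
# the report, or container_file_t after a working relabel.
label_type() {
    local rest
    rest=$(label_context "$1") || return 1
    rest=${rest#*:}; rest=${rest#*:}          # strip user and role
    printf '%s\n' "${rest%%:*}"
}

# mcs_level prints the level: "s0" after a shared (z) relabel, or something like
# "s0:c123,c456" (constructed categories) after a private (Z) relabel.
mcs_level() {
    local rest
    rest=$(label_context "$1") || return 1
    rest=${rest#*:}; rest=${rest#*:}; rest=${rest#*:}   # strip user, role, type
    printf '%s\n' "$rest"
}

# volume_label_ok succeeds only for the type a container_t process may write.
volume_label_ok() {
    [ "$(label_type "$1")" = container_file_t ]
}

# relabel_mode parses HOST:CONTAINER[:OPTIONS] as given to --volume and prints
# shared (z), private (Z) or none. Illustrative parser: knows rw, ro, z and Z,
# and rejects z combined with Z or any other option.
relabel_mode() {
    local spec="$1" opts opt mode=none saved_ifs="$IFS"
    case $spec in
        *:*) ;;
        *) echo "volume spec needs HOST:CONTAINER[:OPTIONS]" >&2; return 1 ;;
    esac
    opts=${spec#*:}                                     # CONTAINER[:OPTIONS]
    case $opts in *:*) opts=${opts#*:} ;; *) opts="" ;; esac
    IFS=,
    for opt in $opts; do
        case $opt in
            rw|ro) ;;                                   # access mode only
            z) if [ "$mode" = private ]; then IFS="$saved_ifs"; echo "z and Z conflict" >&2; return 1; fi
               mode=shared ;;
            Z) if [ "$mode" = shared ]; then IFS="$saved_ifs"; echo "z and Z conflict" >&2; return 1; fi
               mode=private ;;
            *) IFS="$saved_ifs"; echo "unknown volume option: $opt" >&2; return 1 ;;
        esac
    done
    IFS="$saved_ifs"
    printf '%s\n' "$mode"
}

# verify_volume creates a container from IMAGE with HOSTDIR mounted at CTRDIR
# using relabel option OPT (z or Z) on `buildah from`, then repeats the report's
# checks inside it: type must be container_file_t and the mkdir must succeed.
verify_volume() {
    local hostdir="$1" ctrdir="$2" opt="$3" image="$4" ctr line mode rc=0
    mode=$(relabel_mode "$hostdir:$ctrdir:rw,$opt") || return 1
    [ "$mode" != none ] || return 1
    ctr=$(buildah from --volume "$hostdir:$ctrdir:rw,$opt" "$image") || return 1
    line=$(buildah run "$ctr" -- ls -Zd "$ctrdir") || rc=1
    buildah run "$ctr" -- mkdir -p "$ctrdir/bar" || rc=1
    buildah rm "$ctr" >/dev/null
    printf 'type=%s level=%s\n' "$(label_type "$line")" "$(mcs_level "$line")"
    [ "$rc" -eq 0 ] && volume_label_ok "$line"
}

# Usage (as root, SELinux enforcing): sh check-volume-label.sh IMAGE [z|Z]
if [ "$#" -ge 1 ] && command -v buildah >/dev/null 2>&1; then
    mkdir -p /tmp/hostdir
    verify_volume /tmp/hostdir /tmp/targetdir "${2:-z}" "$1"
fi
```

Two things worth keeping in mind when using it. z relabels the host directory so that every container (and anything else running as container_t) can read and write it, while Z additionally stamps the directory with that one container's MCS category pair, so a second container with different categories is denied. And because either option rewrites the label of the host directory itself, never point it at a system directory such as /home or /usr; use a dedicated directory as the report does.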

Comment 3 Fedora Update System 2018-07-15 12:57:15 UTC
buildah-1.2-1.gitbe87762.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d9a8457274

Comment 4 Fedora Update System 2018-07-15 12:57:37 UTC
buildah-1.2-1.gitbe87762.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eb77f53f4

Comment 5 Fedora Update System 2018-07-16 18:05:05 UTC
buildah-1.2-1.gitbe87762.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eb77f53f4

Comment 6 Fedora Update System 2018-07-16 20:29:14 UTC
buildah-1.2-1.gitbe87762.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d9a8457274

Comment 7 Fedora Update System 2018-07-24 17:29:24 UTC
buildah-1.2-1.gitbe87762.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2018-07-25 18:44:25 UTC
buildah-1.2-1.gitbe87762.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.