Bug 1602914
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Running dnf upgrade in container (build) which updates elfutils-default-yama-scope causes AVC denial | | |
| Product: | [Fedora] Fedora | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | container-selinux | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 28 | CC: | amurdaca, dwalsh, fche, fkluknav, jchaloup, jpazdziora, lsm5, mjw |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | container-selinux-2.69-1.git452b90d.fc28 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1609806 (view as bug list) | Environment: | |
| Last Closed: | 2018-08-02 16:21:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1609806 | | |
I guess this is a reproducer for bug 1435868.

Are these properly namespaced?

I have no idea. I'm merely an external observer here.

Ok so this is also mounted readonly, so I think I will just add a dontaudit rule.

Fixed in container-selinux-2.69-1.git452b90d

container-selinux-2.69-1.git452b90d.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d

It seems to me that elfutils' %post should not attempt to run this sysctl at all, and just leave it to the next reboot. That would also solve this problem (since a container startup wouldn't trigger this).

container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d

(In reply to Frank Ch. Eigler from comment #8)
> It seems to me that elfutils' %post should not attempt to run this sysctl at
> all, and just leave it to the next reboot. That would also solve this
> problem (since a container startup wouldn't trigger this).

I've cloned into bug 1609806 for a possible elfutils change.

container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
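The fix shipped in container-selinux-2.69 is a dontaudit rule for exactly this denial. The script below is an added example, not the reporter's output and not container-selinux's own policy source: it parses the AVC record quoted in this bug into source type, target type, object class and permission, emits the matching dontaudit rule, and wraps it in a standalone module written in the raw `module`/`require` syntax that checkmodule accepts (the same shape audit2allow produces), rather than the refpolicy macros the container-selinux package uses. The AVC_LINE variable is a copy of the denial from the report; the module name local_container_sysctl and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from container-selinux:
# derive the dontaudit rule container-selinux-2.69 adds for this denial from
# the AVC record itself, in the standalone module syntax checkmodule accepts.

# Constructed copy of the denial quoted in the report.
AVC_LINE='type=AVC msg=audit(1531942069.455:173): avc: denied { write } for pid=14418 comm="systemd-sysctl" name="ptrace_scope" dev="proc" ino=48216 scontext=system_u:system_r:container_t:s0:c162,c763 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of "KEY=..." in an AVC record (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_perms LINE: the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule KIND LINE: print "KIND src tgt:class { perms };" for one record.
# KIND is dontaudit (what container-selinux chose here) or allow.
avc_to_rule() {
    kind=$1 line=$2
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    printf '%s %s %s:%s { %s };\n' "$kind" "$src" "$tgt" "$cls" "$perms"
}

# avc_to_module NAME LINE: a complete .te in checkmodule's raw syntax. The
# require block makes the types and class resolvable outside the base policy.
avc_to_module() {
    name=$1 line=$2
    rule=$(avc_to_rule dontaudit "$line") || return 1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s\n' \
        "$name" "$src" "$tgt" "$cls" "$perms" "$rule"
}

# build_module NAME: compile NAME.te (in the current directory) to NAME.pp when
# the policy tools exist; load afterwards, as root, with "semodule -i NAME.pp".
build_module() {
    name=$1
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not installed; skipping build" >&2
        return 2
    fi
    checkmodule -M -m -o "$name.mod" "$name.te" && semodule_package -o "$name.pp" -m "$name.mod"
}

# Demo: print the module for the denial above.
avc_to_module local_container_sysctl "$AVC_LINE"
```

A dontaudit rule only silences the log entry; it grants nothing. That is acceptable here because the write could not succeed anyway (the reporter notes /proc/sys is mounted read-only in the container) and the scriptlet already discards the failure. If the denied operation were one that has to work, the rule would have to be `allow`, and hiding it with dontaudit would bury a real breakage.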
Description of problem:

When elfutils-default-yama-scope happens to be upgraded in a container, there is an AVC denial about container_t and sysctl_kernel_t.

Version-Release number of selected component (if applicable):

On host: container-selinux-2:2.65-1.gitbf5b26b.fc28.noarch
In container: elfutils-default-yama-scope-0.170-11.fc29.noarch

How reproducible:

Deterministic.

Steps to Reproduce:

1. docker run --rm registry.fedoraproject.org/fedora:rawhide dnf upgrade -y elfutils-default-yama-scope
2. Check audit.log

Actual results:

```
Unable to find image 'registry.fedoraproject.org/fedora:rawhide' locally
Trying to pull repository registry.fedoraproject.org/fedora ...
sha256:521225b1a14aba45bdbce042f42f2f457813b0fdd58989325a7fa5321a223387: Pulling from registry.fedoraproject.org/fedora
f5b598b9ce0d: Pulling fs layer
f5b598b9ce0d: Verifying Checksum
f5b598b9ce0d: Download complete
f5b598b9ce0d: Pull complete
Digest: sha256:521225b1a14aba45bdbce042f42f2f457813b0fdd58989325a7fa5321a223387
Status: Downloaded newer image for registry.fedoraproject.org/fedora:rawhide
MARK-LWD-LOOP -- 2018-07-18 15:24:57 --
Fedora - Rawhide - Developmental packages for t        427 kB/s |  62 MB     02:27
Last metadata expiration check: 0:01:02 ago on Wed Jul 18 19:26:35 2018.
Dependencies resolved.
================================================================================
 Package                      Arch    Version       Repository   Size
================================================================================
Upgrading:
 elfutils-default-yama-scope  noarch  0.173-2.fc29  rawhide      14 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 14 k
Downloading Packages:
elfutils-default-yama-scope-0.173-2.fc29.noarch         60 kB/s |  14 kB     00:00
--------------------------------------------------------------------------------
Total                                                   13 kB/s |  14 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Upgrading        : elfutils-default-yama-scope-0.173-2.fc29.noarch        1/2
  Running scriptlet: elfutils-default-yama-scope-0.173-2.fc29.noarch        1/2
  Cleanup          : elfutils-default-yama-scope-0.170-11.fc29.noarch       2/2
  Running scriptlet: elfutils-default-yama-scope-0.170-11.fc29.noarch       2/2
  Verifying        : elfutils-default-yama-scope-0.173-2.fc29.noarch        1/2
  Verifying        : elfutils-default-yama-scope-0.170-11.fc29.noarch       2/2

Upgraded:
  elfutils-default-yama-scope.noarch 0.173-2.fc29

Complete!
```

and

```
type=AVC msg=audit(1531942069.455:173): avc:  denied  { write } for  pid=14418 comm="systemd-sysctl" name="ptrace_scope" dev="proc" ino=48216 scontext=system_u:system_r:container_t:s0:c162,c763 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
```

Expected results:

No AVC denial.

Additional info:

The scriptlet in elfutils-default-yama-scope does

```
/usr/lib/systemd/systemd-sysctl 10-default-yama-scope.conf >/dev/null 2>&1 || :
```

and /usr/lib/sysctl.d/10-default-yama-scope.conf contains

```
kernel.yama.ptrace_scope = 0
```
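Because the scriptlet quoted above redirects all output and ends in `|| :`, dnf prints `Complete!` whether or not the sysctl was applied; the audit log is the only place the failed write shows up. The script below is an added example, not the elfutils scriptlet and not the change tracked in bug 1609806: a %post-style wrapper that keeps the systemd-sysctl call but skips it where it cannot take effect, by checking the mount table for a read-only /proc/sys and looking for the Docker and podman marker files (/.dockerenv, /run/.containerenv). The mount tables and root directories it creates under a temporary directory are constructed samples so the decision can be exercised offline; should_apply_sysctl and the other function names are this example's own.

```shell
#!/bin/sh
# Added example, not the elfutils scriptlet and not a patch proposed in this
# bug: call systemd-sysctl only where kernel sysctls are actually writable,
# instead of masking the failure with ">/dev/null 2>&1 || :" and leaving the
# AVC record as the only trace.

# proc_sys_readonly [MOUNTS]: true when /proc/sys is a read-only mount in the
# given mounts table (default: the live /proc/self/mounts). Docker and podman
# mount /proc/sys read-only, which is why the write in the report cannot succeed.
proc_sys_readonly() {
    awk '$2 == "/proc/sys" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
         END { exit ro ? 0 : 1 }' "${1:-/proc/self/mounts}"
}

# in_container [ROOT]: true when a runtime marker file exists under ROOT
# (/.dockerenv for Docker, /run/.containerenv for podman); ROOT defaults to /.
in_container() {
    [ -e "${1:-}/.dockerenv" ] || [ -e "${1:-}/run/.containerenv" ]
}

# should_apply_sysctl [MOUNTS] [ROOT]: the decision the wrapper relies on.
should_apply_sysctl() {
    ! in_container "${2:-}" && ! proc_sys_readonly "${1:-/proc/self/mounts}"
}

# apply_sysctl CONF: what a %post could do instead of discarding every error.
# Returns 0 if applied, 3 if skipped (the value takes effect at next boot),
# or systemd-sysctl's own status so a real failure is not hidden.
apply_sysctl() {
    if ! should_apply_sysctl; then
        echo "skip $1: kernel sysctls not writable here; applies on next boot" >&2
        return 3
    fi
    /usr/lib/systemd/systemd-sysctl "$1"
}

# Constructed mount tables and root directories (not captured from a real
# system) so the decision can be exercised without a container runtime.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/container.mounts" <<'EOF'
overlay / overlay rw,relatime,lowerdir=/var/lib/containers/storage/overlay/l/EXAMPLE 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
EOF
cat > "$SAMPLE_DIR/host.mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
mkdir -p "$SAMPLE_DIR/container-root/run" "$SAMPLE_DIR/host-root"
: > "$SAMPLE_DIR/container-root/run/.containerenv"

if should_apply_sysctl "$SAMPLE_DIR/container.mounts" "$SAMPLE_DIR/container-root"; then
    echo "container sample: would run systemd-sysctl (unexpected)"
else
    echo "container sample: skipped, as the scriptlet should"
fi
if should_apply_sysctl "$SAMPLE_DIR/host.mounts" "$SAMPLE_DIR/host-root"; then
    echo "host sample: would run systemd-sysctl"
fi
```

The read-only check is the one that matters for the denial in this report; the marker files only cover the common runtimes. In a `--privileged` container /proc/sys is mounted read-write, so neither check would stop the write, and kernel.yama.ptrace_scope is a single kernel-wide setting, so the scriptlet would then change the host's value rather than something private to the container.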