Bug 1608419

Summary: SELinux is preventing cat from 'read, write' accesses on the chr_file /1.

| Field | Value |
|---|---|
| Product | Fedora |
| Reporter | Lukas Slebodnik <lslebodn> |
| Component | container-selinux |
| Assignee | Lokesh Mandvekar <lsm5> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | rawhide |
| CC | amurdaca, dwalsh, fkluknav, jchaloup, lsm5, walters |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | container-selinux-2.69-1.git452b90d.fc28 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2018-08-02 16:22:01 UTC |
| Type | Bug |
Description
Lukas Slebodnik
2018-07-25 13:40:22 UTC
SELinux is preventing cat from getattr access on the chr_file /1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that cat should be allowed getattr access on the 1 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cat' --raw | audit2allow -M my-cat
# semodule -X 300 -i my-cat.pp

```text
Additional Information:
Source Context                system_u:system_r:container_t:s0:c431,c939
Target Context                system_u:object_r:container_file_t:s0:c431,c939
Target Objects                /1 [ chr_file ]
Source                        cat
Source Path                   cat
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-28.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     host.example.com
Platform                      Linux host.example.com 4.18.0-0.rc5.git4.1.fc29.x86_64 #1 SMP Fri Jul 20 17:00:15 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-07-25 09:31:43 EDT
Last Seen                     2018-07-25 09:31:43 EDT
Local ID                      ef61a86a-7c14-4b3a-aac8-d7a9125ca33c

Raw Audit Messages
type=AVC msg=audit(1532525503.797:432): avc: denied { getattr } for pid=9125 comm="cat" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c431,c939 tcontext=system_u:object_r:container_file_t:s0:c431,c939 tclass=chr_file permissive=1

Hash: cat,container_t,container_file_t,chr_file,getattr
```

Versions:

```text
rpm -q docker container-selinux
docker-1.13.1-60.git9cb56fd.fc29.x86_64
container-selinux-2.68-2.gitc139a3d.fc29.noarch
```

How to reproduce:

1. dnf install -y docker
2. systemctl start docker
3. systemctl enable docker
4. /usr/bin/docker run --rm -t docker.io/fedora:28 cat /etc/os-release

```text
sh# /usr/bin/docker run --rm -t docker.io/fedora:28 cat /etc/os-release
sh# ausearch -m avc -i
----
type=AVC msg=audit(07/25/2018 09:31:03.292:412) : avc: denied { read write } for pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
----
type=AVC msg=audit(07/25/2018 09:31:03.293:413) : avc: denied { read write } for pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
----
type=AVC msg=audit(07/25/2018 09:31:03.293:414) : avc: denied { read write } for pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
----
type=AVC msg=audit(07/25/2018 09:31:03.293:415) : avc: denied { read write } for pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
sh# setenforce 0
sh# /usr/bin/docker run --rm -t docker.io/fedora:28 cat /etc/os-release
NAME=Fedora
VERSION="28 (Twenty Eight)"
ID=fedora
VERSION_ID=28
PLATFORM_ID="platform:f28"
PRETTY_NAME="Fedora 28 (Twenty Eight)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:28"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=28
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=28
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
sh# ausearch -m avc -i
type=PROCTITLE msg=audit(07/25/2018 09:46:03.554:444) : proctitle=/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /etc/os-release
type=PATH msg=audit(07/25/2018 09:46:03.554:444) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=16800828 dev=fd:05 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c335,c923 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/25/2018 09:46:03.554:444) : item=1 name=/usr/bin/coreutils inode=27264070 dev=fd:05 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c335,c923 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/25/2018 09:46:03.554:444) : item=0 name=/usr/bin/cat inode=27264047 dev=fd:05 mode=file,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c335,c923 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/25/2018 09:46:03.554:444) : cwd=/
type=EXECVE msg=audit(07/25/2018 09:46:03.554:444) : argc=4 a0=/usr/bin/coreutils a1=--coreutils-prog-shebang=cat a2=/usr/bin/cat a3=/etc/os-release
type=BPRM_FCAPS msg=audit(07/25/2018 09:46:03.554:444) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pa=none pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pa=none
type=BPRM_FCAPS msg=audit(07/25/2018 09:46:03.554:444) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pa=none pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pa=none
type=SYSCALL msg=audit(07/25/2018 09:46:03.554:444) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc420110790 a1=0xc4201889e0 a2=0xc420077ec0 a3=0x0 items=3 ppid=9328 pid=9346 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=unset comm=cat exe=/usr/bin/coreutils subj=system_u:system_r:container_t:s0:c335,c923 key=(null)
type=AVC msg=audit(07/25/2018 09:46:03.554:444) : avc: denied { read write } for pid=9346 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c335,c923 tcontext=system_u:object_r:container_file_t:s0:c335,c923 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(07/25/2018 09:46:03.683:446) : proctitle=/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /etc/os-release
type=SYSCALL msg=audit(07/25/2018 09:46:03.683:446) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7fffa1f2fe90 a2=0x7fffa1f2fe90 a3=0x5612d11ea010 items=0 ppid=9328 pid=9346 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=unset comm=cat exe=/usr/bin/coreutils subj=system_u:system_r:container_t:s0:c335,c923 key=(null)
type=AVC msg=audit(07/25/2018 09:46:03.683:446) : avc: denied { getattr } for pid=9346 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c335,c923 tcontext=system_u:object_r:container_file_t:s0:c335,c923 tclass=chr_file permissive=1
sh#
sh# docker info | sed -ne '/Storage Driver/,+20p'
Storage Driver: devicemapper
 Pool Name: fedora_sde--ci--works06-docker--pool
 Pool Blocksize: 524.3 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file:
 Metadata file:
 Data Space Used: 328.7 MB
 Data Space Total: 593.3 GB
 Data Space Available: 593 GB
 Metadata Space Used: 462.8 kB
 Metadata Space Total: 1.514 GB
 Metadata Space Available: 1.514 GB
 Thin Pool Minimum Free Space: 59.33 GB
WARNING: You're not using the default seccomp profile
 Udev Sync Supported: true
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true
 Deferred Deleted Device Count: 0
 Library Version: 1.02.149 (2018-07-19)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: oci runc
Default Runtime: oci
Init Binary: /usr/libexec/docker/docker-init-current
containerd version: b640dbe0fedca9bda6836ba68592f757aa377c28 (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: b640dbe0fedca9bda6836ba68592f757aa377c28-dirty (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options: seccomp
WARNING: You're not using the default seccomp profile
 Profile: /etc/docker/seccomp.json
 selinux
Kernel Version: 4.18.0-0.rc5.git4.1.fc29.x86_64
Operating System: Fedora 29 (Rawhide)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 16
Total Memory: 78.54 GiB
Name: sde-ci-works06.lab.eng.bos.redhat.com
ID: SRYY:3H4S:BCIN:QFUI:QEY7:Q3P5:2NXQ:SJQD:GRSE:EZ5V:LZR2:P4O5
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: true
Registries: docker.io (secure), registry.fedoraproject.org (secure), quay.io (secure), registry.access.redhat.com (secure), registry.centos.org (secure), docker.io (secure)
```

Comment

Is this on an ostree based system?

Comment #6
Daniel Walsh

It looks to me like the container-selinux package was not installed correctly.

Comment #7
Daniel Walsh

grep expand /etc/selinux/semanage.conf

Comment #8

(In reply to Daniel Walsh from comment #6)
> It looks to me like the container-selinux package was not installed
> correctly.

(In reply to Daniel Walsh from comment #7)
> grep expand /etc/selinux/semanage.conf

Yes, seems to be the same issue as in https://bugzilla.redhat.com/show_bug.cgi?id=1600242#c3

Comment #9
Daniel Walsh

If you change it to 0 and do semodule -B does the problem go away?

Comment

(In reply to Daniel Walsh from comment #9)
> If you change it to 0 and do semodule -B does the problem go away?

Yes, that helped.

* edit /etc/selinux/semanage.conf
* dnf install -y docker
* systemctl start docker
* /usr/bin/docker run --rm -t docker.io/fedora:28 cat /etc/os-release

Sorry that it was not clear from comment 8

Comment

container-selinux-2.69-1.git452b90d.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d

Comment

The latest libsemanage is supposed to have that setting by default.

Comment

container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d

Comment

container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
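As an added example (not code from the bug report or from the container-selinux project), the POSIX shell below summarises AVC records in the `ausearch -m avc -i` format quoted in this report, using two of the report's own lines as constructed sample input, and reads the `expand-check` value from a semanage.conf file, the setting comments #7 and #9 point at. The path /etc/selinux/semanage.conf and the "unset" result for a file without the key are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Summarise AVC denials of the kind
# shown above and check the semanage.conf setting that the thread identified
# as the cause. Sample input is constructed from lines quoted in the report.

AVC_SAMPLE='type=AVC msg=audit(07/25/2018 09:31:03.292:412) : avc: denied { read write } for pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
type=AVC msg=audit(07/25/2018 09:46:03.683:446) : avc: denied { getattr } for pid=9346 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c335,c923 tcontext=system_u:object_r:container_file_t:s0:c335,c923 tclass=chr_file permissive=1'

# avc_summarize: read AVC records on stdin, print one line per record as
#   <source type> <target type> <class> <permissions> <enforced|permissive>
avc_summarize() {
    awk '
    /^type=AVC/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep text after "denied {"
        sub(/ *[}].*/, "", perms)           # drop everything from "}" on
        src = ""; tgt = ""; cls = ""; mode = "enforced"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        print src, tgt, cls, perms, mode
    }'
}

# expand_check_value: print the expand-check value set in the given
# semanage.conf (commented lines are ignored); "unset" if the key is absent.
expand_check_value() {
    awk -F= '/^[ \t]*expand-check[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v) }
             END { print (v == "" ? "unset" : v) }' "$1"
}

# semanage_needs_rebuild: succeed when expand-check=1, i.e. the state in which
# the thread suggests setting it to 0 and running semodule -B.
semanage_needs_rebuild() {
    [ "$(expand_check_value "$1")" = "1" ]
}

# Stand-alone usage: summarise the sample and, if present, inspect the host file.
printf '%s\n' "$AVC_SAMPLE" | avc_summarize
if [ -r /etc/selinux/semanage.conf ]; then
    echo "expand-check: $(expand_check_value /etc/selinux/semanage.conf)"
fi
```

Run it against `ausearch -m avc -i` output (piped into `avc_summarize`) to see which source/target type pairs are being denied and whether the host was enforcing at the time.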