Bug 1608419

Summary: SELinux is preventing cat from 'read, write' accesses on the chr_file /1.
Product: Fedora
Reporter: Lukas Slebodnik <lslebodn>
Component: container-selinux
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: amurdaca, dwalsh, fkluknav, jchaloup, lsm5, walters
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: container-selinux-2.69-1.git452b90d.fc28
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-08-02 16:22:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Lukas Slebodnik 2018-07-25 13:40:22 UTC
SELinux is preventing cat from 'read, write' accesses on the chr_file /1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cat should be allowed read write access on the 1 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cat' --raw | audit2allow -M my-cat
# semodule -X 300 -i my-cat.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c431,c939
Target Context                system_u:object_r:container_file_t:s0:c431,c939
Target Objects                /1 [ chr_file ]
Source                        cat
Source Path                   cat
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-28.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.18.0-0.rc5.git4.1.fc29.x86_64 #1 SMP Fri Jul 20
                              17:00:15 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-07-25 09:31:43 EDT
Last Seen                     2018-07-25 09:31:43 EDT
Local ID                      ae6d58d2-8403-446f-b499-66f52db07bc8

Raw Audit Messages
type=AVC msg=audit(1532525503.681:430): avc:  denied  { read write } for  pid=9125 comm="cat" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c431,c939 tcontext=system_u:object_r:container_file_t:s0:c431,c939 tclass=chr_file permissive=1


Hash: cat,container_t,container_file_t,chr_file,read,write

Comment 1 Lukas Slebodnik 2018-07-25 13:41:31 UTC
SELinux is preventing cat from getattr access on the chr_file /1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cat should be allowed getattr access on the 1 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cat' --raw | audit2allow -M my-cat
# semodule -X 300 -i my-cat.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c431,c939
Target Context                system_u:object_r:container_file_t:s0:c431,c939
Target Objects                /1 [ chr_file ]
Source                        cat
Source Path                   cat
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-28.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.18.0-0.rc5.git4.1.fc29.x86_64 #1 SMP Fri Jul 20
                              17:00:15 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-07-25 09:31:43 EDT
Last Seen                     2018-07-25 09:31:43 EDT
Local ID                      ef61a86a-7c14-4b3a-aac8-d7a9125ca33c

Raw Audit Messages
type=AVC msg=audit(1532525503.797:432): avc:  denied  { getattr } for  pid=9125 comm="cat" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c431,c939 tcontext=system_u:object_r:container_file_t:s0:c431,c939 tclass=chr_file permissive=1


Hash: cat,container_t,container_file_t,chr_file,getattr

Comment 2 Lukas Slebodnik 2018-07-25 13:43:52 UTC
Versions:
rpm -q docker container-selinux
docker-1.13.1-60.git9cb56fd.fc29.x86_64
container-selinux-2.68-2.gitc139a3d.fc29.noarch

How to reproduce:
1. dnf install -y docker
2. systemctl start docker
3. systemctl enable docker
4. /usr/bin/docker run --rm -t docker.io/fedora:28 cat /etc/os-release

Comment 3 Lukas Slebodnik 2018-07-25 13:48:16 UTC
sh# /usr/bin/docker run --rm -t docker.io/fedora:28 cat /etc/os-release
sh# ausearch -m avc -i
----
type=AVC msg=audit(07/25/2018 09:31:03.292:412) : avc:  denied  { read write } for  pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
----
type=AVC msg=audit(07/25/2018 09:31:03.293:413) : avc:  denied  { read write } for  pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
----
type=AVC msg=audit(07/25/2018 09:31:03.293:414) : avc:  denied  { read write } for  pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
----
type=AVC msg=audit(07/25/2018 09:31:03.293:415) : avc:  denied  { read write } for  pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
sh# setenforce 0
sh# /usr/bin/docker run --rm -t docker.io/fedora:28 cat /etc/os-release
NAME=Fedora
VERSION="28 (Twenty Eight)"
ID=fedora
VERSION_ID=28
PLATFORM_ID="platform:f28"
PRETTY_NAME="Fedora 28 (Twenty Eight)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:28"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=28
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=28
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
sh# ausearch -m avc -i
type=PROCTITLE msg=audit(07/25/2018 09:46:03.554:444) : proctitle=/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /etc/os-release 
type=PATH msg=audit(07/25/2018 09:46:03.554:444) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=16800828 dev=fd:05 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c335,c923 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(07/25/2018 09:46:03.554:444) : item=1 name=/usr/bin/coreutils inode=27264070 dev=fd:05 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c335,c923 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(07/25/2018 09:46:03.554:444) : item=0 name=/usr/bin/cat inode=27264047 dev=fd:05 mode=file,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c335,c923 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(07/25/2018 09:46:03.554:444) : cwd=/ 
type=EXECVE msg=audit(07/25/2018 09:46:03.554:444) : argc=4 a0=/usr/bin/coreutils a1=--coreutils-prog-shebang=cat a2=/usr/bin/cat a3=/etc/os-release 
type=BPRM_FCAPS msg=audit(07/25/2018 09:46:03.554:444) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pa=none pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pa=none 
type=BPRM_FCAPS msg=audit(07/25/2018 09:46:03.554:444) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap old_pa=none pp=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pi=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pe=chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap pa=none 
type=SYSCALL msg=audit(07/25/2018 09:46:03.554:444) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xc420110790 a1=0xc4201889e0 a2=0xc420077ec0 a3=0x0 items=3 ppid=9328 pid=9346 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=unset comm=cat exe=/usr/bin/coreutils subj=system_u:system_r:container_t:s0:c335,c923 key=(null) 
type=AVC msg=audit(07/25/2018 09:46:03.554:444) : avc:  denied  { read write } for  pid=9346 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c335,c923 tcontext=system_u:object_r:container_file_t:s0:c335,c923 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(07/25/2018 09:46:03.683:446) : proctitle=/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /etc/os-release 
type=SYSCALL msg=audit(07/25/2018 09:46:03.683:446) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7fffa1f2fe90 a2=0x7fffa1f2fe90 a3=0x5612d11ea010 items=0 ppid=9328 pid=9346 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=unset comm=cat exe=/usr/bin/coreutils subj=system_u:system_r:container_t:s0:c335,c923 key=(null) 
type=AVC msg=audit(07/25/2018 09:46:03.683:446) : avc:  denied  { getattr } for  pid=9346 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c335,c923 tcontext=system_u:object_r:container_file_t:s0:c335,c923 tclass=chr_file permissive=1
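
As an added example (not part of the bug report), a small triage parser for AVC records shaped like the ones pasted above: it extracts the source and target types, object class and permissions, separates enforced (permissive=0) from permissive (permissive=1) hits, and flags container_t denials on container_file_t, which mirrors the diagnosis Daniel Walsh reaches in comment 6. The sample records are constructed from the lines in this bug, with an unrelated SYSCALL record included to show that it is skipped.

```python
import re

# Constructed sample audit records, modelled on the AVC lines pasted in this bug:
# one enforcing denial, one permissive denial, and an unrelated SYSCALL record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1532525503.681:430): avc:  denied  { read write } for  pid=9125 comm="cat" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c431,c939 tcontext=system_u:object_r:container_file_t:s0:c431,c939 tclass=chr_file permissive=1
type=AVC msg=audit(07/25/2018 09:31:03.292:412) : avc:  denied  { read write } for  pid=8966 comm=cat path=/1 dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c494,c948 tcontext=system_u:object_r:container_file_t:s0:c494,c948 tclass=chr_file permissive=0
type=SYSCALL msg=audit(07/25/2018 09:46:03.683:446) : arch=x86_64 syscall=fstat success=yes exit=0 comm=cat subj=system_u:system_r:container_t:s0:c335,c923
"""

# Matches both the raw (epoch timestamp, quoted comm) and `ausearch -i` (interpreted) layouts.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r'comm="?(?P<comm>[^" ]+)"?.*?'
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\S+).*?permissive=(?P<permissive>[01])"
)

def selinux_type(context):
    """Type component (user:role:TYPE:level) of an SELinux context string."""
    return context.split(":")[2]

def parse_avc(line):
    """Fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # permissive=0 means the kernel actually blocked the access; =1 means it only logged it.
    return {"perms": tuple(m["perms"].split()), "comm": m["comm"],
            "stype": selinux_type(m["scontext"]), "ttype": selinux_type(m["tcontext"]),
            "tclass": m["tclass"], "enforced": m["permissive"] == "0"}

def summarise(audit_text):
    """Group denials by (source type, target type, class, perms); count enforced vs permissive."""
    summary = {}
    for rec in filter(None, map(parse_avc, audit_text.splitlines())):
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        counts = summary.setdefault(key, {"enforced": 0, "permissive": 0})
        counts["enforced" if rec["enforced"] else "permissive"] += 1
    return summary

def suspected_missing_policy(summary):
    """container_t is meant to be allowed access to container_file_t, so denials between the two
    (with matching MCS categories on both sides, as here) point at container-selinux not being
    loaded rather than at a mislabelled file: the conclusion reached in comment 6."""
    return [k for k in summary if k[:2] == ("container_t", "container_file_t")]
```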

Comment 4 Lukas Slebodnik 2018-07-25 13:50:17 UTC
sh# docker info | sed -ne '/Storage Driver/,+20p'
Storage Driver: devicemapper
 Pool Name: fedora_sde--ci--works06-docker--pool
 Pool Blocksize: 524.3 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: 
 Metadata file: 
 Data Space Used: 328.7 MB
 Data Space Total: 593.3 GB
 Data Space Available: 593 GB
 Metadata Space Used: 462.8 kB
 Metadata Space Total: 1.514 GB
 Metadata Space Available: 1.514 GB
 Thin Pool Minimum Free Space: 59.33 GB
  WARNING: You're not using the default seccomp profile
 Udev Sync Supported: true
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true
 Deferred Deleted Device Count: 0
 Library Version: 1.02.149 (2018-07-19)
Logging Driver: journald
Cgroup Driver: systemd
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
 Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: oci runc
Default Runtime: oci
Init Binary: /usr/libexec/docker/docker-init-current
containerd version: b640dbe0fedca9bda6836ba68592f757aa377c28 (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: b640dbe0fedca9bda6836ba68592f757aa377c28-dirty (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 seccomp
  WARNING: You're not using the default seccomp profile
  Profile: /etc/docker/seccomp.json
 selinux
Kernel Version: 4.18.0-0.rc5.git4.1.fc29.x86_64
Operating System: Fedora 29 (Rawhide)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 16
Total Memory: 78.54 GiB
Name: sde-ci-works06.lab.eng.bos.redhat.com
ID: SRYY:3H4S:BCIN:QFUI:QEY7:Q3P5:2NXQ:SJQD:GRSE:EZ5V:LZR2:P4O5
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: true
Registries: docker.io (secure), registry.fedoraproject.org (secure), quay.io (secure), registry.access.redhat.com (secure), registry.centos.org (secure), docker.io (secure)

Comment 5 Daniel Walsh 2018-07-25 14:13:42 UTC
Is this on an ostree based system?

Comment 6 Daniel Walsh 2018-07-25 14:14:22 UTC
It looks to me like the container-selinux package was not installed correctly.

Comment 7 Daniel Walsh 2018-07-25 14:15:04 UTC
grep expand /etc/selinux/semanage.conf

Comment 8 Lukas Slebodnik 2018-07-25 20:56:34 UTC
(In reply to Daniel Walsh from comment #6)
> It looks to me like the container-selinux package was not installed
> correctly.

(In reply to Daniel Walsh from comment #7)
> grep expand /etc/selinux/semanage.conf

Yes, it seems to be the same issue as in https://bugzilla.redhat.com/show_bug.cgi?id=1600242#c3

Comment 9 Daniel Walsh 2018-07-25 21:08:37 UTC
If you change it to 0 and do semodule -B does the problem go away?

Comment 10 Lukas Slebodnik 2018-07-26 11:08:33 UTC
(In reply to Daniel Walsh from comment #9)
> If you change it to 0 and do semodule -B does the problem go away?

Yes, that helped.

* edit /etc/selinux/semanage.conf
* dnf install -y docker
* systemctl start docker
* /usr/bin/docker run --rm -t docker.io/fedora:28 cat /etc/os-release

Sorry that it was not clear from comment 8.

Comment 11 Fedora Update System 2018-07-26 11:53:01 UTC
container-selinux-2.69-1.git452b90d.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d

Comment 12 Daniel Walsh 2018-07-26 12:24:43 UTC
The latest libsemanage is supposed to have that setting by default.

Comment 13 Fedora Update System 2018-07-26 16:34:11 UTC
container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d

Comment 14 Fedora Update System 2018-08-02 16:22:01 UTC
container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.