Bug 1675125

Summary: Moby-engine - SELinux is not enabled in Moby Engine in the systemd unit file
Product: [Fedora] Fedora Reporter: Scott McCarty <smccarty>
Component: moby-engineAssignee: fedora.dm0
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 29CC: adimania, admiller, amurdaca, cje, damichae, dustymabe, dwalsh, fedora.dm0, ichavero, jcajka, lantw44, lsm5, nalin, pasik, santiago, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-15 04:09:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott McCarty 2019-02-11 19:56:18 UTC 
Description of problem:
The --selinux-enabled option is not enabled in the systemd unit file, and there does not appear to be a "config" option in etc.

Version-Release number of selected component (if applicable):
moby-engine-18.06.0-1.ce.git0ffa825.fc29.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install moby engine
2. Run bash in a container
3. Inspect the SELinux context of the bash process in the container

Actual results:

Terminal #1
=======================================================================
[root@fedora ~]# which docker
/usr/bin/docker
 
[root@fedora ~]# rpm -qf /usr/bin/docker
moby-engine-18.06.0-1.ce.git0ffa825.fc29.x86_64
 
docker run -it fedora bash
 
podman run -it fedora bash
 
Terminal #1
=======================================================================
Docker Output
 
[root@fedora ~]# ps -efZ | grep bash
unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 root 27937 985  2 13:06 pts/0 00:00:00 docker run -it fedora bash
system_u:system_r:spc_t:s0      root     27972 27954  1 13:06 pts/0    00:00:00 bash
 
Podman Output
 
[root@fedora ~]# ps -efZ | grep bash
unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 root 28073 985  0 13:06 pts/0 00:00:00 podman run -it fedora bash
system_u:system_r:container_t:s0:c326,c566 root 28160 28148  0 13:06 pts/0 00:00:00 bash

Expected results:

system_u:system_r:container_t:s0:c326,c566 root 28160 28148  0 13:06 pts/0 00:00:00 bash

Additional info:

Notice the bash ran under moby engine has this context: spc_t
Comment 1 Scott McCarty 2019-02-11 19:58:00 UTC 
More info here: https://www.openwall.com/lists/oss-security/2019/02/11/2

Also, I verified that you can add a --selinux-enabled to the systemd unit file like this, which protects the host:

ExecStart=/usr/bin/dockerd --selinux-enabled
Comment 2 Daniel Walsh 2019-02-12 13:26:34 UTC 
I think in the latest moby, you can set this flag in a file in /etc/.  /etc/docker.json or /etc/config/docker.json or something like that.  Would be better to allow uses to easily change the defaults.
Comment 3 Scott McCarty 2019-02-12 14:16:00 UTC 
Dan,
    You are dead on. I don't know the rules in Fedora, can we just rebase to master? I agree everything looks good in Master. 

If we can't rebase, it looks like The F29 branch doesn't have a docker.sysconfig nor a docker.service file, so I believe the spec file uses the upstream. The Master branch, on the other hand, has both and "should" start correctly (I haven't been able to build a package to test yet). Sadly, I "tried" to add the files to f29 branch, but I can't push files (can't figure out what password to use for the Fedora GitLab instance :-( ).

That said, I "think" all that needs done is to copy these two files from the Master branch, to the F29 branch, and rebuild. I looked at the spec file between the two and didn't see anything different. I think the Fedora package just "overwrites" the original files in the upstream...
Comment 4 David Michael 2019-02-14 16:41:26 UTC 
As noted, this was done for Fedora 30 a few months ago, but changing a default setting like enabling SELinux seems like it would be disruptive to existing users on a released version.  Fedora 29 users that want SELinux can change the setting with the standard systemd methods, such as making a dropin with "systemctl edit docker" containing:

    [Service]
    ExecStart=
    ExecStart=/usr/bin/dockerd --selinux-enabled

If the concern with this is CVE-2019-5736, the fix was pushed for testing when the embargo lifted on Monday: https://bodhi.fedoraproject.org/updates/FEDORA-2019-352d4b9cd8
Comment 5 Scott McCarty 2019-02-14 17:22:05 UTC 
(In reply to David Michael from comment #4)
> As noted, this was done for Fedora 30 a few months ago, but changing a
> default setting like enabling SELinux seems like it would be disruptive to
> existing users on a released version.  Fedora 29 users that want SELinux can
> change the setting with the standard systemd methods, such as making a
> dropin with "systemctl edit docker" containing:
> 
>     [Service]
>     ExecStart=
>     ExecStart=/usr/bin/dockerd --selinux-enabled
> 
> If the concern with this is CVE-2019-5736, the fix was pushed for testing
> when the embargo lifted on Monday:
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-352d4b9cd8

Kinda, it was more that defense in depth is good because that specific CVE likely won't be the last, and F29 is the latest version. I totally understand if you want to wait until F30 though. It looks good in master.
Comment 6 cje 2019-02-22 13:19:57 UTC 
FYI i've tried adding {"selinux-enabled": true} in /etc/docker/daemon.json and that looks like it works, because if i add it to the ExecStart in the .service file as well then the service fails with "directives are specified both as a flag and in the configuration file: selinux-enabled: (from flag: true, from file: true)".
Comment 7 Scott McCarty 2019-03-11 02:45:28 UTC 
cje I tried it again on Fedora 29, and SELinux still doesn't seem enabled by default...
Comment 8 Dusty Mabe 2019-03-11 13:51:51 UTC 
(In reply to Scott McCarty from comment #7)
> cje I tried it again on Fedora 29, and SELinux still doesn't
> seem enabled by default...

Right. That is by design. David decided that it would be a breaking change to enable SELinux in the middle of a release (see comment#4) . I agree with him. We don't want users systems to just stop working overnight. They'll get the better security defaults in F30.
Comment 9 Daniel Walsh 2019-03-12 13:05:30 UTC 
Couldn't they get it only when fresh install.  Even in F30 we don't want to update a F29 system and have Moby broken in F30.
Comment 12 Dusty Mabe 2019-04-10 00:45:32 UTC 
(In reply to Daniel Walsh from comment #9)
> Couldn't they get it only when fresh install.  Even in F30 we don't want to
> update a F29 system and have Moby broken in F30.

I defer to David or Lokesh (maintainers of the package) on this. They'd be able to say how much work it would be or if it would be worth doing it over waiting for f30.
Comment 13 David Michael 2019-05-15 04:09:31 UTC 
This is fixed in F30 and rawhide while F29 was left as is for compatibility, so I think this can be closed.