Bug 1677251

Summary: AVC while running php container [x86_64 only]
Product: Red Hat Enterprise Linux 8 Reporter: Lukáš Zachar <lzachar>
Component: container-selinuxAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0CC: ddarrah, dwalsh, jorton, lvrabec, mmalik, plautrba, ssekidde, tjaros, ypu, zpytela
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: container-selinux 2.86 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 21:01:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukáš Zachar 2019-02-14 11:16:37 UTC 
Description of problem:

AVC happens when php container is run, but only on x86_64.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-52.el8


How reproducible:


Steps to Reproduce:
1. podman run --rm -ti brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel8/php-72:1-11 php -v
2. ausearch -m avc -i -ts recent

Actual results:
----
type=PROCTITLE msg=audit(14/02/19 06:11:24.785:8127) : proctitle=php -v 
type=SYSCALL msg=audit(14/02/19 06:11:24.785:8127) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x55f272a00000 a1=0x200000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_HUGETLB items=0 ppid=28117 pid=28127 auid=root uid=unknown(1001) gid=root euid=unknown(1001) suid=unknown(1001) fsuid=unknown(1001) egid=root sgid=root fsgid=root tty=pts0 ses=149 comm=php exe=/usr/bin/php subj=system_u:system_r:container_t:s0:c402,c500 key=(null) 
type=AVC msg=audit(14/02/19 06:11:24.785:8127) : avc:  denied  { execute } for  pid=28127 comm=php path=/anon_hugepage (deleted) dev="hugetlbfs" ino=2454127 scontext=system_u:system_r:container_t:s0:c402,c500 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0

Expected results:
no avc

Additional info:
https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/20110649
-->  http://artifacts.osci.redhat.com/baseos-ci/brew-build/20/11/06/20110649/https___baseos-jenkins.rhev-ci-vms.eng.rdu2.redhat.com-ci-beaker-docker/108/tests-sheep-61.lab.eng.brq.redhat.com/recipes/1/tasks/1/logs/taskout.log
Comment 1 Joe Orton 2019-02-15 08:59:22 UTC 
There is a php config option to turn off huge pages if this can't be supported in containers, though I assume this was working in the RHEL7 containers (haven't checked) so need to work out why it started failing now.
Comment 2 Lukáš Zachar 2019-02-15 09:44:27 UTC 
I'm starting to think I didn't pay attention to selinux avc in previous testing. On rhel-7's docker is produces same 
AVC
Comment 3 Daniel Walsh 2019-03-01 10:26:53 UTC 
FIxed in container-selinux-2.86
Comment 6 Joy Pu 2019-09-27 12:18:04 UTC 
Can reproduced with selinux-policy-3.14.1-52.el8.noarch and test with selinux-policy-3.14.3-20.el8.noarch it works as expect. So set this to verified. Details:
# podman run --rm -ti brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel8/php-72:1-11 php -v
Trying to pull brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhel8/php-72:1-11...Getting image source signatures
Copying blob e1456a520312 done
Copying blob 906eb0786e5b done
Copying blob 251702110414 done
Copying blob 1d90b227b489 done
Copying blob b2085224bc28 done
Copying config 28389eca49 done
Writing manifest to image destination
Storing signatures
PHP 7.2.11 (cli) (built: Oct  9 2018 15:09:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.11, Copyright (c) 1999-2018, by Zend Technologies
# ausearch -m avc -i -ts recent
<no matches>
Comment 8 errata-xmlrpc 2019-11-05 21:01:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3403