Bug 1943617
| Summary: | mount overlay in a user namespace doesn't work when a selinux label is specified | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Giuseppe Scrivano <gscrivan> |
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 34 | CC: | acaringi, adscvr, airlied, alciregi, bskeggs, dwalsh, hdegoede, jarodwilson, jeremy, jforbes, jglisse, jonathan, josef, kernel-maint, lgoncalv, linville, masami256, mchehab, ptalbert, rmetrich, steved |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | kernel-5.12.9-200.fc33 kernel-5.12.9-300.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-08 01:07:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Giuseppe Scrivano
2021-03-26 15:58:49 UTC
We would really like to get this into peoples hands so we could test it before we put it in RHEL8.5 in the fall. I think I'm hitting this as well.
I'm using a user namespace, I need the context= option to be supplied otherwise the overlay file system gets the context of my user, "unconfined_u:unconfined_r:unconfined_t" which prevents from executing binaries hosted on the overlay file system.
See reproducer below:
1. Create a minimal environment suitable to be chroot'ed into
(user) $ sudo dnf install --installroot=$PWD/miniroot --releasever=/ bash
(user) $ unshare -Urm
(fakeroot) # id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(fakeroot) # mkdir /tmp/foo
2. Mount the overlay without context= option: prevents from chroot'ing
(fakeroot) # mount -t overlay overlay -o lowerdir=$PWD/miniroot:/mnt /tmp/foo
(fakeroot) # ls -Z /tmp/foo/bin/bash
unconfined_u:object_r:unconfined_t:s0 /tmp/foo/bin/bash
(fakeroot) # chroot /tmp/foo
chroot: failed to run command ‘/bin/bash’: Permission denied
3. Move to Permissive and retry to collect all the AVCs
(root) # setenforce 0
(fakeroot) # chroot /tmp/foo
(chroot) bash-5.1# exit
(root) # ausearch -m avc -ts recent
----
time->Wed Jun 2 07:55:40 2021
type=AVC msg=audit(1622613340.469:1549): avc: denied { execute } for pid=14674 comm="chroot" name="bash" dev="overlay" ino=793408 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=1
----
time->Wed Jun 2 07:55:40 2021
type=AVC msg=audit(1622613340.469:1550): avc: denied { execute_no_trans } for pid=14674 comm="chroot" path="/usr/bin/bash" dev="overlay" ino=793408 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=1
----
time->Wed Jun 2 07:55:40 2021
type=AVC msg=audit(1622613340.469:1551): avc: denied { map } for pid=14674 comm="bash" path="/usr/bin/bash" dev="overlay" ino=793408 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=1
(fakeroot) # umount /tmp/foo
4. Mount the overlay with context= option: doesn't work
(fakeroot) # mount -t overlay overlay -o lowerdir=$PWD/miniroot:/mnt,context=system_u:object_r:tmp_t:s0 /tmp/foo
mount: /tmp/foo: cannot mount overlay read-only.
Strace shows:
15115 08:02:59.951282 mount("overlay", "/tmp/foo", "overlay", MS_RDONLY, "lowerdir=/home/rmetrich/miniroot:/mnt,context=\"system_u:object_r:tmp_t:s0\"") = -1 EACCES (Permission denied) <0.000100>
dmesg shows:
SELinux: security_context_str_to_sid() failed for (dev overlay, type overlay) errno=-22
Now that the patch is accepted upstream, I have cherry-picked it back to the 5.12 branch for Fedora, this should appear in 5.12.9 and newer kernels. Hi Justin,
Do you know if that will also fix the issue that arises when not using "context=" option: overlay mount shows labels of the process ("unconfined_X") which is non-sense for files.
See my comment " 2. Mount the overlay without context= option: prevents from chroot'ing "
Renaud.
FEDORA-2021-c2b2f23a6f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c2b2f23a6f FEDORA-2021-21f80017d0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-21f80017d0 FEDORA-2021-c2b2f23a6f has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c2b2f23a6f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c2b2f23a6f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-21f80017d0 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-21f80017d0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-21f80017d0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-21f80017d0 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-c2b2f23a6f has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. 5.12.9-300.fc34.x86_64 works just fine for me: contexts appear properly. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days |