Bug 2025445
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | AVC prevents ping -I from running in UBI 8 container | | |
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Chen <cchen> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.5 | CC: | aos-bugs, cldavey, dornelas, dwalsh, jnovy, jwboyer, keyoung, lvrabec, miabbott, mmalik, pibanezr, pprahlad, ssekidde, toneata, xzhou, ykashtan, zpytela |
| Target Milestone: | rc | Keywords: | Triaged, ZStream |
| Target Release: | 8.6 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-85.el8 | Doc Type: | Bug Fix |
| Doc Text: | (see below) | Story Points: | --- |
| Clone Of: | | | |
| | 2027691 2029802 (view as bug list) | Environment: | |
| Last Closed: | 2022-05-10 15:15:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2027691, 2029802 | | |

Doc Text:

Cause: The policy does not allow the container_t domain to node_bind to an icmp_socket.

Consequence: The ping command executed from inside the container is not allowed to set the source address with the "-I" switch.

Fix: The rule to allow the corenet_unconfined_type attribute to node_bind to icmp_socket was added to the policy.

Result: "ping -I" works as expected.
Which version of container-selinux are you using?

Hi Jindrich,

On worker node I have:

```
# rpm -q container-selinux
container-selinux-2.167.0-1.module+el8.4.0+12646+b6fd1bdf.noarch
```

Best Regards,
Chen

Looks to me like the update failed or you are using the old policy. Can you execute semodule -B to recompile the policy and see if the container-selinux package was updated?

Hi Daniel, Jindrich,

I ran the semodule -B but still the same result. So in theory the 2.171 container-selinux should contain the fix, am I correct?

On worker node:

```
sh-4.4# rpm -qa | grep container
containernetworking-plugins-0.9.1-1.module+el8.4.0+11822+6cc1e7d7.x86_64
containers-common-1.3.1-5.module+el8.4.0+11990+22932769.x86_64
container-selinux-2.171.0-1.module+el8.5.0+13418+bc0307a5.noarch
sh-4.4# > /var/log/audit/audit.log
sh-4.4# semodule -B
```

In POD:

```
sh-4.4# ping -I 10.128.2.24 8.8.8.8
bind: Permission denied
```

On worker node:

```
sh-4.4# grep ping /var/log/audit/audit.log
type=AVC msg=audit(1637631198.704:101): avc: denied { node_bind } for pid=3181018 comm="ping" saddr=10.128.2.24 scontext=system_u:system_r:container_t:s0:c13,c407 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
type=SYSCALL msg=audit(1637631198.704:101): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=55d421d45070 a2=10 a3=7f44cb1d4280 items=0 ppid=3118334 pid=3181018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:container_t:s0:c13,c407 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
```
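The AVC record above is what audit2allow later in this thread turns into `allow container_t node_t:icmp_socket node_bind;`. As an added example that is not part of this bug report (and not Red Hat's audit2allow code), the following Python reimplements the small part of that derivation the workaround depends on: keep only `type=AVC ... denied` records (the paired SYSCALL record carries no avc fields and is skipped), take the type field out of scontext and tcontext, group denied permissions per (source type, target type, class), and emit a module in the same shape as `audit2allow -M`. The sample log is constructed: the first record is the denial quoted above, the other AVC records are made up to show grouping across MCS categories and across object classes. Function names are this example's own.

```python
"""Derive SELinux allow rules from AVC denial records (audit2allow-style).

Added example for bug 2025445; helper names and sample records are
constructed for illustration and are not part of the bug report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log.  Record 1 is the AVC line quoted in this bug.
# Record 2 is the matching SYSCALL record, which must be ignored.
# Record 3 is the same denial from a second pod with other MCS categories
# (constructed) and record 4 is an unrelated constructed denial, so the
# grouping of permissions per (source, target, class) is visible.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1637631198.704:101): avc: denied { node_bind } for pid=3181018 comm="ping" saddr=10.128.2.24 scontext=system_u:system_r:container_t:s0:c13,c407 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
type=SYSCALL msg=audit(1637631198.704:101): arch=c000003e syscall=49 success=no exit=-13 comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:container_t:s0:c13,c407 key=(null)
type=AVC msg=audit(1637569623.551:1816): avc:  denied  { node_bind } for  pid=2923238 comm="ping" saddr=10.131.1.153 scontext=system_u:system_r:container_t:s0:c41,c603 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
type=AVC msg=audit(1637569700.000:1900): avc:  denied  { read write } for  pid=4242 comm="demo" path="/proc/net/dev" scontext=system_u:system_r:container_t:s0:c41,c603 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
"""

# Real audit.log uses double spaces around "denied" and "for"; extraction
# often collapses them, so whitespace is matched loosely.
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\b"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset
    comm: str
    permissive: bool  # permissive=1 records were logged but not enforced


def context_type(context: str) -> str:
    """Return the type field of a context (user:role:type[:range])."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return fields[2]


def parse_avc_denials(log_text: str) -> list:
    """Extract every AVC denial record from audit.log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, granted or non-AVC record
        comm = COMM_RE.search(line)
        denials.append(Denial(
            source_type=context_type(m["scontext"]),
            target_type=context_type(m["tcontext"]),
            tclass=m["tclass"],
            perms=frozenset(m["perms"].split()),
            comm=comm.group(1) if comm else "",
            permissive=m["permissive"] == "1",
        ))
    return denials


def format_perms(perms) -> str:
    """Single permission bare, several in braces, as audit2allow prints them."""
    names = sorted(perms)
    return names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"


def allow_rules(denials) -> list:
    """One allow rule per (source type, target type, class), permissions merged."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d.source_type, d.target_type, d.tclass)].update(d.perms)
    return [f"allow {s} {t}:{c} {format_perms(p)};"
            for (s, t, c), p in sorted(grouped.items())]


def policy_module(name: str, denials, version: str = "1.0") -> str:
    """Render a loadable module source in the layout of `audit2allow -M`."""
    types = sorted({d.source_type for d in denials} | {d.target_type for d in denials})
    classes = defaultdict(set)
    for d in denials:
        classes[d.tclass].update(d.perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("ping_rule", parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

The generated rule is deliberately the narrowest one the record supports (one source type, one target type, one class, only the denied permissions), which is also why a local module of this kind is a stop-gap: the errata fix recorded in the Doc Text grants node_bind on icmp_socket to the whole corenet_unconfined_type attribute in the base policy, so after updating to selinux-policy-3.14.3-85.el8 the local ping_rule module is redundant and can be removed with semodule -r.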
Jindrich, either that container-selinux does not have the fix, or something in the coreos update is failing. Can you just back port the latest container-selinux? It should not cause any problems.

RHAOS-4.6 and on will have at least container-selinux-2.170.0 in next releases which is reasonably recent (and 2.172.0 in 4.10). But without proper RCA we don't really know if it fixes the problem Chen is seeing or not. Chen, Prashanth, it might well be a duplicate of the bug you mentioned in comment #16. Reassigning to selinux-policy (where the fix actually landed) to confirm.

Hi Jindrich,

May I know whether the following workaround can be applied to CoreOS worker node?

```
sh-4.4# cat /var/log/audit/audit.log | audit2allow

#============= container_t ==============
allow container_t node_t:icmp_socket node_bind;
sh-4.4# cd /tmp/
sh-4.4# cat /var/log/audit/audit.log | audit2allow -M ping_rule
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ping_rule.pp

sh-4.4# semodule -i ping_rule.pp
```

Also after applying the ping_rule.pp on CoreOS worker node I can confirm the ping -I <source address> could work inside the POD.

Thank you so much!

Best Regards,
Chen

FYI, -I is for interface:
```
# ping --help
ping: invalid option -- '-'
Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
[-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
[-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
[-w deadline] [-W timeout] [hop1 ...] destination
Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
[-l preload] [-m mark] [-M pmtudisc_option]
[-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
[-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
[-W timeout] destination
```
and that pod definition only has one NIC (the primary).
Hi Yuval,

Thank you for your input. The POD is just a sample and in customer's scenario the POD will use source based routing, so ping -I <source address> is required in customer's scenario.

Best Regards,
Chen

SGTM Chen. Leaving this to Dan/Zdenek to double-confirm.

Backporting the last out of these 3 commits will resolve the reported issue as container_t is corenet_unconfined_type.

```
commit 1aa9e5609375815103d2445df1746cb90a02b55a
Author: Patrik Koncity <pkoncity>
Date:   Tue Aug 11 14:19:29 2020 +0200

    Allow traceroute_t and ping_t to bind generic nodes.

    Use newly created macro corenet_icmp_bind_generic_node() for ping_t and traceroute_t.
    This macro allows binding generic nodes in the node_t domain.

commit 65c1a66265908f3d5a39fa201d6b6f9f2a2981a4
Author: Patrik Koncity <pkoncity>
Date:   Tue Aug 11 13:51:55 2020 +0200

    Create macro corenet_icmp_bind_generic_node()

    This macro allows binding ICMP sockets to generic nodes in the node_t domain.

commit e4f9c9f4f4c5af851410fde006f6589c0bf7f863
Author: Patrik Koncity <pkoncity>
Date:   Wed Aug 5 17:26:20 2020 +0200

    Allow unconfined_t to node_bind icmp_sockets in node_t domain

    When an unconfined user runs ping or traceroute, the process gets the label unconfined_t.
    Allow ping or traceroute, which run as unconfined_t, to node_bind icmp_sockets in the node_t domain.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1848929#c0
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Description of problem:
AVC prevents ping -I from running in UBI 8 container.

Version-Release number of selected component (if applicable):
OCP 4.8

How reproducible:
100%

Steps to Reproduce:
1. oc new-project test-ubi-ping
2. oc add-scc-to-user privileged -z default -n test-ubi-ping
3. Apply the following deployment

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-test
  template:
    metadata:
      labels:
        app: demo-test
      annotations:
    spec:
      containers:
      - name: demotest
        image: quay.io/rhn_support_cchen/testcase:latest
        command: ["/bin/sh"]
        args: ["-c", "while true; do sleep 10000000;done"]
        securityContext:
          capabilities:
            add: ["NET_RAW", "NET_ADMIN"]
```

Actual results:
ping -I <source address> <target address> will fail with bind: permission denied

Checking the audit.log in worker node:

```
type=AVC msg=audit(1637569623.551:1816): avc: denied { node_bind } for pid=2923238 comm="ping" saddr=10.131.1.153 scontext=system_u:system_r:container_:s0:c41,c603 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
```

Expected results:

Additional info:
quay.io/rhn_support_cchen/testcase is built from ubi 8 image with iputils package installed.

```
$ cat Dockerfile
FROM registry.access.redhat.com/ubi8/ubi:8.2
RUN dnf install iputils -y
CMD tail -f /dev/null
```