Bug 2031022

Summary: avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023
Product: Fedora
Reporter: Bruno Goncalves <bgoncalv>
Component: netavark
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: 36
CC: amurdaca, bbaude, bugzilla-redhat, dwalsh, dweomer5, grepl.miroslav, jchaloup, jnovy, lsm5, lvrabec, mheon, mmalik, mmarusak, mpitt, omosnace, pehunt, pkoncity, rh.container.bot, tsweeney, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: CockpitTest
Fixed In Version: container-selinux-2.190.0
Doc Type: If docs needed, set a value
Story Points: ---
Clones: 2089257
Last Closed: 2022-09-18 00:17:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2089257, 2106396

Description Bruno Goncalves 2021-12-10 10:44:56 UTC
Description of problem:
During CKI podman test [1] we've hit the following issue:

avc:  denied  { ioctl } for  pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-35.6-1.fc36.noarch

How reproducible:
It seems easily reproducible with podman test

Steps to Reproduce:
1. Run test [1]


Additional info:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-35.6-1.fc36.noarch

[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/container/podman

Comment 2 Zdenek Pytela 2021-12-10 11:37:43 UTC
Switching the component, there are already some rules in container-selinux:

f35# sesearch -A -s iptables_t -t container_file_t -c dir,file
allow application_domain_type logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iptables_t container_file_t:dir { getattr open search };
allow iptables_t container_file_t:file open;

Comment 3 Martin Pitt 2022-01-10 07:36:05 UTC
In Cockpit we started to see these as well now, in our Fedora CoreOS CI: for example, [1]

audit: type=1400 audit(1641799023.984:237): avc:  denied  { ioctl } for  pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/0fac9b410d57d0f8ae6fa8f042e8672ae70ddbeb4e25845223e35a3b2260c169/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0

Nothing in that test fiddles with iptables, that's somehow internal to podman. But lots of tests start a cockpit/ws container there, so this just feels random. E.g. here [2] and here [3] it hit two different, and completely unrelated tests. We haven't seen this before, and haven't refreshed our CoreOS image in a whole week. Was this some sort of a time bomb? (But I can't imagine SELinux rules being time dependent)

[1] https://logs.cockpit-project.org/logs/pull-16798-20220110-064948-be591291-fedora-coreos/log.html#232
[2] https://logs.cockpit-project.org/logs/pull-2784-20220110-024544-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#152
[3] https://logs.cockpit-project.org/logs/pull-2784-20220110-063907-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#241
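The denials quoted so far look identical apart from the MCS categories on the target, which is the clue that this is a policy-wide gap between iptables_t and container_file_t rather than one misbehaving container. The following is an added triage helper, not code from the bug thread or from podman, netavark or container-selinux: it parses both the kernel/dmesg form and the ausearch record form of an AVC line, groups denials by (source type, target type, class, permission), collects the distinct container labels, and derives the sesearch query from comment 2 that shows what policy currently allows for that pair. The three sample lines are the ones quoted in this bug, embedded here as input so the script runs offline.

```python
import re
from collections import defaultdict

# Sample input: the denial lines quoted in this bug (description, comment 3 and
# comment 5). The first two are the kernel/dmesg form, the third the ausearch
# record form; both carry the same key=value tail after "for".
SAMPLE_LINES = [
    'avc:  denied  { ioctl } for  pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0',
    'audit: type=1400 audit(1641799023.984:237): avc:  denied  { ioctl } for  pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/0fac9b410d57d0f8ae6fa8f042e8672ae70ddbeb4e25845223e35a3b2260c169/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0',
    'type=AVC msg=audit(09/13/2022 10:15:05.216:33510) : avc:  denied  { ioctl } for  pid=179305 comm=iptables path=/var/lib/containers/storage/overlay/bd4ddcdfce3c80350149a8f9d5f9caaf4442ec64ccd646addfb6983a86d8fdef/merged dev="overlay" ino=399476 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c775,c1020 tclass=dir permissive=0',
]

# "avc: denied { perm perm } for <key=value ...>" is common to both record forms.
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<tail>.*)$")
# Values are either double-quoted (comm="iptables") or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'user:role:type:mls' -> (type, mls). The MLS/MCS part may itself contain colons."""
    user, role, type_, *mls = ctx.split(":")
    return type_, ":".join(mls)


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("tail"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = m.group("perms").split()
    rec["stype"], rec["smls"] = split_context(rec["scontext"])
    rec["ttype"], rec["tmls"] = split_context(rec["tcontext"])
    rec["enforced"] = rec.get("permissive") == "0"  # permissive=0 means the access really failed
    return rec


def sesearch_query(rec):
    """The setools query that lists what policy already allows for this exact pair,
    i.e. the check done by hand in comment 2, narrowed to the denied permission."""
    return ["sesearch", "-A", "-s", rec["stype"], "-t", rec["ttype"],
            "-c", rec["tclass"], "-p", ",".join(rec["perms"])]


def summarize(lines):
    """Group denials by (source type, target type, class, permission); keep the distinct
    target MCS labels and comm names so it is visible how many containers are affected."""
    groups = defaultdict(lambda: {"count": 0, "labels": set(), "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"], perm)]
            g["count"] += 1
            g["labels"].add(rec["tmls"])
            g["comms"].add(rec["comm"])
    return dict(groups)


if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LINES).items():
        print(f"{key}: {g['count']} denials, {len(g['labels'])} distinct container labels, comm={sorted(g['comms'])}")
    print("policy check:", " ".join(sesearch_query(parse_avc(SAMPLE_LINES[0]))))
```

Three denials against three different category pairs (c878,c982; c1022,c1023; c775,c1020) from the same iptables_t source is the signature of a missing type-level allow rule, which is why the fix landed in container-selinux rather than in any one container's labelling.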

Comment 4 Ben Cotton 2022-02-08 21:15:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.

Comment 5 Zdenek Pytela 2022-09-13 14:35:15 UTC
It seems it is /usr/libexec/podman/netavark which executes iptables which tries to ioctl /var/lib/containers/storage/overlay/HASH/merged on execve:

    PID    PPID COMMAND                     CONTEXT
    685     670 bash -l                     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 179294     685 podman run -p 9090:9090 -d  unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
 179304  179294 /usr/libexec/podman/netavar unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023

----
type=PROCTITLE msg=audit(09/13/2022 10:15:05.216:33510) : proctitle=iptables --version 
type=PATH msg=audit(09/13/2022 10:15:05.216:33510) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=137936 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/13/2022 10:15:05.216:33510) : item=0 name=/usr/sbin/iptables inode=158128 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/13/2022 10:15:05.216:33510) : cwd=/root
type=EXECVE msg=audit(09/13/2022 10:15:05.216:33510) : argc=2 a0=iptables a1=--version
type=SYSCALL msg=audit(09/13/2022 10:15:05.216:33510) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fdb735a4d90 a1=0x559443869c80 a2=0x7ffe25ccd7d8 a3=0x8 items=2 ppid=179304 pid=179305 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/13/2022 10:15:05.216:33510) : avc:  denied  { ioctl } for  pid=179305 comm=iptables path=/var/lib/containers/storage/overlay/bd4ddcdfce3c80350149a8f9d5f9caaf4442ec64ccd646addfb6983a86d8fdef/merged/etc dev="overlay" ino=263556 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c775,c1020 tclass=dir permissive=0
type=AVC msg=audit(09/13/2022 10:15:05.216:33510) : avc:  denied  { ioctl } for  pid=179305 comm=iptables path=/var/lib/containers/storage/overlay/bd4ddcdfce3c80350149a8f9d5f9caaf4442ec64ccd646addfb6983a86d8fdef/merged dev="overlay" ino=399476 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c775,c1020 tclass=dir permissive=0

Switching the component, please assess if there can be leaked file descriptors.
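The question at the end of comment 5 is whether the container's merged directory reaches iptables as an inherited file descriptor: the AVC fires on execve, before iptables runs any code of its own, so the only way it can hold a descriptor for that directory is to have inherited one that the parent left without FD_CLOEXEC. The following is an added illustration, not code from netavark, podman or container-selinux, of how to audit a process's descriptors for that condition and how to confirm it from the child's side. It models the parent with a temporary directory standing in for .../overlay/HASH/merged, spawns a throwaway Python child with the fd table untouched (subprocess close_fds=False), and compares st_dev/st_ino in the child so that a reused fd number is not mistaken for a leak.

```python
import fcntl
import os
import subprocess
import sys
import tempfile


def closes_on_exec(fd):
    """True if the kernel will close fd during execve() (FD_CLOEXEC is set)."""
    return bool(fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)


def fds_inherited_by_helpers(fds):
    """The subset of fds that a spawned helper (such as iptables) would inherit."""
    return [fd for fd in fds if not closes_on_exec(fd)]


def visible_in_child(fd):
    """Exec a child with the fd table untouched and ask whether the same fd number still
    refers to the same object there. Matching st_dev/st_ino guards against the child
    reusing a freed fd number for an unrelated file during interpreter start-up."""
    st = os.fstat(fd)
    probe = (
        "import os, sys\n"
        "try:\n"
        f"    s = os.fstat({fd})\n"
        f"    sys.exit(0 if (s.st_dev, s.st_ino) == ({st.st_dev}, {st.st_ino}) else 1)\n"
        "except OSError:\n"
        "    sys.exit(1)\n"
    )
    r = subprocess.run([sys.executable, "-c", probe], close_fds=False,
                       stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL)
    return r.returncode == 0


def demo():
    """Model a parent that holds a container's merged directory open while it spawns a helper."""
    merged = tempfile.mkdtemp(prefix="merged-")  # constructed stand-in for .../overlay/HASH/merged
    careful = os.open(merged, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    careless = os.open(merged, os.O_RDONLY | os.O_DIRECTORY)
    # CPython marks every fd it creates close-on-exec; clear that to model a native
    # helper that opened the directory without O_CLOEXEC.
    os.set_inheritable(careless, True)
    try:
        both = [careful, careless]
        report = {
            "careful_inherited": careful in fds_inherited_by_helpers(both),
            "careless_inherited": careless in fds_inherited_by_helpers(both),
            "careful_seen_by_child": visible_in_child(careful),
            "careless_seen_by_child": visible_in_child(careless),
        }
        # Remediation on the parent side: set FD_CLOEXEC before spawning anything.
        os.set_inheritable(careless, False)
        report["careless_seen_after_fix"] = visible_in_child(careless)
        return report
    finally:
        os.close(careful)
        os.close(careless)
        os.rmdir(merged)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real system the same check can be run against a live parent by reading its /proc/PID/fd entries and fetching the FD_CLOEXEC flag from /proc/PID/fdinfo/N; a descriptor on an overlay "merged" directory that lacks the flag is exactly what would show up in iptables as the denied ioctl, and an allow rule in container-selinux silences the AVC without closing that descriptor.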

Comment 6 Daniel Walsh 2022-09-13 14:50:31 UTC
Fixed in container-selinux-2.190.0

Comment 7 Fedora Update System 2022-09-13 18:37:48 UTC
FEDORA-2022-32ab235aaa has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-32ab235aaa

Comment 8 Fedora Update System 2022-09-13 18:38:10 UTC
FEDORA-2022-e2afae8ac7 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e2afae8ac7

Comment 9 Fedora Update System 2022-09-14 01:52:50 UTC
FEDORA-2022-32ab235aaa has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-32ab235aaa`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-32ab235aaa

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-09-14 02:40:26 UTC
FEDORA-2022-e2afae8ac7 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-e2afae8ac7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-e2afae8ac7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-09-18 00:17:57 UTC
FEDORA-2022-32ab235aaa has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2022-09-22 01:17:07 UTC
FEDORA-2022-e2afae8ac7 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.