Bug 980812
Summary: | Can't successfully start an apache container with dynamic SELinux label | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Alex Jia <ajia> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 7.0 | CC: | dwalsh, dyuan, gsun, mmalik, weizhan, zpeng |
Target Milestone: | rc | Keywords: | TestBlocker |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-07-30 21:25:56 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Alex Jia
2013-07-03 09:51:43 UTC
Following AVCs appeared in permissive mode:

----
type=SYSCALL msg=audit(07/04/2013 05:31:20.904:512) : arch=x86_64 syscall=connect success=no exit=-2(No such file or directory) a0=0x4 a1=0x7fff709d2a30 a2=0x6e a3=0x0 items=0 ppid=0 pid=2143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=pts0 comm=libvirt-sandbox exe=/usr/libexec/libvirt-sandbox-init-common subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:20.904:512) : avc: denied { read } for pid=2143 comm=libvirt-sandbox name=run dev="dm-1" ino=1444315 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=lnk_file
----
type=SYSCALL msg=audit(07/04/2013 05:31:20.922:513) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ff51b49060b a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=0 ppid=0 pid=2143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=pts0 comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:20.922:513) : avc: denied { open } for pid=2143 comm=systemd path=/etc/hostname dev="dm-1" ino=1444297 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/04/2013 05:31:20.922:513) : avc: denied { read } for pid=2143 comm=systemd name=hostname dev="dm-1" ino=1444297 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/04/2013 05:31:20.922:514) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ff51b4906c2 a1=O_RDWR|O_CREAT|O_NOCTTY|O_CLOEXEC a2=0x124 a3=0x0 items=0 ppid=0 pid=2143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=pts0 comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:20.922:514) : avc: denied { write } for pid=2143 comm=systemd name=machine-id dev="dm-1" ino=1444295 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.056:515) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x7fcc3436f580 a1=0755 a2=0x1 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:21.056:515) : avc: denied { create } for pid=2159 comm=systemd-tmpfile name=cups scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir
type=AVC msg=audit(07/04/2013 05:31:21.056:515) : avc: denied { add_name } for pid=2159 comm=systemd-tmpfile name=cups scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir
type=AVC msg=audit(07/04/2013 05:31:21.056:515) : avc: denied { write } for pid=2159 comm=systemd-tmpfile name=spool dev="dm-1" ino=1444291 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.056:516) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x7fcc3436f300 a1=0755 a2=0x0 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:21.056:516) : avc: denied { add_name } for pid=2159 comm=systemd-tmpfile name=tmp scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir
type=AVC msg=audit(07/04/2013 05:31:21.056:516) : avc: denied { write } for pid=2159 comm=systemd-tmpfile name=cups dev="dm-1" ino=1444336 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.057:517) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc34372190 a1=0755 a2=0x7fff901e6cf0 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:21.057:517) : avc: denied { setattr } for pid=2159 comm=systemd-tmpfile name=ppp dev="dm-1" ino=1444375 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.057:518) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7fcc343733f0 a1=O_WRONLY|O_CREAT|O_NOCTTY|O_APPEND|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC a2=0x1b4 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:21.057:518) : avc: denied { append open } for pid=2159 comm=systemd-tmpfile path=/var/log/wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/04/2013 05:31:21.057:518) : avc: denied { create } for pid=2159 comm=systemd-tmpfile name=wtmp scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.057:519) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc343733f0 a1=0664 a2=0x7fff901e6c00 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:21.057:519) : avc: denied { setattr } for pid=2159 comm=systemd-tmpfile name=wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.057:520) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc343749d0 a1=,sticky,777 a2=0x7fff901e6cf0 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:21.057:520) : avc: denied { setattr } for pid=2159 comm=systemd-tmpfile name=tmp dev="dm-1" ino=1444292 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.244:521) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fe398521d3c a1=O_WRONLY a2=0x7fff64967d40 a3=0x8 items=0 ppid=1 pid=2168 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-update- exe=/usr/lib/systemd/systemd-update-utmp subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:21.244:521) : avc: denied { write } for pid=2168 comm=systemd-update- name=wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.244:522) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x6 a1=F_SETLKW a2=0x7fff64967b80 a3=0x8 items=0 ppid=1 pid=2168 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-update- exe=/usr/lib/systemd/systemd-update-utmp subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null)
type=AVC msg=audit(07/04/2013 05:31:21.244:522) : avc: denied { lock } for pid=2168 comm=systemd-update- path=/var/log/wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file
----

The Apache service failed even if the container is started in permissive mode.

# setenforce 0
# virt-sandbox-service start myapache
systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.
Welcome to Red Hat Enterprise Linux Server 7.0 (Maipo)!
Set hostname to <myapache>.
/dev/mapper/control: mknod failed: Operation not permitted
Failure to communicate with kernel device-mapper driver.
Check that device-mapper is available in the kernel.
[ OK ] Reached target Paths.
[ OK ] Listening on Delayed Shutdown Socket.
[ OK ] Listening on Journal Socket.
[ OK ] Reached target Swap.
Starting Activation of LVM2 logical volumes...
Starting Journal Service...
[ OK ] Started Journal Service.
[ OK ] Started Activation of LVM2 logical volumes.
Starting Activation of LVM2 logical volumes...
[ OK ] Started Activation of LVM2 logical volumes.
[ OK ] Reached target Local File Systems.
Starting Recreate Volatile Files and Directories...
[ OK ] Started Recreate Volatile Files and Directories.
[ OK ] Reached target System Initialization.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Reached target Sockets.
[ OK ] Reached target Timers.
[ OK ] Reached target Basic System.
Starting The Apache HTTP Server...
Starting Cleanup of Temporary Directories...
[ OK ] Started Cleanup of Temporary Directories.
httpd.service: main process exited, code=exited, status=1/FAILURE
[FAILED] Failed to start The Apache HTTP Server.
See 'systemctl status httpd.service' for details.
Unit httpd.service entered failed state.
[ OK ] Reached target Sandbox multi-user target.

(In reply to Milos Malik from comment #4)
> httpd.service: main process exited, code=exited, status=1/FAILURE
> [FAILED] Failed to start The Apache HTTP Server.

Milos, it may not be relevant to the AVC denials. A workaround is to connect to your container and get its IP address (you probably need to run 'ifconfig' more than 2 times to wait for dhcp to assign an IP in the container); of course, the prerequisite is that you create the container with a dhcp network, such as "virt-sandbox-service create -C -u httpd.service -s dynamic -N dhcp myapache". Then shut down your container first, add your container's IP and hostname (container name) into /etc/hosts on the host, and finally start your container again.

# cat /etc/hosts (on the host)
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.122.207 myapache

Dynamic labeling is only supposed to work with image files. libvirt-sandbox-0.2.1-1.el7 is supposed to enforce this.
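As an added triage example (not code from this bug or from libvirt-sandbox), the script below parses AVC records in the `ausearch -i` layout shown above and separates denials whose target still carries the static virt_var_lib_t label, the signature of a directory-backed sandbox started with dynamic labeling, from ordinary MCS category mismatches between two labelled sandboxes. The first two sample records are copied from this bug; the third record and its svirt_sandbox_file_t:s0:c10,c20 label are constructed for contrast.

```python
import re
from collections import Counter

# Three `ausearch -i` AVC records: the first two are copied from this bug's
# audit log, the third is constructed to show a denial against files that
# do carry a (different) dynamic sandbox label.
SAMPLE_AVCS = """\
type=AVC msg=audit(07/04/2013 05:31:20.904:512) : avc: denied { read } for pid=2143 comm=libvirt-sandbox name=run dev="dm-1" ino=1444315 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(07/04/2013 05:31:21.057:518) : avc: denied { append open } for pid=2159 comm=systemd-tmpfile path=/var/log/wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/04/2013 05:31:22.000:530) : avc: denied { write } for pid=2200 comm=httpd name=index.html dev="dm-1" ino=1444400 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c10,c20 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm=(?P<comm>\S+) "
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def parse_avcs(text):
    """Return one dict per AVC record: permissions, comm, contexts, class."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            records.append(rec)
    return records

def split_context(ctx):
    """user:role:type:level[:cats] -> (type, frozenset of MCS categories).
    Assumes plain MCS labels (s0 plus c-categories), as in this bug."""
    parts = ctx.split(":")
    cats = frozenset(parts[4].split(",")) if len(parts) > 4 else frozenset()
    return parts[2], cats

def classify(rec):
    """Name the reason this sandbox process was denied access."""
    _, scats = split_context(rec["scontext"])
    ttype, tcats = split_context(rec["tcontext"])
    if ttype == "virt_var_lib_t":
        # Object still has libvirt's static directory label, which no process
        # category set can match: the directory backend was never relabelled.
        return "unlabeled-backend"
    if scats and tcats and scats != tcats:
        return "category-mismatch"  # object belongs to another sandbox
    return "other"

def summarize(text):
    """Count verdicts; the dominant one points at the root cause."""
    return Counter(classify(r) for r in parse_avcs(text))
```

Run it on `ausearch -i -m AVC` output from the host; when every denial lands in "unlabeled-backend", the fix is to back the sandbox with an image file rather than to write a policy module allowing svirt_lxc_net_t access to virt_var_lib_t.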