Bug 980812

Summary: Can't successfully start an apache container with dynamic SELinux label
Product: Red Hat Enterprise Linux 7
Reporter: Alex Jia <ajia>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 7.0
CC: dwalsh, dyuan, gsun, mmalik, weizhan, zpeng
Target Milestone: rc
Keywords: TestBlocker
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-07-30 21:25:56 UTC
Type: Bug

Description Alex Jia 2013-07-03 09:51:43 UTC
Description of problem:
Can't successfully start an apache container with dynamic SELinux label, and hit many "Permission denied" errors.

Version-Release number of selected component (if applicable):
# rpm -q selinux-policy libvirt-sandbox libvirt systemd
selinux-policy-3.12.1-56.el7.noarch
libvirt-sandbox-0.2.0-1.el7.x86_64
libvirt-1.1.0-1.el7.x86_64
systemd-204-9.el7.1.x86_64


How reproducible:
always

Steps to Reproduce:
1. # virt-sandbox-service create -C -u httpd.service -s dynamic myapache
2. # virt-sandbox-service start myapache

Actual results:

# virt-sandbox-service create -C -u httpd.service -s dynamic myapache
Created sandbox container dir /var/lib/libvirt/filesystems/myapache
Created unit file /etc/systemd/system/myapache_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/myapache.sandbox

# virt-sandbox-service start myapache
systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to Linux!

Failed to read configured hostname: Permission denied
Cannot open /etc/machine-id: Permission denied
Failed to open /etc/fstab: Permission denied
  /dev/mapper/control: mknod failed: Operation not permitted
  Failure to communicate with kernel device-mapper driver.
  Check that device-mapper is available in the kernel.
/usr/lib/systemd/system-generators/systemd-fstab-generator exited with exit status 1.
Failed to open directory /etc/systemd/system: Permission denied
opendir(/etc/rc.d/rc1.d) failed: Permission denied
opendir(/etc/rc.d/rc2.d) failed: Permission denied
opendir(/etc/rc.d/rc3.d) failed: Permission denied
opendir(/etc/rc.d/rc4.d) failed: Permission denied
opendir(/etc/rc.d/rc5.d) failed: Permission denied
opendir(/etc/rc.d/rc0.d) failed: Permission denied
opendir(/etc/rc.d/rc6.d) failed: Permission denied
Failed to load default target: Permission denied
Trying to load rescue target...
Failed to isolate default target: Unit sysinit.target failed to load: Permission denied. See system logs and 'systemctl status sysinit.target' for details.
Expected results:




Additional info:

# getenforce
Enforcing


# auvirt --vm apache --all-events

avc   apache                  	root       	Wed Jul  3 17:39                   	read        	denied    	libvirt-sandbox	run	
avc   apache                  	root       	Wed Jul  3 17:39                   	read        	denied    	libvirt-sandbox	run	
avc   apache                  	root       	Wed Jul  3 17:39                   	read        	denied    	systemd	hostname	
avc   apache                  	root       	Wed Jul  3 17:39                   	read,write  	denied    	systemd	machine-id	
avc   apache                  	root       	Wed Jul  3 17:39                   	read        	denied    	systemd	machine-id	
avc   apache                  	root       	Wed Jul  3 17:39                   	read        	denied    	systemd-fstab-g	fstab

For details:

# grep avc /var/log/audit/audit.log

type=AVC msg=audit(1372844369.949:9831): avc:  denied  { read } for  pid=27195 comm="libvirt-sandbox" name="run" dev="dm-0" ino=434497 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1372844369.949:9832): avc:  denied  { read } for  pid=27195 comm="libvirt-sandbox" name="run" dev="dm-0" ino=434497 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1372844369.952:9833): avc:  denied  { read } for  pid=27195 comm="systemd" name="hostname" dev="dm-0" ino=434480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(1372844369.952:9834): avc:  denied  { read write } for  pid=27195 comm="systemd" name="machine-id" dev="dm-0" ino=434478 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(1372844369.952:9835): avc:  denied  { read } for  pid=27195 comm="systemd" name="machine-id" dev="dm-0" ino=434478 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(1372844369.955:9836): avc:  denied  { read } for  pid=27204 comm="systemd-fstab-g" name="fstab" dev="dm-0" ino=434479 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file


# virsh -c lxc:/// dumpxml myapache|grep -A 5 seclabel 
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_lxc_net_t:s0:c59,c501</label>
    <imagelabel>system_u:object_r:svirt_lxc_file_t:s0:c59,c501</imagelabel>
    <baselabel>system_u:system_r:svirt_lxc_net_t:s0</baselabel>
  </seclabel>
</domain>


# ll -Z /etc/fstab /etc/machine-id /etc/rc.d/
-rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/fstab
-r--r--r--. root root system_u:object_r:machineid_t:s0 /etc/machine-id

/etc/rc.d/:
drwxr-xr-x. root root system_u:object_r:etc_t:s0       init.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc0.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc1.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc2.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc3.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc4.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc5.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       rc6.d

# systemctl status sysinit.target
sysinit.target - System Initialization
   Loaded: loaded (/usr/lib/systemd/system/sysinit.target; static)
   Active: active since Wed 2013-07-03 13:32:49 HKT; 4h 15min ago
     Docs: man:systemd.special(7)

Jul 03 13:32:49 localhost.localdomain systemd[1]: Starting System Initialization.
Jul 03 13:32:49 localhost.localdomain systemd[1]: Reached target System Initialization.
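As an added example (not code from the bug report, libvirt-sandbox or selinux-policy), a small Python checker that parses AVC records of the shape shown above and compares each denied file's tcontext with the domain's <imagelabel>. A mismatch such as virt_var_lib_t:s0 versus svirt_lxc_file_t:s0:c59,c501 points to the sandbox root never having been relabeled for the container, rather than to a missing policy rule; the third sample line is constructed to show the other case.

```python
import re
from typing import Dict, List, Optional

# Expected file label for this container, from the report's dumpxml <imagelabel>.
IMAGELABEL = "system_u:object_r:svirt_lxc_file_t:s0:c59,c501"

# Constructed sample: lines 1-2 mirror this report; line 3 is invented (correct label).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1372844369.949:9831): avc:  denied  { read } for  pid=27195 comm="libvirt-sandbox" name="run" dev="dm-0" ino=434497 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1372844369.952:9834): avc:  denied  { read write } for  pid=27195 comm="systemd" name="machine-id" dev="dm-0" ino=434478 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(1372844370.001:9840): avc:  denied  { write } for  pid=27195 comm="systemd" name="journal" dev="dm-0" ino=434500 scontext=system_u:system_r:svirt_lxc_net_t:s0:c59,c501 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c59,c501 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r'\s+comm="?(?P<comm>[^"\s]+)"?.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
TARGET_RE = re.compile(r'\b(?:name|path)="?([^"\s]+)"?')

def split_context(ctx: str) -> tuple:
    """Split user:role:type:range; the MLS/MCS range may be absent."""
    parts = ctx.split(":", 3)
    return tuple(parts + [""] * (4 - len(parts)))

def parse_avc(line: str) -> Optional[Dict]:
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()          # e.g. ["read", "write"]
    t = TARGET_RE.search(line)
    rec["target"] = t.group(1) if t else ""      # name= or path= of the object
    return rec

def classify(rec: Dict, imagelabel: str) -> str:
    """'mislabeled': object lacks the container's image label (this bug's case);
    'policy': label is right, so the policy itself lacks a rule for the access."""
    _, _, want_type, want_range = split_context(imagelabel)
    _, _, have_type, have_range = split_context(rec["tcontext"])
    if have_type != want_type or have_range != want_range:
        return "mislabeled"
    return "policy"

def audit_sandbox_denials(audit_text: str, imagelabel: str) -> List[Dict]:
    """Parse every AVC record in the text and attach a verdict, in file order."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rec["verdict"] = classify(rec, imagelabel)
            out.append(rec)
    return out
```

Feed it `grep avc /var/log/audit/audit.log` output and the imagelabel from `virsh dumpxml`; a run of "mislabeled" verdicts on the sandbox root is the signature of the condition this report describes.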

Comment 3 Milos Malik 2013-07-04 09:34:40 UTC
Following AVCs appeared in permissive mode:
----
type=SYSCALL msg=audit(07/04/2013 05:31:20.904:512) : arch=x86_64 syscall=connect success=no exit=-2(No such file or directory) a0=0x4 a1=0x7fff709d2a30 a2=0x6e a3=0x0 items=0 ppid=0 pid=2143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=pts0 comm=libvirt-sandbox exe=/usr/libexec/libvirt-sandbox-init-common subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:20.904:512) : avc:  denied  { read } for  pid=2143 comm=libvirt-sandbox name=run dev="dm-1" ino=1444315 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=lnk_file 
----
type=SYSCALL msg=audit(07/04/2013 05:31:20.922:513) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ff51b49060b a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=0 ppid=0 pid=2143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=pts0 comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:20.922:513) : avc:  denied  { open } for  pid=2143 comm=systemd path=/etc/hostname dev="dm-1" ino=1444297 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file 
type=AVC msg=audit(07/04/2013 05:31:20.922:513) : avc:  denied  { read } for  pid=2143 comm=systemd name=hostname dev="dm-1" ino=1444297 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/04/2013 05:31:20.922:514) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ff51b4906c2 a1=O_RDWR|O_CREAT|O_NOCTTY|O_CLOEXEC a2=0x124 a3=0x0 items=0 ppid=0 pid=2143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=pts0 comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:20.922:514) : avc:  denied  { write } for  pid=2143 comm=systemd name=machine-id dev="dm-1" ino=1444295 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.056:515) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x7fcc3436f580 a1=0755 a2=0x1 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:21.056:515) : avc:  denied  { create } for  pid=2159 comm=systemd-tmpfile name=cups scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir 
type=AVC msg=audit(07/04/2013 05:31:21.056:515) : avc:  denied  { add_name } for  pid=2159 comm=systemd-tmpfile name=cups scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir 
type=AVC msg=audit(07/04/2013 05:31:21.056:515) : avc:  denied  { write } for  pid=2159 comm=systemd-tmpfile name=spool dev="dm-1" ino=1444291 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.056:516) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x7fcc3436f300 a1=0755 a2=0x0 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:21.056:516) : avc:  denied  { add_name } for  pid=2159 comm=systemd-tmpfile name=tmp scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir 
type=AVC msg=audit(07/04/2013 05:31:21.056:516) : avc:  denied  { write } for  pid=2159 comm=systemd-tmpfile name=cups dev="dm-1" ino=1444336 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.057:517) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc34372190 a1=0755 a2=0x7fff901e6cf0 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:21.057:517) : avc:  denied  { setattr } for  pid=2159 comm=systemd-tmpfile name=ppp dev="dm-1" ino=1444375 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.057:518) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7fcc343733f0 a1=O_WRONLY|O_CREAT|O_NOCTTY|O_APPEND|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC a2=0x1b4 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:21.057:518) : avc:  denied  { append open } for  pid=2159 comm=systemd-tmpfile path=/var/log/wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file 
type=AVC msg=audit(07/04/2013 05:31:21.057:518) : avc:  denied  { create } for  pid=2159 comm=systemd-tmpfile name=wtmp scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.057:519) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc343733f0 a1=0664 a2=0x7fff901e6c00 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:21.057:519) : avc:  denied  { setattr } for  pid=2159 comm=systemd-tmpfile name=wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.057:520) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fcc343749d0 a1=,sticky,777 a2=0x7fff901e6cf0 a3=0xffffffff items=0 ppid=1 pid=2159 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:21.057:520) : avc:  denied  { setattr } for  pid=2159 comm=systemd-tmpfile name=tmp dev="dm-1" ino=1444292 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.244:521) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fe398521d3c a1=O_WRONLY a2=0x7fff64967d40 a3=0x8 items=0 ppid=1 pid=2168 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-update- exe=/usr/lib/systemd/systemd-update-utmp subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:21.244:521) : avc:  denied  { write } for  pid=2168 comm=systemd-update- name=wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/04/2013 05:31:21.244:522) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x6 a1=F_SETLKW a2=0x7fff64967b80 a3=0x8 items=0 ppid=1 pid=2168 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=systemd-update- exe=/usr/lib/systemd/systemd-update-utmp subj=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 key=(null) 
type=AVC msg=audit(07/04/2013 05:31:21.244:522) : avc:  denied  { lock } for  pid=2168 comm=systemd-update- path=/var/log/wtmp dev="dm-1" ino=1444376 scontext=system_u:system_r:svirt_lxc_net_t:s0:c127,c937 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file 
----

Comment 4 Milos Malik 2013-07-04 09:39:10 UTC
The Apache service failed even if the container is started in permissive mode.

# setenforce 0
# virt-sandbox-service start myapache
systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to Red Hat Enterprise Linux Server 7.0 (Maipo)!

Set hostname to <myapache>.
  /dev/mapper/control: mknod failed: Operation not permitted
  Failure to communicate with kernel device-mapper driver.
  Check that device-mapper is available in the kernel.
[  OK  ] Reached target Paths.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Listening on Journal Socket.
[  OK  ] Reached target Swap.
         Starting Activation of LVM2 logical volumes...
         Starting Journal Service...
[  OK  ] Started Journal Service.
[  OK  ] Started Activation of LVM2 logical volumes.
         Starting Activation of LVM2 logical volumes...
[  OK  ] Started Activation of LVM2 logical volumes.
[  OK  ] Reached target Local File Systems.
         Starting Recreate Volatile Files and Directories...
[  OK  ] Started Recreate Volatile Files and Directories.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Timers.
[  OK  ] Reached target Basic System.
         Starting The Apache HTTP Server...
         Starting Cleanup of Temporary Directories...
[  OK  ] Started Cleanup of Temporary Directories.
httpd.service: main process exited, code=exited, status=1/FAILURE
[FAILED] Failed to start The Apache HTTP Server.
See 'systemctl status httpd.service' for details.
Unit httpd.service entered failed state.
[  OK  ] Reached target Sandbox multi-user target.

Comment 5 Alex Jia 2013-07-04 10:11:31 UTC
(In reply to Milos Malik from comment #4)

> httpd.service: main process exited, code=exited, status=1/FAILURE
> [FAILED] Failed to start The Apache HTTP Server.


Milos, it may not be related to the AVC denials. A workaround is to connect to your container and get its IP address (you probably need to run 'ifconfig' more than 2 times to wait for dhcp to assign an IP in the container). Of course, the prerequisite is that you create the container with a dhcp network, such as "virt-sandbox-service create -C -u httpd.service -s dynamic -N dhcp myapache". Then shut down your container first and add your container's IP and hostname (container name) into /etc/hosts on the host; finally, start your container again.

# cat /etc/hosts  (on the host)
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.122.207   myapache

Comment 6 Daniel Walsh 2013-07-15 21:17:38 UTC
Dynamic labeling is only supposed to work with image files. libvirt-sandbox-0.2.1-1.el7 is supposed to enforce this.