Bug 1124312 - SELinux is preventing /bin/mknod from using the 'mknod' capabilities.
Summary: SELinux is preventing /bin/mknod from using the 'mknod' capabilities.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3124ec30a89f9c99216b192a25a...
Depends On:
Blocks:
 
Reported: 2014-07-29 08:18 UTC by Yajo
Modified: 2014-09-01 09:37 UTC (History)
6 users

Fixed In Version: selinux-policy-3.12.1-180.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-01 09:37:37 UTC



Description Yajo 2014-07-29 08:18:25 UTC
Description of problem:
I'm not sure if this is a bug or expected behavior. I was building an Ubuntu Docker image with libreoffice-headless, and at some point it raised this:

> Setting up libfuse2:amd64 (2.9.2-4ubuntu4) ...
> Setting up fuse (2.9.2-4ubuntu4) ...
> Creating fuse group...
> Adding group `fuse' (GID 107) ...
> Done.
> Creating fuse device...
> mknod: 'fuse-': Operation not permitted
> makedev fuse c 10 229 root root 0660: failed

Sorry if it is not a bug.
SELinux is preventing /bin/mknod from using the 'mknod' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mknod should have the mknod capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mknod /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c428,c586
Target Context                system_u:system_r:svirt_lxc_net_t:s0:c428,c586
Target Objects                 [ capability ]
Source                        mknod
Source Path                   /bin/mknod
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.21-21.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-177.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.15.6-200.fc20.x86_64 #1 SMP Fri
                              Jul 18 02:36:27 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-29 10:15:04 CEST
Last Seen                     2014-07-29 10:15:04 CEST
Local ID                      70f3e4ca-4837-46ed-bce0-2d66b335d848

Raw Audit Messages
type=AVC msg=audit(1406621704.742:411): avc:  denied  { mknod } for  pid=6603 comm="mknod" capability=27  scontext=system_u:system_r:svirt_lxc_net_t:s0:c428,c586 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c428,c586 tclass=capability


type=SYSCALL msg=audit(1406621704.742:411): arch=x86_64 syscall=mknod success=no exit=EPERM a0=7fff9d725ea7 a1=21b6 a2=ae5 a3=7fff9d724ab0 items=0 ppid=6290 pid=6603 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mknod exe=/bin/mknod subj=system_u:system_r:svirt_lxc_net_t:s0:c428,c586 key=(null)

Hash: mknod,svirt_lxc_net_t,svirt_lxc_net_t,capability,mknod

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.15.6-200.fc20.x86_64
type:           libreport

Comment 1 Daniel Walsh 2014-07-30 09:03:50 UTC
Well I just released fixes into git that added a boolean to policy to allow containerised processes to mknod.  Docker currently without SELinux allows limited mknod in non-priv containers, and I would be interested if this container worked without this access?  If not does it work with SELinux in permissive mode?  If it still does not work in permissive mode then you would probably have to run the container with --privilege.

I don't like to allow processes within the container to create device nodes, since this is one of the ways that you could attack the host OS.

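The denial in the description and the point made in comment 1 (that a capability denial raised inside a container domain should be decided by policy, not granted wholesale) can be checked with a small triage script. The script below is an added example, not code from this bug or from selinux-policy; it reads audit lines on stdin, reduces each AVC record to its essentials, and separates out capability denials coming from `svirt_lxc_*` sandbox domains. The sample audit lines are constructed; the first copies the denial quoted in the report.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report or selinux-policy): triage SELinux AVC
# denials from an audit log before reaching for `audit2allow -M`.

# Constructed sample audit records. Line 1 mirrors the denial in this report;
# the others are made up to show non-capability and other capability denials.
SAMPLE_AUDIT='type=AVC msg=audit(1406621704.742:411): avc:  denied  { mknod } for  pid=6603 comm="mknod" capability=27  scontext=system_u:system_r:svirt_lxc_net_t:s0:c428,c586 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c428,c586 tclass=capability
type=SYSCALL msg=audit(1406621704.742:411): arch=x86_64 syscall=mknod success=no exit=EPERM pid=6603 comm=mknod exe=/bin/mknod
type=AVC msg=audit(1406621710.001:412): avc:  denied  { write } for  pid=6610 comm="touch" name="etc" dev="dm-1" ino=12 scontext=system_u:system_r:svirt_lxc_net_t:s0:c428,c586 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1406621720.500:413): avc:  denied  { net_admin } for  pid=6700 comm="ip" capability=12  scontext=system_u:system_r:svirt_lxc_net_t:s0:c428,c586 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c428,c586 tclass=capability'

# avc_summary: read audit records on stdin and print one line per AVC denial:
#   comm permission tclass source_type target_type
# SYSCALL and other record types are skipped.
avc_summary() {
  awk '
    /^type=AVC / && /avc:  denied/ {
      # the denied permission(s) sit between "{ " and " }"
      s = index($0, "{ "); e = index($0, " }")
      perm = substr($0, s + 2, e - s - 2)
      comm = src = tgt = cls = "?"
      for (i = 1; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        key = substr($i, 1, n - 1); val = substr($i, n + 1)
        if (key == "comm")          { gsub(/"/, "", val); comm = val }
        else if (key == "scontext") { split(val, c, ":"); src = c[3] }  # type field of the context
        else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        else if (key == "tclass")   { cls = val }
      }
      print comm, perm, cls, src, tgt
    }'
}

# container_capability_denials: keep only capability denials raised inside a
# container sandbox domain (svirt_lxc_*). These are the records that should be
# handled with a policy boolean or by running the container privileged, rather
# than by feeding the whole log to audit2allow and loading the result.
container_capability_denials() {
  avc_summary | awk '$3 == "capability" && $4 ~ /^svirt_lxc_/ { print $1, $2 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_AUDIT" | container_capability_denials
```

Run it against a real log with `grep '^type=AVC' /var/log/audit/audit.log | container_capability_denials`. Anything it lists is a process inside a container asking for a capability the sandbox policy withholds; the fix is a policy decision (the boolean added in the commit quoted in comment 5, or `--privileged` for a trusted image), not a local module generated from the denial.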
Comment 2 Yajo 2014-07-31 08:17:42 UTC
(In reply to Daniel Walsh from comment #1)
> Well I just released fixes into git that added a boolean to policy to allow
> containerised processes mknod.  Docker currently without SELinux allows
> limited mknod in non-priv containers, and I would be interested if this
> container worked without this access?  If not does it work with SELinux in
> permissive mode?  If it still does not work in permissive mode then you
> would probably have to run the container with --privilege.

Well there is a problem: when doing a `docker build` you cannot add `--privileged`, or at least it is not documented; so all I could do is build it after a `setenforce 0`, and that part worked OK.

However, SELinux raised another error, which is weird because it was disabled. I will post it in another bug soon.

> I don't like to allow processes within the container to create device nodes,
> since this is one of the ways that you could attack the host OS.

I thought it too, that's why I asked if it was really a bug.

What I am going to do is try to execute that installation in a privileged container instead of a Dockerfile, and see what happens.

Comment 3 Yajo 2014-07-31 08:20:02 UTC
(In reply to Yajo from comment #2)
> However, SELinux raised another error, which is weird because it was
> disabled. I will post it in another bug soon.

It's bug 1125153.

Comment 4 Yajo 2014-08-01 07:09:28 UTC
(In reply to Yajo from comment #2)
> What I am going to do is try to execute that installation in a privileged
> container instead of a Dockerfile, and see what happens.

It did work fine, with SELinux enabled.

Comment 5 Miroslav Grepl 2014-08-01 11:33:18 UTC
commit 3e3d00731b61dcbb7af77729607fac23d4a79b3c
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Tue Jul 29 10:48:08 2014 -0400

    Change virt.te to match default docker capabilities
    
    Add additional booleans for turning on mknod or all caps.
    
    Also add interface to allow users to write policy that matches docker defaults
    for capabilities.

