Bug 1292318 - SELinux is preventing /usr/sbin/ip from mounton access on the directory /.
SELinux is preventing /usr/sbin/ip from mounton access on the directory /.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.1
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks: 1301700
  Show dependency treegraph
 
Reported: 2015-12-16 21:53 EST by Britt Houser
Modified: 2016-11-03 22:26 EDT (History)
8 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-80.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 22:26:23 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Output of sealert (2.29 KB, text/plain)
2015-12-17 07:04 EST, Britt Houser
no flags Details

  None (edit)
Description Britt Houser 2015-12-16 21:53:11 EST
Description of problem:

As part of adding an interface to a running container, we execute the following command:
  ip netns exec $pid ip link set dev mgmt-in name mgmt

When that command is executed, SELinux kicks in and the following entries are see in audit.log

type=AVC msg=audit(1450281422.633:9548): avc:  denied  { mounton } for  pid=56100 comm="ip" path="/" dev="dm-1" ino=128 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

type=SYSCALL msg=audit(1450281422.633:9548): arch=x86_64 syscall=mount success=yes exit=0 a0=43c4d4 a1=4372cf a2=43838d a3=84000 items=0 ppid=56063 pid=56100 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null)


Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux
selinux-policy-targeted-3.13.1-23.el7.noarch
docker-selinux-1.8.2-7.el7.x86_64
selinux-policy-3.13.1-23.el7.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Launch a container with net=none
2. Add interface
pid=$(docker inspect -f '{{.State.Pid}}' `docker ps -a |  grep my_container  | awk '{print $1}'`)
ip link add mgmt-out type veth peer name mgmt-in
ip link set mgmt-out up
ip link set mgmt-in netns $pid
ip netns exec $pid ip link set dev mgmt-in name mgmt

Actual results:

type=AVC msg=audit(1450281422.633:9548): avc:  denied  { mounton } for  pid=56100 comm="ip" path="/" dev="dm-1" ino=128 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

type=SYSCALL msg=audit(1450281422.633:9548): arch=x86_64 syscall=mount success=yes exit=0 a0=43c4d4 a1=4372cf a2=43838d a3=84000 items=0 ppid=56063 pid=56100 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null)


Expected results:
NO SELinux violations

Additional info:
Comment 2 Britt Houser 2015-12-17 07:04 EST
Created attachment 1106714 [details]
Output of sealert
Comment 3 Britt Houser 2015-12-17 07:25:15 EST
Just for t-shooting, I also upgraded to rhel7.2 packaging, but still see the violation:

# rpm -qa | grep selinux
libselinux-python-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
docker-selinux-1.8.2-10.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7.noarch
Comment 4 Miroslav Grepl 2016-01-04 07:37:33 EST
Where is 

"ip netns exec $pid ip link set dev mgmt-in name mgmt"

placed?

Thank you.
Comment 5 Britt Houser 2016-01-04 09:14:22 EST
The "ip netns exec $pid ip link set dev mgmt-in name mgmt" command is executed outside of the container namespace.  Is that what you're asking?
Comment 9 errata-xmlrpc 2016-11-03 22:26:23 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.