Bug 1301693 - SELinux is preventing /usr/sbin/mdadm from 'getattr' accesses on the directory /dev/mqueue.
SELinux is preventing /usr/sbin/mdadm from 'getattr' accesses on the director...
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: docker (Show other bugs)
23
x86_64 Unspecified
medium Severity medium
: ---
: ---
Assigned To: Mrunal Patel
Fedora Extras Quality Assurance
abrt_hash:66cd108e19b1c16a1e88941d68f...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-25 12:29 EST by Raman Gupta
Modified: 2016-12-20 13:11 EST (History)
21 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-20 13:11:57 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Raman Gupta 2016-01-25 12:29:40 EST
Description of problem:
When doing lvm operations (I think it was lvremove) with an md raid array as the underlying physical storage.
SELinux is preventing /usr/sbin/mdadm from 'getattr' accesses on the directory /dev/mqueue.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mdadm should be allowed getattr access on the mqueue directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mdadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mdadm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:svirt_sandbox_file_t:s0:c72,c169
Target Objects                /dev/mqueue [ dir ]
Source                        mdadm
Source Path                   /usr/sbin/mdadm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mdadm-3.3.4-2.fc23.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.2.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.3.3-303.fc23.x86_64 #1 SMP Tue
                              Jan 19 18:31:55 UTC 2016 x86_64 x86_64
Alert Count                   10
First Seen                    2016-01-25 12:14:41 EST
Last Seen                     2016-01-25 12:27:14 EST
Local ID                      a47e9def-a19e-4090-9e45-7ae663a398c5

Raw Audit Messages
type=AVC msg=audit(1453742834.509:8430): avc:  denied  { getattr } for  pid=12316 comm="mdadm" path="/dev/mqueue" dev="mqueue" ino=10135 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c72,c169 tclass=dir permissive=0


type=SYSCALL msg=audit(1453742834.509:8430): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=4 a1=207171b a2=7ffdfec21780 a3=100 items=0 ppid=12315 pid=12316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)

Hash: mdadm,mdadm_t,svirt_sandbox_file_t,dir,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.3-303.fc23.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2016-01-29 08:24:00 EST
Are you playing with containers?
Comment 2 Daniel Walsh 2016-01-29 08:32:49 EST
This looks like you mounted /dev/mqueue into the container with the :Z option?
restorecon -F /dev/mqueue

Should fix the issue.  Not a good idea to relabel devices inside of containers.
What were you trying to do and why?
Comment 3 Raman Gupta 2016-01-30 09:16:31 EST
(In reply to Daniel Walsh from comment #2)
> This looks like you mounted /dev/mqueue into the container with the :Z
> option?

No, I don't think so. See below.

> restorecon -F /dev/mqueue
> 
> Should fix the issue.  Not a good idea to relabel devices inside of
> containers.
> What were you trying to do and why?

I can reproduce this simply be restarting the docker daemon. I have a few third-party containers, but none are running. I don't think any of them are mounting /dev/mqueue, at least not according to their Dockerfiles. Though I haven't followed their dependency chains all the way down.

In the host:

# ls -ldZ /dev/mqueue
drwxrwxrwt. 2 root root system_u:object_r:svirt_sandbox_file_t:s0:c529,c734 40 Jan 28 07:56 /dev/mqueue

# restorecon -nvrF /dev/mqueue
restorecon:  Warning no default label for /dev/mqueue
Comment 4 Daniel Walsh 2016-01-31 22:39:42 EST
Ok this looks like a bug.  I see it on my system also.

# chcon -t device_t -l s0 /dev/mqueue
# ls -lZd /dev/mqueue
drwxrwxrwt. 2 root root system_u:object_r:device_t:s0 40 Jan 28 13:43 /dev/mqueue
# docker run -ti fedora echo hello
hello
# ls -lZd /dev/mqueue
drwxrwxrwt. 2 root root system_u:object_r:svirt_sandbox_file_t:s0:c195,c1001 40 Jan 28 13:43 /dev/mqueue


So this looks like docker is labeling /dev/mqueue on the host rather then in the container.
Comment 5 Daniel Walsh 2016-01-31 22:57:59 EST
Turns out that /dev/mqueu inside of the container and on the host are the same.

# touch /var/lib/docker/containers/db4497550cd75e3670762514f8b25658a9d2624ab9396957dad3cdcf5087092d/mqueue/dan

# ls -lZ /var/lib/docker/containers/db4497550cd75e3670762514f8b25658a9d2624ab9396957dad3cdcf5087092d/mqueue /dev/mqueue/
/dev/mqueue/:
total 0
-rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 80 Feb  1 04:57 dan

/var/lib/docker/containers/db4497550cd75e3670762514f8b25658a9d2624ab9396957dad3cdcf5087092d/mqueue:
total 0
-rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 80 Feb  1 04:57 dan
Comment 6 Daniel Walsh 2016-01-31 23:08:19 EST
So the bug is that we are treating the mqueue the same was as we do with tmpfs.  But mqueue is only one device per namespace.  

If I go and mount mqueu on /mnt

# mount -t mqueue mqueu /mnt

# ls -lZ /mnt/
total 0
-rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 80 Feb  1 04:57 dan

We are always mount the same mqueu mount point into all containers and then changing the label for the latest container.  This causes two problems, all containers could talk via /dev/mqueu, but SELinux will block access to all but the last container.
Comment 7 Daniel Walsh 2016-01-31 23:24:56 EST
I think we should remove the sharing of /dev/mqueue between containers for now, until we figure out some other way to handle this.
Comment 8 Daniel Walsh 2016-01-31 23:25:27 EST
Openen and issue upstream

https://github.com/docker/docker/issues/19871
Comment 9 Mrunal Patel 2016-02-08 05:59:18 EST
Dan, so can this be solved by a selinux labeling scheme that allows sharing the same mqueue between a group of containers?
Comment 10 Daniel Walsh 2016-02-08 11:29:32 EST
I don't think so,  This is not an SELinux issue. this is a mnt namespace issue.  You get one mqueue per mount namespace.  So to share this between containers you would need to mount the mqueue inside of containers1s namespace and then somehow bind mount from containers1s mount namespace into container2s mount namespace. 

If you wanted to really hack this out, you would need to make container2s a child of container1s so that it could see the mount point.  

The reason this worked before is that you were mounting mqueue and tmpfs on the parent to the containers namespaces.
Comment 11 Madd Sauer 2016-02-13 08:01:52 EST
Description of problem:
add a P-ATA disk via converter (PATA to USB) onto a USB 3 Serial Bus

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport
Comment 12 Daniel Walsh 2016-02-22 14:07:52 EST
Fixed in docker-1.10.1-8
Comment 13 Laurent Rineau 2016-04-07 05:15:14 EDT
Docker-1.9 was recently pushed to CentOS 7, and now I have the same issue.

cgal ~ $ ls -lZd /dev/mqueue                                           
drwxrwxrwt. root root system_u:object_r:svirt_sandbox_file_t:s0:c526,c725 /dev/mqueue

Here are the packages versions I run:

kernel-3.10.0-327.10.1.el7.x86_64
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
docker-1.9.1-25.el7.centos.x86_64

And here is the SEtroubleshot mail I received:
===============================================================
SELinux is preventing /usr/sbin/mdadm from getattr access on the directory /dev/mqueue.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mdadm should be allowed getattr access on the mqueue directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mdadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mdadm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:svirt_sandbox_file_t:s0:c526,c72
                              5
Target Objects                /dev/mqueue [ dir ]
Source                        mdadm
Source Path                   /usr/sbin/mdadm
Port                          <Unknown>
Host                          cgal.geometryfactory.com
Source RPM Packages           mdadm-3.3.2-7.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cgal.geometryfactory.com
Platform                      Linux cgal.geometryfactory.com
                              3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
                              17:03:50 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-04-07 08:38:01 CEST
Last Seen                     2016-04-07 08:38:01 CEST
Local ID                      328d1d0f-403c-4d50-a550-4c701bf3c643

Raw Audit Messages
type=AVC msg=audit(1460011081.574:1960863): avc:  denied  { getattr } for  pid=7230 comm="mdadm" path="/dev/mqueue" dev="mqueue" ino=7307 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c526,c725 tclass=dir


type=SYSCALL msg=audit(1460011081.574:1960863): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=4 a1=1aa13ab a2=7ffccb6e53a0 a3=100 items=0 ppid=7182 pid=7230 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=47177 comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)

Hash: mdadm,mdadm_t,svirt_sandbox_file_t,dir,getattr
===============================================================

Is there a workaround, instead of waiting that Docker-1.10 is pushed to CentOS?
Comment 14 Daniel Walsh 2016-04-07 08:08:02 EDT
You could have run restorecon -F /dev/mdadm on the device in mdadm init script.

Antonio we should look to see if there is an easy fix for this in docker-1.9.
Comment 15 Laurent Rineau 2016-04-07 08:11:01 EDT
(In reply to Daniel Walsh from comment #14)
> You could have run restorecon -F /dev/mdadm on the device in mdadm init
> script.

That is not the file `/dev/mdadm`:

cgal ~ $ sudo restorecon -n -F /dev/mdadm
[sudo] password for lrineau on cgal: 
restorecon:  lstat(/dev/mdadm) failed:  No such file or directory

And the directory `/dev/mqueue` does not have a default label:

cgal ~ $ sudo restorecon -n -F /dev/mqueue 
restorecon:  Warning no default label for /dev/mqueue
Comment 16 Daniel Walsh 2016-04-07 16:04:52 EDT
Sorry about the typo

Wonderful.  I guess it should be tmpfs_t.

chcon -t tmpfs_t -l s0 /dev/mqueu
Will fix it.

Or just ignore the AVC, until this is fix, or add a dontaudit rule.  I don't think mdadm actually uses the /dev/mqueue.  It is just listing the files/directories on /dev.
Comment 17 Laurent Rineau 2016-04-08 06:10:53 EDT
I did changed the context, with `chcon -t tmpfs_t -l s0 /dev/mqueue`, and it did change the context.

But it was changed back the next time I started a container:

cgal ~ $ stat /dev/mqueue                                                      
  File: ‘/dev/mqueue’
  Size: 40              Blocks: 0          IO Block: 4096   directory
Device: eh/14d  Inode: 7307        Links: 2
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:svirt_sandbox_file_t:s0:c9,c496
Access: 2016-04-08 10:41:15.000000000 +0200
Modify: 2016-03-21 17:33:22.584997262 +0100
Change: 2016-04-08 10:46:45.000000000 +0200
 Birth: -
cgal ~ $ date -d $(docker inspect --format='{{.State.StartedAt}}' 1f96d575232b)
Fri Apr  8 10:46:45 CEST 2016

I have used:

cgal ~ $ sudo ausearch -m AVC -ts today | audit2allow -D -M local
cgal ~ $ cat local.te 

module local 1.0;

require {
        type svirt_sandbox_file_t;
        type mdadm_t;
        type svirt_lxc_net_t;
        type proc_t;
        class dir { getattr mounton };
}

#============= mdadm_t ==============
dontaudit mdadm_t svirt_sandbox_file_t:dir getattr;

#============= svirt_lxc_net_t ==============
dontaudit svirt_lxc_net_t proc_t:dir mounton;
cgal ~ $ sudo semodule -i local.pp

The `dontaudit` rule about mounton is another bug: bug #1322845.
Comment 18 Fedora End Of Life 2016-11-24 10:11:23 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 19 Fedora End Of Life 2016-12-20 13:11:57 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.