Bug 1328959 - rkt AVCs on rawhide
Summary: rkt AVCs on rawhide
Keywords:
Status: CLOSED DUPLICATE of bug 1178944
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-04-20 17:53 UTC by Robin Powell
Modified: 2016-04-26 14:08 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-22 17:58:10 UTC
Type: Bug
Embargoed:



Description Robin Powell 2016-04-20 17:53:41 UTC
I'm aware rkt support is a work in progress, so these may all be fixed somewhere, but:

This is everything in my audit log with "dontaudit off", "setenforce 0" when running: rkt run --insecure-options=image --interactive docker://busybox

type=NETFILTER_CFG msg=audit(1461174117.702:6110): table=nat family=2 entries=80
type=NETFILTER_CFG msg=audit(1461174117.715:6111): table=nat family=2 entries=82
type=NETFILTER_CFG msg=audit(1461174117.735:6112): table=nat family=2 entries=83
type=NETFILTER_CFG msg=audit(1461174117.738:6113): table=nat family=2 entries=84
type=LOGIN msg=audit(1461174118.307:6114): pid=3231 uid=0 subj=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 old-auid=1000 auid=4294967295 old-ses=19 ses=4294967295 res=1
type=USER_AVC msg=audit(1461174118.323:6115): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1461174118.327:6116): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1461174118.340:6117): avc:  denied  { entrypoint } for  pid=3232 comm="systemd-nspawn" path="/usr/lib/systemd/systemd" dev="overlay" ino=263237 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.341:6118): avc:  denied  { read } for  pid=3232 comm="systemd" name="libselinux.so.1" dev="vda2" ino=927328 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.341:6119): avc:  denied  { open } for  pid=3232 comm="systemd" path="/usr/lib/libselinux.so.1" dev="overlay" ino=263274 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.341:6120): avc:  denied  { getattr } for  pid=3232 comm="systemd" path="/usr/lib/libselinux.so.1" dev="vda2" ino=927328 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.341:6121): avc:  denied  { execute } for  pid=3232 comm="systemd" path="/usr/lib/libselinux.so.1" dev="overlay" ino=263274 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.343:6122): avc:  denied  { write } for  pid=3232 comm="systemd" name="core_pattern" dev="proc" ino=262870 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.345:6123): avc:  denied  { write } for  pid=3232 comm="systemd" name="machine-id" dev="vda2" ino=927446 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.345:6124): avc:  denied  { write } for  pid=3232 comm="systemd" name="max_dgram_qlen" dev="proc" ino=262883 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.345:6125): avc:  denied  { read } for  pid=3232 comm="systemd" name="usr" dev="vda2" ino=927290 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.352:6126): avc:  denied  { execute_no_trans } for  pid=3242 comm="(journald)" path="/usr/lib/systemd/systemd-journald" dev="overlay" ino=263244 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.445:6131): avc:  denied  { write } for  pid=3248 comm="prepare-app" name="dev" dev="vda2" ino=541319 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.445:6132): avc:  denied  { relabelto } for  pid=3248 comm="prepare-app" name="#ffff88001a575840" dev="vda2" ino=927464 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.445:6133): avc:  denied  { setattr } for  pid=3248 comm="prepare-app" name="#ffff88001a575840" dev="vda2" ino=927464 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.445:6134): avc:  denied  { rename } for  pid=3248 comm="prepare-app" name="#ffff88001a575840" dev="vda2" ino=927464 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.445:6135): avc:  denied  { reparent } for  pid=3248 comm="prepare-app" name="#ffff88001a575840" dev="vda2" ino=927464 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.445:6136): avc:  denied  { add_name } for  pid=3248 comm="prepare-app" name="net" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.445:6137): avc:  denied  { create } for  pid=3248 comm="prepare-app" name="net" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.446:6138): avc:  denied  { create } for  pid=3248 comm="prepare-app" name="hosts" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.446:6139): avc:  denied  { write open } for  pid=3248 comm="prepare-app" path="/opt/stage2/busybox/rootfs/etc/hosts" dev="overlay" ino=262927 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.446:6140): avc:  denied  { getattr } for  pid=3248 comm="prepare-app" name="hosts" dev="vda2" ino=927474 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.447:6141): avc:  denied  { write } for  pid=3248 comm="prepare-app" name="net" dev="vda2" ino=927465 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.447:6142): avc:  denied  { add_name } for  pid=3248 comm="prepare-app" name="tun" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1461174118.447:6143): avc:  denied  { create } for  pid=3248 comm="prepare-app" name="ptmx" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1461174118.475:6144): avc:  denied  { append } for  pid=3254 comm="appexec" path="/rkt/env/keep_env" dev="overlay" ino=263546 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.475:6145): avc:  denied  { read } for  pid=3254 comm="appexec" name="keep_env" dev="vda2" ino=927485 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.476:6146): avc:  denied  { ioctl } for  pid=3254 comm="sh" path="/etc/passwd" dev="overlay" ino=262098 ioctlcmd=5401 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1461174121.606:6147): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1461174121.607:6148): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 1 Robin Powell 2016-04-20 17:54:18 UTC
Note that running that stuff past audit2allow is how I hit https://bugzilla.redhat.com/show_bug.cgi?id=1328956 , so that may also be relevant.

Comment 2 Daniel Walsh 2016-04-21 04:59:14 UTC
I think rkt right now will only work without overlayfs, since overlayfs does not properly support SELinux labeling.

Comment 3 Robin Powell 2016-04-22 06:49:24 UTC
Ah, OK; yes, it works fine with --no-overlay (running as root/unconfined_t).

While it seems implausible, let me know if there's anything I can do to help.

Comment 4 Robin Powell 2016-04-22 06:56:30 UTC
FWIW, here are the AVCs I get in that case (launching rkt as root/unconfined_t, dontaudit off, setenforce 0; note that it works just fine with setenforce 1 AFAICT, that was just to get AVCs):


type=NETFILTER_CFG msg=audit(1461307931.081:11296): table=nat family=2 entries=20
type=NETFILTER_CFG msg=audit(1461307931.083:11297): table=nat family=2 entries=22
type=NETFILTER_CFG msg=audit(1461307931.085:11298): table=nat family=2 entries=23
type=NETFILTER_CFG msg=audit(1461307931.087:11299): table=nat family=2 entries=24
type=LOGIN msg=audit(1461307931.613:11300): pid=25523 uid=0 subj=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 old-auid=1000 auid=4294967295 old-ses=233 ses=4294967295 res=1
type=USER_AVC msg=audit(1461307931.625:11301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1461307931.628:11302): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1461307931.643:11303): avc:  denied  { write } for  pid=25524 comm="systemd" name="core_pattern" dev="proc" ino=596807 scontext=system_u:system_r:svirt_lxc_net_t:s0:c180,c298 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461307931.645:11304): avc:  denied  { write } for  pid=25524 comm="systemd" name="max_dgram_qlen" dev="proc" ino=596822 scontext=system_u:system_r:svirt_lxc_net_t:s0:c180,c298 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1461307939.220:11306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1461307939.222:11307): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


None of these seem to be causing any serious issues, and systemd is in fact running in the container.

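As an added example (not code from this bug report, from rkt, or from selinux-policy), here is a small Python script that does what the reporter fed the log through audit2allow for: it groups the kernel AVC denials into one allow rule per source type, target type and object class, keeps the USER_AVC "Unknown permission" records from systemd (pid 1) separate since those mean the loaded policy lacks the permission rather than denying it, and records the dev= of every denied object so that the denials reached through the overlay mount can be told apart from the two /proc writes that are all that remain in the --no-overlay run in comment 4. The sample records are a subset of the ones posted in this report with the wrapped lines joined; the function and variable names are my own.

```python
"""Group SELinux AVC denials into audit2allow-style rules and flag overlay-backed ones.

Added example, not code from the bug report, rkt or selinux-policy.  The sample
records are a subset of those posted in this report (wrapped lines joined);
the function and variable names are my own.
"""
import re
from collections import defaultdict

# Kernel AVC record: "avc:  denied  { perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
# Userspace AVC from systemd (pid 1): the loaded policy does not define the permission
USER_AVC_UNKNOWN_RE = re.compile(
    r"type=USER_AVC\b.*msg='Unknown permission (?P<perm>\w+) for class (?P<cls>\w+)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """(source type, target type, class, perms, dev) for a kernel AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return (context_type(fields['scontext']), context_type(fields['tcontext']),
            fields['tclass'], frozenset(m.group('perms').split()), fields.get('dev'))


def summarize(lines):
    """Aggregate denials per (source, target, class) the way audit2allow does.

    Returns (rules, unknown): rules maps that key to {'perms', 'devs', 'count'};
    unknown is the set of (permission, class) pairs from USER_AVC records.
    """
    rules = defaultdict(lambda: {'perms': set(), 'devs': set(), 'count': 0})
    unknown = set()
    for line in lines:
        u = USER_AVC_UNKNOWN_RE.search(line)
        if u:
            unknown.add((u.group('perm'), u.group('cls')))
            continue
        parsed = parse_avc(line)
        if parsed is None:          # NETFILTER_CFG, LOGIN, ...: not denials
            continue
        stype, ttype, tclass, perms, dev = parsed
        rule = rules[(stype, ttype, tclass)]
        rule['perms'] |= perms
        rule['count'] += 1
        if dev:
            rule['devs'].add(dev)   # "overlay" vs the real block device (vda2) vs proc
    return dict(rules), unknown


def render_rules(rules):
    """One allow line per key, sorted, in the form audit2allow prints."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(r['perms'])))
            for (s, t, c), r in sorted(rules.items())]


def overlay_rules(rules):
    """Keys of rules where at least one denied object was reached through overlayfs."""
    return sorted(k for k, r in rules.items() if 'overlay' in r['devs'])


# Subset of the records from the original report (rkt run with overlay).
SAMPLE_OVERLAY = """
type=NETFILTER_CFG msg=audit(1461174117.702:6110): table=nat family=2 entries=80
type=USER_AVC msg=audit(1461174118.323:6115): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1461174118.340:6117): avc:  denied  { entrypoint } for  pid=3232 comm="systemd-nspawn" path="/usr/lib/systemd/systemd" dev="overlay" ino=263237 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.341:6118): avc:  denied  { read } for  pid=3232 comm="systemd" name="libselinux.so.1" dev="vda2" ino=927328 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.341:6119): avc:  denied  { open } for  pid=3232 comm="systemd" path="/usr/lib/libselinux.so.1" dev="overlay" ino=263274 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.343:6122): avc:  denied  { write } for  pid=3232 comm="systemd" name="core_pattern" dev="proc" ino=262870 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.446:6139): avc:  denied  { write open } for  pid=3248 comm="prepare-app" path="/opt/stage2/busybox/rootfs/etc/hosts" dev="overlay" ino=262927 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461174118.447:6143): avc:  denied  { create } for  pid=3248 comm="prepare-app" name="ptmx" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=lnk_file permissive=1
type=USER_AVC msg=audit(1461174121.606:6147): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
""".strip().splitlines()

# The records from the --no-overlay run in comment 4 (only /proc writes remain).
SAMPLE_NO_OVERLAY = """
type=USER_AVC msg=audit(1461307931.625:11301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1461307931.643:11303): avc:  denied  { write } for  pid=25524 comm="systemd" name="core_pattern" dev="proc" ino=596807 scontext=system_u:system_r:svirt_lxc_net_t:s0:c180,c298 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
type=AVC msg=audit(1461307931.645:11304): avc:  denied  { write } for  pid=25524 comm="systemd" name="max_dgram_qlen" dev="proc" ino=596822 scontext=system_u:system_r:svirt_lxc_net_t:s0:c180,c298 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1461307939.220:11306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
""".strip().splitlines()

if __name__ == '__main__':
    for name, sample in (('overlay', SAMPLE_OVERLAY), ('no-overlay', SAMPLE_NO_OVERLAY)):
        rules, unknown = summarize(sample)
        print('== %s run ==' % name)
        for line in render_rules(rules):
            print(line)
        print('rules touching overlay-backed objects:', overlay_rules(rules))
        print('permissions unknown to the loaded policy:', sorted(unknown))
```

The dev column is the check worth keeping: in the overlay run the same libselinux.so.1 is denied once on vda2 (the lookup) and once on overlay (the open), and the large rkt_var_lib_t rule only exists because of such objects, while the --no-overlay run yields nothing but the two /proc sysctl writes. An allow rule generated from the overlay run would widen svirt_lxc_net_t to cover a labeling problem rather than a missing policy rule, which is why audit2allow output from a mislabeled tree should not go straight into semodule -i.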
Comment 5 Daniel Walsh 2016-04-22 17:58:10 UTC
This is a kernel issue, for which we have an existing bugzilla.

https://bugzilla.redhat.com/show_bug.cgi?id=1178944

*** This bug has been marked as a duplicate of bug 1178944 ***

Comment 6 Robin Powell 2016-04-22 18:03:52 UTC
I find it mildly annoying that the only non-duplicate bug in that chain, I can't actually see (Access Denied), so I've no way to get notified when it's fixed.

Comment 7 Robin Powell 2016-04-22 18:07:17 UTC
... Also, Firefox helpfully "remembered" that I'd closed a previous bug as NOTABUG, and made this bug one too when I commented.  -____-  Sorry about that.

*** This bug has been marked as a duplicate of bug 1178944 ***

Comment 8 Daniel Walsh 2016-04-26 14:08:16 UTC
Robin, sorry about that, but be assured that if we get this to work and merged into the upstream kernel, we will make a lot of noise.

