1330141 – openonload applications fail inside containers

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1330141 - openonload applications fail inside containers

Summary: openonload applications fail inside containers

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	docker
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1342930 1342931
TreeView+	depends on / blocked

Reported:	2016-04-25 12:50 UTC by Jeremy Eder
Modified:	2019-03-06 02:45 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1342930 (view as bug list)
Environment:
Last Closed:	2016-11-04 09:07:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2634	0	normal	SHIPPED_LIVE	Moderate: docker security and bug fix update	2016-11-03 20:51:48 UTC

Description Jeremy Eder 2016-04-25 12:50:04 UTC

Description of problem:

Trying to run openonload (a userspace networking stack) in a container.

# docker run -d label:disable --device=/dev/onload --device=/dev/onload_epoll --net=host r7perf_onload onload netserver

type=AVC msg=audit(1461588083.314:5082): avc:  denied  { ioctl } for  pid=13623 comm="netserver" path="onload:[tcp:1:3]" dev="onloadfs" ino=3135700 scontext=system_u:system_r:svirt_lxc_net_t:s0:c671,c870 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file

Disabling selinux for this container as a workaround.

# docker run -d --security-opt label:disable --device=/dev/onload --device=/dev/onload_epoll --net=host r7perf_onload netserver

...

Would we be interested in adding support for this to our policy files or would the vendor have to carry this ?

#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t unlabeled_t:sock_file ioctl;

Comment 3 Daniel Walsh 2016-05-03 13:18:53 UTC

I think your first example is wrong.

docker run -d --security-opt label:disable --device=/dev/onload --device=/dev/onload_epoll --net=host r7perf_onload onload netserver

Your example is missing the --security-opt flag?  The process inside of the container is still running with a locked down svirt_lxc_net_t?


The problem here is that the device did not get a label that SELinux is allowed to write.

What version of docker are you using?

Comment 4 Jeremy Eder 2016-05-03 13:22:00 UTC

(In reply to Daniel Walsh from comment #3)
> I think your first example is wrong.
> 
> docker run -d --security-opt label:disable --device=/dev/onload
> --device=/dev/onload_epoll --net=host r7perf_onload onload netserver
> 
> Your example is missing the --security-opt flag?  The process inside of the
> container is still running with a locked down svirt_lxc_net_t?

Sorry, first example is just a cut/paste error on my part.

> The problem here is that the device did not get a label that SELinux is
> allowed to write.
> 
> What version of docker are you using?

docker-1.9.1-28.el7.x86_64

Comment 5 Daniel Walsh 2016-05-03 13:26:37 UTC

On the host could you do a 

ls -lZ /dev/onload*

And in a container do it also. probably in permissive mode.

 docker run -ti --device=/dev/onload --device=/dev/onload_epoll --net=host r7perf_onload onload ls -lZ /dev/onload*

Comment 6 Jeremy Eder 2016-05-03 13:55:51 UTC

root@bkr-hv10: ~ # ls -alZ /dev/onload*
crw-rw-rw-. root root unconfined_u:object_r:device_t:s0 /dev/onload
crw-rw-rw-. root root unconfined_u:object_r:device_t:s0 /dev/onload_epoll


root@bkr-hv10: ~ # setenforce 0 ; docker run -ti --device=/dev/onload --device=/dev/onload_epoll --net=host r7perf_onload onload ls -lZ /dev/onload* ; setenforce 1
crw-rw-rw-. root root system_u:object_r:svirt_sandbox_file_t:s0:c35,c543 /dev/onload
crw-rw-rw-. root root system_u:object_r:svirt_sandbox_file_t:s0:c35,c543 /dev/onload_epoll

Comment 7 Daniel Walsh 2016-05-03 14:21:54 UTC

So the containers stuff is doing the right thing, the problem here is these  devices have no labels.  So this is an SELinux issue.  It looks like we need some support for labeling the "onloadfs" file system?

Comment 8 Daniel Walsh 2016-05-03 14:23:27 UTC

type=AVC msg=audit(1461588083.314:5082): avc:  denied  { ioctl } for  pid=13623 comm="netserver" path="onload:[tcp:1:3]" dev="onloadfs" ino=3135700 scontext=system_u:system_r:svirt_lxc_net_t:s0:c671,c870 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file

Since these devices have labels, Could this be a kernel issue?  How does one get a label on this sock_file?

Comment 9 Jeremy Eder 2016-05-03 14:40:00 UTC

onloadfs is created by an out of tree kernel module:

https://github.com/jeremyeder/openonload/blob/af9408f6df1bb19659f70661cfeb58a981b4a053/src/driver/linux_onload/onloadfs.c

This is why I am wondering if we need to ask Solarflare to carry the labeling patch in their distribution.  The other thing is that most of those customers disable selinux, but they'd probably be receptive or at least understanding.

I've cc'd Davor Frank from Solarflare on this BZ.

Comment 10 Stephen Smalley 2016-05-03 14:43:41 UTC

Add a genfscon onloadfs entry to policy?

Comment 11 Daniel Walsh 2016-05-03 15:32:47 UTC

We could try that, and see if it fixes the issue.  Getting an updated policy into rhel could be difficult, but Miroslav, could probably throw together a scratch build.

Comment 12 Stephen Smalley 2016-05-03 15:38:28 UTC

Looks like it should work based on the code referenced above, which calls d_instantiate(), which SELinux already hooks (security_d_instantiate -> selinux_d_instantiate) to set the incore inode security label.  Obviously you'll need to allow access from svirt_lxc_net_t to whatever type is assigned to onloadfs inodes.

Comment 13 Daniel Walsh 2016-05-03 17:32:13 UTC

Sure.  As long as we don't have to give access to unlabeled_t.

Comment 14 Daniel Walsh 2016-06-03 18:55:40 UTC

Added policy for defining onloadfs.

https://github.com/fedora-selinux/selinux-policy/pull/129


Once this is merged, I will add the policy to docker-selinux.

Comment 15 Daniel Walsh 2016-06-07 11:42:29 UTC

Looks like it got merged into rawhide policy.

Lukas can we get this back ported to rhel7?

Comment 16 Lukas Vrabec 2016-06-07 11:51:38 UTC

Yes, 

Fix will be in: selinux-policy-3.13.1-77.el7

BZ from selinux-policy side:
https://bugzilla.redhat.com/show_bug.cgi?id=1342930

Comment 19 Daniel Walsh 2016-09-23 12:39:37 UTC

Looks like this should be fixed in 7.3.

Comment 20 Chris Evich 2016-09-27 18:56:12 UTC

Note: No idea w/n the policy actually works as reported, but it is defined in the latest 7.3 build (snap 5):

# rpm -q selinux-policy
selinux-policy-3.13.1-100.el7.noarch

# strings /etc/selinux/targeted/policy/policy.30 | grep -i onload
onload_fs_t
onloadfs

Comment 21 errata-xmlrpc 2016-11-04 09:07:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2634.html

Note You need to log in before you can comment on or make changes to this bug.