Bug 1353626 - broken yum install in spc_t on 7.2.5: avc denied { transition } spc_t -> rpm_script_t
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
Reported: 2016-07-07 15:21 UTC by Colin Walters
Modified: 2016-11-04 09:06 UTC
Doc Type: If docs needed, set a value
Last Closed: 2016-11-04 09:06:31 UTC

Links:
Red Hat Product Errata RHBA-2016:2628 (normal, SHIPPED_LIVE): atomic bug fix and enhancement update, last updated 2016-11-03 18:17:14 UTC

Description Colin Walters 2016-07-07 15:21:33 UTC
# atomic host status
  TIMESTAMP (UTC)         VERSION     ID             OSNAME               REFSPEC                                                   
* 2016-06-18 15:21:12     7.2.5       9bfe1fb650     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
# rpm -q docker-latest docker
docker-latest-1.10.3-44.el7.x86_64
docker-1.10.3-44.el7.x86_64
# atomic run centos/tools
root@host-172-16-171-63 /]# yum -y install trousers
...
Running transaction
error: %pre(trousers-0.3.13-1.el7.x86_64) scriptlet failed, exit status 127
Error in PREIN scriptlet in rpm package trousers-0.3.13-1.el7.x86_64
  Verifying  : trousers-0.3.13-1.el7.x86_64    1/1

Failed:
  trousers.x86_64 0:0.3.13-1.el7    

On the host I see:

Jul 07 15:15:16 host-172-16-171-63 kernel: type=1400 audit(1467904516.377:28034): avc:  denied  { transition } for  pid=31609 comm="yum" path="/usr/bin/bash" dev="dm-4" ino=201328663 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process

Comment 1 Colin Walters 2016-07-07 15:39:18 UTC
I think what's happening here is that, ordinarily:

# docker run --rm -ti centos bash
# yum -y install /usr/sbin/getenforce
# getenforce
Disabled

However, inside a SPC, we mount /host, which ends up pulling in /host/sys/fs/selinux into the visible namespace,

# atomic run centos/tools
# getenforce
Enforcing

And looking at strace I can see this:

statfs("/sys/fs/selinux", {f_type="SYSFS_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
statfs("/selinux", 0x7ffc189c8d70)      = -1 ENOENT (No such file or directory)
brk(0)                                  = 0x198a000
brk(0x19ab000)                          = 0x19ab000
open("/proc/filesystems", O_RDONLY)     = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f74d3979000
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 1024) = 392
stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned", 0x7ffc189c8c50) = -1 ENOENT (No such file or directory)
close(3)                                = 0
munmap(0x7f74d3979000, 4096)            = 0
open("/proc/mounts", O_RDONLY)          = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f74d3979000
read(3, "rootfs / rootfs rw 0 0\n/dev/mapp"..., 1024) = 1024
read(3, "group/cpuacct,cpu cgroup rw,nosu"..., 1024) = 1024
read(3, "ae83bedbab09933f6832b7000372 /ho"..., 1024) = 1024
read(3, "host/var/lib/docker/devicemapper"..., 1024) = 1024
read(3, "er/mnt/43471a878cf339022b82f9e53"..., 1024) = 1024
read(3, "2b7000372/rootfs/sys/fs/cgroup/b"..., 1024) = 1024
read(3, "latime,attr2,inode64,noquota 0 0"..., 1024) = 1024
read(3, "atime,xattr,release_agent=/usr/l"..., 1024) = 1024
read(3, "inuxfs rw,relatime 0 0\ndebugfs /"..., 1024) = 1024
statfs("/host/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
statfs("/host/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat("/host/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
close(3)                                = 0

You can see how libselinux worked out to look at /host/sys/fs/selinux presumably because it's looking for a selinuxfs mount anywhere it can find in /proc/mounts.

Comment 3 Daniel Walsh 2016-07-07 19:42:17 UTC
We can fix the issue, but this could be a potential problem, in that we don't want labeling and load_policy to work within a container. For example, if you are running a rhel6 system and you update the selinux-policy package, we don't want this to update the policy on the host, even though this is an SPC.

Comment 4 Daniel Walsh 2016-07-07 19:56:42 UTC
# docker run -it --rm --name tools1 -v /sys/fs/selinux:/sys/fs/selinux:ro  --privileged --ipc=host --net=host --pid=host -e HOST=/host -e NAME=tools -e IMAGE=centos/tools -v /run:/run -v /var/log:/var/log -v /etc/localtime:/etc/localtime -v /:/host centos/tools
# getenforce 
Disabled

So mounting in /sys/fs/selinux as ro fixes the problem. I will add this to --spc.

https://github.com/projectatomic/atomic/pull/455
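
The mechanism in comment 1 (libselinux finding the host's selinuxfs through /proc/mounts) and the effect of the read-only mount in comment 4, as an added example that is not code from the bug report, atomic or libselinux: a Python model of the selinuxfs lookup, replayed for the three container setups shown in this bug. It assumes the search order stated in the code comments (taken from libselinux's init_selinuxmnt) and uses constructed /proc/mounts excerpts; the magic constants are the f_type values visible in the strace above.

```python
# Added example, not code from the bug report, atomic, or libselinux: a model of how
# libselinux picks its selinuxfs mount, replayed for the three container setups in this
# bug. Assumed from libselinux's init_selinuxmnt(): /sys/fs/selinux is checked first and,
# if it is selinuxfs at all, ends the search (read-only counts as "no usable mount");
# only otherwise is /proc/mounts scanned for any entry of filesystem type "selinuxfs".
SELINUX_MAGIC = 0xF97CFF8C  # f_type shown in the strace for /host/sys/fs/selinux
SYSFS_MAGIC = 0x62656572    # plain sysfs, which is what /sys/fs/selinux is in a container

def find_selinuxmnt(statfs, proc_mounts):
    """Return the selinuxfs mount libselinux would use, or None (SELinux looks disabled).
    statfs: dict path -> (f_type, read_only), standing in for statfs()/statvfs().
    proc_mounts: text of /proc/mounts as seen inside the container."""
    f_type, read_only = statfs.get("/sys/fs/selinux", (None, True))
    if f_type == SELINUX_MAGIC:
        return None if read_only else "/sys/fs/selinux"
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "selinuxfs":
            f_type, read_only = statfs.get(fields[1], (None, True))
            if f_type == SELINUX_MAGIC and not read_only:
                return fields[1]  # /host/sys/fs/selinux: the host's policy leaks in
    return None

def getenforce(statfs, proc_mounts):
    """What getenforce prints, given that the host itself is Enforcing."""
    return "Enforcing" if find_selinuxmnt(statfs, proc_mounts) else "Disabled"

# Constructed /proc/mounts excerpts; the /host lines stand in for "-v /:/host".
CONTAINER_MOUNTS = "rootfs / rootfs rw 0 0\nsysfs /sys sysfs rw,nosuid 0 0\n"
SPC_MOUNTS = CONTAINER_MOUNTS + (
    "/dev/mapper/root /host xfs rw,relatime 0 0\n"
    "selinuxfs /host/sys/fs/selinux selinuxfs rw,relatime 0 0\n")
FIXED_SPC_MOUNTS = SPC_MOUNTS + "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n"

def scenarios():
    """The three runs in the report: docker run, atomic run before and after the fix."""
    plain = {"/sys/fs/selinux": (SYSFS_MAGIC, False)}
    spc = {**plain, "/host/sys/fs/selinux": (SELINUX_MAGIC, False)}
    fixed = {**spc, "/sys/fs/selinux": (SELINUX_MAGIC, True)}  # the -v ...:ro fix
    return {
        "docker run centos": getenforce(plain, CONTAINER_MOUNTS),
        "atomic run (bug)": getenforce(spc, SPC_MOUNTS),
        "atomic run (ro /sys/fs/selinux)": getenforce(fixed, FIXED_SPC_MOUNTS),
    }
```

Note that the read-only mount works only because the canonical path is checked first: an ro selinuxfs at /sys/fs/selinux stops the search before the rw host mount under /host is ever considered.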

Comment 5 Daniel Walsh 2016-08-17 13:35:26 UTC
Fixed in atomic-1.11.

Comment 6 Lokesh Mandvekar 2016-09-07 05:36:02 UTC
Dan, moving this to atomic as per Comment 5.

Comment 8 Alex Jia 2016-09-19 03:36:23 UTC
The -v /sys/fs/selinux:/sys/fs/selinux:ro option has been added to atomic-1.12.2-2.el7.x86_64, and I can successfully run the centos/tools image, so moving the bug to VERIFIED status.

[root@hp-dl360g9-04 /]# atomic run centos/tools
Using default tag: latest
Trying to pull repository docker.io/centos/tools ... 
latest: Pulling from docker.io/centos/tools
3d8673bd162a: Pull complete 
fe5ec1faff9a: Pull complete 
355a87ce8b4b: Pull complete 
038c4c85b886: Pull complete 
Digest: sha256:969858ac9feb2dbef50f0c8a12306aa1512ef7b23c98e11aecbb02f3191784c5
Status: Downloaded newer image for docker.io/centos/tools:latest
docker run -it --name tools --privileged --ipc=host --net=host --pid=host -e HOST=/host -e NAME=tools -e IMAGE=centos/tools -v /sys/fs/selinux:/sys/fs/selinux:ro -v /run:/run -v /var/log:/var/log -v /etc/localtime:/etc/localtime -v /:/host centos/tools

This container uses privileged security switches:

INFO: --ipc=host 
      Processes in this container can see and possibly interact with all semaphores and shared memory segments on the host as well as disables SELinux within the container.

INFO: --net=host 
      Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.

INFO: --pid=host 
      Processes in this container can see and interact with all processes on the host and disables SELinux within the container.

INFO: --privileged 
      This container runs without separation and should be considered the same as root on your system.

For more information on these switches and their security implications, consult the manpage for 'docker run'.

[root@hp-dl360g9-04 /]# getenforce
Disabled

Comment 10 errata-xmlrpc 2016-11-04 09:06:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2628.html
