Description of problem:
I'm seeing the following AVC's while trying to create a router:

Version-Release number of selected component (if applicable):
docker-selinux-1.10.3-46.el7.14.x86_64
docker-1.10.3-46.el7.14.x86_64
selinux-policy-3.13.1-102.el7.noarch
atomic-openshift-3.4.0.15-1.git.0.9c963ec.el7.x86_64

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
# uname -r
3.10.0-514.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. # oadm router storage-project-router --replicas=1

Actual results:
Router creation is NOT successful and AVC's are seen

Expected results:
Router creation should be successful and NO AVC's should be seen

Additional info:
############
type=AVC msg=audit(1477421059.638:30124): avc: denied { transition } for pid=3075 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
type=AVC msg=audit(1477421062.021:30126): avc: denied { transition } for pid=3095 comm="exe" path="/usr/bin/pod" dev="dm-9" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process
type=AVC msg=audit(1477421069.356:30130): avc: denied { transition } for pid=3169 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
----
type=SYSCALL msg=audit(Wednesday 26 October 2016 A.863:30816) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0xc8205af290 a1=0xc8205af2a0 a2=0xc8200878c0 a3=0x0 items=0 ppid=3803 pid=11016 auid=unset uid=unknown(1001) gid=root euid=unknown(1001) suid=unknown(1001) fsuid=unknown(1001) egid=root sgid=root fsgid=root tty=(none) ses=unset comm=exe exe=/usr/bin/docker-current subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(Wednesday 26 October 2016 A.863:30816) : avc: denied { transition } for pid=11016 comm=exe path=/usr/bin/pod dev="dm-6" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process

allow svirt_lxc_net_t unconfined_service_t:process sigchld;
allow unconfined_service_t svirt_lxc_net_t:process transition;
#################
This is an openshift bug. Please assign it to that group for assistance.
Dan, can you take a look at this please? I am stumped.
Looks like docker is running with the wrong label.

ps -eZ | grep docker
ls -lZ /usr/bin/docker*
Dan, what would cause that? This is clearly not a networking bug. Is it misconfiguration or should I send this somewhere else?
Did you run the commands I suggested?

Also

dnf reinstall docker-selinux

There was a mismatch between the version of docker-selinux and selinux-policy-package which was causing docker-selinux to fail to install, thus leaving the docker daemon running with the wrong type.
Thanks Dan. Prasanth, can you please do as Dan suggested?
(In reply to Daniel Walsh from comment #5)
> Looks like docker is running with the wrong label.
>
> ps -eZ | grep docker
> ls -lZ /usr/bin/docker*

# ps -eZ | grep docker
system_u:system_r:unconfined_service_t:s0 1251 ?        00:00:27 docker-current
# ls -lZ /usr/bin/docker*
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0         /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:bin_t:s0         /usr/bin/docker-storage-setup
(In reply to Daniel Walsh from comment #7)
> Did you run the commands I suggested.
>
> Also
>
> dnf reinstall docker-selinux
>
> There was a mismatch between the version of docker-selinux and
> selinux-policy-package which was causing docker-selinux to fail to install,
> thus leaving the docker daemon running with the wrong type.

############
Resolving Dependencies
--> Running transaction check
---> Package docker-selinux.x86_64 0:1.10.3-46.el7.14 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================
 Package          Arch     Version            Repository                 Size
==========================================================================
Reinstalling:
 docker-selinux   x86_64   1.10.3-46.el7.14   rhel-7-server-extras-rpms  79 k

Transaction Summary
==========================================================================
Reinstall  1 Package

Total download size: 79 k
Installed size: 27 k
Is this ok [y/d/N]: y
Downloading packages:
docker-selinux-1.10.3-46.el7.14.x86_64.rpm                  |  79 kB  00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : docker-selinux-1.10.3-46.el7.14.x86_64                    1/1
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at /etc/selinux/targeted/tmp/modules/100/virt/cil:159
/usr/sbin/semodule:  Failed!
libsemanage.semanage_direct_install_info: Overriding docker module at lower priority 100 with module at priority 400.
  Verifying  : docker-selinux-1.10.3-46.el7.14.x86_64                    1/1

Installed:
  docker-selinux.x86_64 0:1.10.3-46.el7.14

Complete!
#############
I think you are supposed to be using docker-1.10.3-57.el7
(In reply to Daniel Walsh from comment #11)
> I think you are supposed to be using docker-1.10.3-57.el7

The above build was not yet available in the puddles and hence it failed to update to the latest. However, I tried manually upgrading to this build as suggested and following are the results:

########
# ps -eZ | grep docker
system_u:system_r:docker_t:s0   1305 ?        00:06:10 docker-current
# ls -lZ /usr/bin/docker*
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-storage-setup
-rwx------. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-v1.10-migrator-helper
-rwx------. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-v1.10-migrator-local
########

I'll now try creating a router and then see how it goes.
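Added here as a triage aid, not code from the bug report or from the docker / OpenShift projects: a POSIX sh script that reduces the AVC records quoted in the description to their distinct source -> target denials, and checks "ps -eZ" / "ls -lZ" output for the mislabel Dan describes (daemon in unconfined_service_t, binary labelled bin_t instead of docker_exec_t), using the broken state from comment #8 and the fixed state from comment #12 as inputs. The sample strings are constructed from lines quoted in this report; the function names, and the assumption that the ps and ls output use the RHEL 7 field layout shown here, are mine.

```shell
#!/bin/sh
# Added example, not code from the bug report or from docker/OpenShift.
# Sample inputs below are constructed from the records quoted in this report.

# Constructed sample: AVC/SYSCALL records as written to /var/log/audit/audit.log.
AVC_SAMPLE='type=AVC msg=audit(1477421059.638:30124): avc: denied { transition } for pid=3075 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
type=AVC msg=audit(1477421062.021:30126): avc: denied { transition } for pid=3095 comm="exe" path="/usr/bin/pod" dev="dm-9" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process
type=SYSCALL msg=audit(1477421062.021:30126): arch=c000003e syscall=59 success=no exit=-13 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0'

# Constructed samples: "ps -eZ | grep docker" and "ls -lZ /usr/bin/docker*"
# output in the broken state (comment #8) and after the fix (comment #12).
PS_BROKEN='system_u:system_r:unconfined_service_t:s0 1251 ? 00:00:27 docker-current'
LS_BROKEN='-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-storage-setup'
PS_FIXED='system_u:system_r:docker_t:s0 1305 ? 00:06:10 docker-current'
LS_FIXED='-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-current'

# avc_summary AUDIT_TEXT
# Prints one line per distinct denial: "source_type -> target_type class { perms }".
# Only type=AVC records are used; user/role prefix and MLS categories (c2,c3 /
# c4,c9) are dropped so the repeated per-container denials collapse to one line.
avc_summary() {
    printf '%s\n' "$1" | awk '
    /^type=AVC / && /avc: +denied/ {
        perms = $0
        sub(/.*denied [{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " -> " t[3] " " cls " { " perms " }"
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# check_docker_labels PS_OUTPUT LS_OUTPUT
# Returns 0 when the daemon runs in docker_t and every docker binary is
# labelled docker_exec_t; otherwise prints each problem and returns 1.
# Field positions assume the RHEL 7 "ps -eZ" / "ls -lZ" layouts shown above.
check_docker_labels() {
    ps_out=$1
    ls_out=$2
    rc=0
    domain=$(printf '%s\n' "$ps_out" | awk '$NF ~ /^docker/ { split($1, c, ":"); print c[3]; exit }')
    if [ "$domain" != "docker_t" ]; then
        printf 'daemon runs as %s, expected docker_t\n' "${domain:-<not running>}"
        rc=1
    fi
    bad=$(printf '%s\n' "$ls_out" | awk '{ split($4, c, ":"); if (c[3] != "docker_exec_t") print $5 " is " c[3] ", expected docker_exec_t" }')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        rc=1
    fi
    return "$rc"
}

# Stand-alone run over the constructed samples. On a real host use instead:
#   avc_summary "$(grep type=AVC /var/log/audit/audit.log)"
#   check_docker_labels "$(ps -eZ | grep docker)" "$(ls -lZ /usr/bin/docker*)"
avc_summary "$AVC_SAMPLE"
echo "--- broken state (comment #8)"
check_docker_labels "$PS_BROKEN" "$LS_BROKEN" || echo "label problems found"
echo "--- fixed state (comment #12)"
check_docker_labels "$PS_FIXED" "$LS_FIXED" && echo "labels OK"
```

Two things worth keeping in mind when reading the result: the first function tells you the denial is a domain transition attempted by a process that is itself in the wrong domain, so the audit2allow rules quoted in the description would merely paper over the mislabel; and a process keeps the domain it was exec'd with, so after the file label is repaired (a successful docker-selinux install plus restorecon -v /usr/bin/docker*) the daemon must be restarted before the second check can report docker_t.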
I've re-tested this using the latest RHEL-7.3 GA bits and it looks like the router creation works well with SELinux in Enforcing mode.

#######
selinux-policy-3.13.1-102.el7_3.4.noarch
docker-selinux-1.10.3-57.el7.x86_64

NAME                        REVISION   DESIRED   CURRENT   TRIGGERED BY
dc/storage-project-router   1          1         1         config

NAME                          DESIRED   CURRENT   READY   AGE
rc/storage-project-router-1   1         1         1       4m

NAME                         CLUSTER-IP       EXTERNAL-IP   PORT(S)                   AGE
svc/storage-project-router   172.30.131.240   <none>        80/TCP,443/TCP,1936/TCP   4m

NAME                                READY   STATUS    RESTARTS   AGE
po/storage-project-router-1-uuomp   1/1     Running   0          4m

# oc get pods
NAME                             READY   STATUS    RESTARTS   AGE
storage-project-router-1-uuomp   1/1     Running   0          1m
#######