Bug 1403254 - Running systemd in container produces AVC denial about writing to max_dgram_qlen
Summary: Running systemd in container produces AVC denial about writing to max_dgram_qlen
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On: 1373746
Blocks: 1408126
Reported: 2016-12-09 14:11 UTC by Jan Pazdziora
Modified: 2017-08-01 15:17 UTC (History)

Fixed In Version: selinux-policy-3.13.1-117.el7
Doc Type: Bug Fix
Doc Text:
Due to missing policy rules, SELinux denied running systemd in a container. The rules to allow containers to write to "unix_sysctls" and to use file descriptors leaked to them from parent processes were added, and the SELinux denials no longer occur.
Clone Of: 1373746
Clones: 1408126
Environment:
Last Closed: 2017-08-01 15:17:42 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Comment 1 Jan Pazdziora 2016-12-09 14:13:19 UTC
It looks like the bug is now in RHEL 7.3(.1) as well. Running

# docker run --rm -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp fedora:24 /usr/sbin/init

produces AVC denials

type=AVC msg=audit(1481292675.651:396): avc:  denied  { write } for  pid=8350 comm="systemd" name="core_pattern" dev="proc" ino=146479 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file
type=AVC msg=audit(1481292675.654:397): avc:  denied  { write } for  pid=8350 comm="systemd" name="max_dgram_qlen" dev="proc" ino=145343 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file

This is with

docker-1.10.3-59.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
container-selinux-1.10.3-59.el7.x86_64

Comment 4 Daniel Walsh 2016-12-09 15:05:07 UTC
Looks like I added a commit to virt.te to take care of this back in August.

commit 1014781f4b6f08bef0a1ffda852d3bcd97ea506b
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Mon Aug 22 10:06:39 2016 -0400

    Fixes for containers
    
    Allow containers to attempt to write to unix_sysctls.
    Allow containers to use the FD's leaked to them from parent
    processes.


Are you sure you have the latest policy installed?

The dontaudit of usermodehelper happened back in March.

8c42cec0f7 virt.te                         (Dan Walsh          2016-03-07 10:50:07 -0500 1360) kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)

Lukas, what version of virt.te do we have for rhel7.3?
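To tell this particular denial pattern apart from unrelated AVCs in an audit log, and to check whether an installed selinux-policy predates the fix, the following is an added example (not code from this bug report or from the selinux-policy project). It parses AVC records, flags writes from the container domain (svirt_lxc_net_t) to the two target types named in Comment 1, and compares version-release strings with a simplified numeric comparison (an assumption; it is not a full rpmvercmp).

```python
import re

# Sample audit text: the first two records are the denials quoted in this bug,
# the third is a constructed, unrelated denial used as a negative case.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1481292675.651:396): avc:  denied  { write } for  pid=8350 comm="systemd" name="core_pattern" dev="proc" ino=146479 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file
type=AVC msg=audit(1481292675.654:397): avc:  denied  { write } for  pid=8350 comm="systemd" name="max_dgram_qlen" dev="proc" ino=145343 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file
type=AVC msg=audit(1481292680.100:398): avc:  denied  { read } for  pid=9001 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record (result, perms, key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """Extract the type field from user:role:type[:level]."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''

def matches_bug_1403254(rec):
    """True for the signature seen here: container domain writing to the
    unix sysctl or usermodehelper proc files (tclass file)."""
    return (rec is not None and rec['result'] == 'denied' and 'write' in rec['perms']
            and context_type(rec.get('scontext', '')) == 'svirt_lxc_net_t'
            and context_type(rec.get('tcontext', '')) in ('sysctl_net_unix_t', 'usermodehelper_t')
            and rec.get('tclass') == 'file')

def find_matching(audit_text):
    """Return the parsed records in audit_text that match this bug's signature."""
    return [r for r in (parse_avc(l) for l in audit_text.splitlines()) if matches_bug_1403254(r)]

def policy_is_fixed(installed, fixed='3.13.1-117.el7'):
    """Simplified version-release comparison: compare the numeric runs of each
    string left to right. Adequate for 3.13.1-NNN.el7 style strings only."""
    key = lambda v: [int(x) for x in re.findall(r'\d+', v)]
    return key(installed) >= key(fixed)
```

Run against `ausearch -m AVC` output on a host where the container shows these denials; a hit together with `policy_is_fixed()` returning False for the installed selinux-policy points at this bug rather than a new policy gap.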

Comment 13 errata-xmlrpc 2017-08-01 15:17:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

