1403254 – Running systemd in container produces AVC denial about writing to max_dgram_qlen

Bug 1403254 - Running systemd in container produces AVC denial about writing to max_dgram_qlen

Summary: Running systemd in container produces AVC denial about writing to max_dgram_qlen

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:	1373746
Blocks:	1408126
TreeView+	depends on / blocked

Reported:	2016-12-09 14:11 UTC by Jan Pazdziora
Modified:	2017-08-01 15:17 UTC (History)
CC List:	23 users (show)
Fixed In Version:	selinux-policy-3.13.1-117.el7
Doc Type:	Bug Fix
Doc Text:	Due to missing policy rules, SELinux denied running systemd in a container. The rules to allow containers to write to "unix_sysctls" and to use file descriptors leaked to them from parent processes were added, and the SELinux denials no longer occur.
Clone Of:	1373746
Clones:	1408126 (view as bug list)
Environment:
Last Closed:	2017-08-01 15:17:42 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Comment 1 Jan Pazdziora 2016-12-09 14:13:19 UTC

It looks like the bug is now in RHEL 7.3(.1) as well. Running

# docker run --rm -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp fedora:24 /usr/sbin/init

produces AVC denials

type=AVC msg=audit(1481292675.651:396): avc:  denied  { write } for  pid=8350 comm="systemd" name="core_pattern" dev="proc" ino=146479 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file
type=AVC msg=audit(1481292675.654:397): avc:  denied  { write } for  pid=8350 comm="systemd" name="max_dgram_qlen" dev="proc" ino=145343 scontext=system_u:system_r:svirt_lxc_net_t:s0:c662,c859 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file

This is with

docker-1.10.3-59.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
container-selinux-1.10.3-59.el7.x86_64

Comment 4 Daniel Walsh 2016-12-09 15:05:07 UTC

Looks like I added a commit to virt.te to take care of this back in Augues.

commit 1014781f4b6f08bef0a1ffda852d3bcd97ea506b
Author: Dan Walsh <dwalsh>
Date:   Mon Aug 22 10:06:39 2016 -0400

    Fixes for containers
    
    Allow containers to attempt to write to unix_sysctls.
    Allow cotainers to use the FD's leaked to them from parent
    processes.


Are you sure you have the latest policy installed?

The dontaudit of usermodehelper happened back in March.

8c42cec0f7 virt.te                         (Dan Walsh          2016-03-07 10:50:07 -0500 1360) kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)

Lukas what version of virt.te do we have for rhel7.3?\

Comment 13 errata-xmlrpc 2017-08-01 15:17:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.

adimania
admiller
amurdaca
dominick.grift
dwalsh
extras-qa
ichavero
jcajka
jchaloup
jpazdziora
lsm5
lvrabec
marianne
mgrepl
miminar
mjahoda
mmalik
nalin
plautrba
pvrabec
riek
ssekidde
vbatts