Bug 1419288 - container-selinux-2.5-1.fc25 causes AVC denials with bind-mounted files
Summary: container-selinux-2.5-1.fc25 causes AVC denials with bind-mounted files
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 25
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2017-02-04 22:01 UTC by Alexander Groß
Modified: 2017-03-02 01:21 UTC (History)
8 users (show)

Fixed In Version: container-selinux-2.9-1.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-03-02 01:21:02 UTC
Type: Bug

Attachments (Terms of Use)

Description Alexander Groß 2017-02-04 22:01:26 UTC
# Description of problem:

I use docker-compose to orchestrate containers, e.g. a database and a web application. The web application container must wait until the database is up before running. I use https://github.com/vishnubob/wait-for-it to do the waiting and bind-mount the script into the container. Since installing container-selinux-2.5-1.fc25 docker fails to execute the wait script because access is denied by SELinux. The behavior is the same on two machines tested (all running Fedora 25 patched to latest).

Version-Release number of selected component (if applicable):

container-selinux-2.2-2.fc25 works.

# How reproducible:

Every time, downgrading to 2.2-2 removes the error.

# Steps to Reproduce:

The simplest way to reproduce is to emulate docker-compose with a docker invocation.

1. git clone https://github.com/vishnubob/wait-for-it.git /usr/local/src/wait-for-it
2. docker run --entrypoint="/wait-for-it.sh" -v /usr/local/src/wait-for-it/wait-for-it.sh:/wait-for-it.sh:ro agross/stress
   (agross/stress is just an example image)

# Actual results (docker run output):

panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
        panic: standard_init_linux.go:178: exec user process caused "permission denied"

# Expected results  (docker run output):

Error: you need to provide a host and port to test.
    wait-for-it.sh host:port [-s] [-t timeout] [-- command args]
    -h HOST | --host=HOST       Host or IP under test
    -p PORT | --port=PORT       TCP port under test
                                Alternatively, you specify the host and port as host:port
    -s | --strict               Only execute subcommand if the test succeeds
    -q | --quiet                Don't output any status messages
    -t TIMEOUT | --timeout=TIMEOUT
                                Timeout in seconds, zero for no timeout
    -- COMMAND ARGS             Execute command with args after the test finishes

# Additional info:

$ audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1486244245.275:7129): avc:  denied  { entrypoint } for  pid=20532 comm="exe" path="/wait-for-it.sh" dev="dm-0" ino=50618329 scontext=system_u:system_r:container_t:s0:c116,c857 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0

        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

$ ls /usr/local/src/wait-for-it/wait-for-it.sh -laZ
-rwxr-xr-x. 1 root root unconfined_u:object_r:usr_t:s0 3658 Aug 25 20:25 /usr/local/src/wait-for-it/wait-for-it.sh

As suggested (https://bodhi.fedoraproject.org/updates/container-selinux-2.5-1.fc25#comment-557261) I also tried to chcon wait-for-it.sh and bind-mounting with the "Z" flag, but to no avail.

Comment 1 Stephen Smalley 2017-02-06 14:29:24 UTC
Add this to policy:
typebounds container_runtime_exec_t usr_t;

Comment 2 Daniel Walsh 2017-02-13 15:19:39 UTC
Fixed in container-selinux-2.8 in updates testing.  Please update to this package and if it fixes your problem, update the karma

Comment 3 Alexander Groß 2017-02-13 18:07:21 UTC
Seems like container-selinux-2.8 is not available (yet?)

dnf update --enablerepo=updates-testing container-selinux
 container-selinux noarch 2:2.6-1.fc25 updates-testing


Comment 4 Daniel Walsh 2017-02-27 17:13:03 UTC
Ok I just fired off a build 

Comment 5 Fedora Update System 2017-02-27 17:18:34 UTC
container-selinux-2.9-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7

Comment 6 Alexander Groß 2017-02-27 18:11:34 UTC
container-selinux 2.9 is still not available for me on testing, but I can confirm that 2.6 also works on two machines.

Comment 7 Fedora Update System 2017-03-01 02:52:51 UTC
container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7

Comment 8 Fedora Update System 2017-03-02 01:21:02 UTC
container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.