Bug 1423502 - Update of oci-systemd-hook leads to AVC denied messages
Summary: Update of oci-systemd-hook leads to AVC denied messages
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: oci-systemd-hook
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: David Darrah/Red Hat QE
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On: 1419040
Blocks: 1186913 1420851
Reported: 2017-02-17 13:17 UTC by Robert Scheck
Modified: 2020-12-14 08:11 UTC (History)

Fixed In Version: oci-systemd-hook-0.1.6-1.gitfe22236.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-22 15:24:25 UTC
Target Upstream Version:
Embargoed:




Links
GitHub projectatomic/oci-systemd-hook issue 46 (closed): Recent changes to /var/log mounting breaks containers expecting build to populate /var/log (last updated 2020-09-14 15:28:50 UTC)
GitHub projectatomic/oci-systemd-hook pull 42 (closed): Fix /var/log and /tmp mount volume mounts to show up in container (last updated 2020-09-14 15:28:51 UTC)
Red Hat Bugzilla 1419040 (CLOSED): The change to /var/log mounting breaks the running of services that require a folder in /var/log created at docker build... (last updated 2021-02-22 00:41:40 UTC)

Description Robert Scheck 2017-02-17 13:17:28 UTC
Description of problem:
Aside from the issues caused by the update of oci-systemd-hook mentioned
at https://bugzilla.redhat.com/show_bug.cgi?id=1419040, the same update also
leads to new SELinux AVC denied messages, such as:

type=SYSCALL msg=audit(1487262984.032:1147): arch=c000003e syscall=56 success=yes exit=12238 a0=6c028011 a1=7ffee0566900 a2=7ffee0567a30 a3=0 items=0 ppid=12229 pid=12237 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/libexec/docker/docker-runc-current" subj=system_u:system_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1487262984.262:1148): avc:  denied  { remount } for  pid=12279 comm="(e-db-dir)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262984.262:1148): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff1252ec0c0 a2=0 a3=1026 items=0 ppid=12238 pid=12279 auid=4294967295 uid=0 gid=27 euid=0 suid=0 fsuid=0 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="(e-db-dir)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262984.307:1149): avc:  denied  { remount } for  pid=12311 comm="(qld_safe)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262984.307:1149): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff12532a160 a2=0 a3=1026 items=0 ppid=12238 pid=12311 auid=4294967295 uid=0 gid=27 euid=0 suid=0 fsuid=0 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="(qld_safe)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262984.307:1150): avc:  denied  { remount } for  pid=12312 comm="(it-ready)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262984.307:1150): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff12532a2c0 a2=0 a3=1026 items=0 ppid=12238 pid=12312 auid=4294967295 uid=0 gid=27 euid=0 suid=0 fsuid=0 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="(it-ready)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262986.357:1151): avc:  denied  { remount } for  pid=12530 comm="(extcloud)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262986.357:1151): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff12532a2b0 a2=0 a3=1026 items=0 ppid=12238 pid=12530 auid=4294967295 uid=0 gid=27 euid=0 suid=0 fsuid=0 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="(extcloud)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262986.382:1152): avc:  denied  { remount } for  pid=12538 comm="(extcloud)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262986.382:1152): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff125328bb0 a2=0 a3=1026 items=0 ppid=12238 pid=12538 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(extcloud)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262986.409:1153): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=169409 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262986.409:1153): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ed60 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=VIRT_CONTROL msg=audit(1487262986.596:1154): pid=7210 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='auid=0 exe=? hostname=? reason=api op=exec vm=? vm-pid=? user=root  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1487262986.597:1155): pid=7210 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='user=root auid=0 exe=? hostname=? reason=api op=start vm=? vm-pid=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1487262986.597:1156): pid=7210 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm-pid=? user=root auid=0 exe=? hostname=? reason=api op=resize vm=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1487262986.665:1157): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=167357 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262986.665:1157): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ecc0 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262986.862:1158): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=167397 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262986.862:1158): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ecc0 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262987.062:1159): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=167424 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262987.062:1159): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ecc0 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262987.257:1160): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=167447 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262987.257:1160): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ecc0 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262987.450:1161): avc:  denied  { remount } for  pid=12674 comm="(httpd)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262987.450:1161): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff125332260 a2=0 a3=1026 items=0 ppid=12238 pid=12674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(httpd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.13.noarch
selinux-policy-targeted-3.13.1-102.el7_3.13.noarch
container-selinux-1.12.5-14.el7.x86_64
oci-systemd-hook-0.1.4-9.git671c428.el7.x86_64

How reproducible:
See bug #1419040 comment 0, or the reproducer in the initial description on GitHub at
https://github.com/projectatomic/oci-systemd-hook/issues/46

Actual results:
allow svirt_lxc_net_t tmpfs_t:filesystem { mount remount unmount };
allow svirt_lxc_net_t svirt_sandbox_file_t:filesystem { remount };

Expected results:
No AVC denied messages.
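As an added example (not part of this report or of oci-systemd-hook), a small Python parser over audit records shaped like the AVC lines above: it reduces them to the audit2allow-style rules shown under "Actual results", and separately flags the class of denial that comment 5 says should be fixed in the hook rather than covered by policy. The sample records and the CONTAINER_TYPES set are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the audit records quoted in this bug;
# the SYSCALL line is there to show that only AVC records are parsed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1487262984.262:1148): avc:  denied  { remount } for  pid=12279 comm="(e-db-dir)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262984.262:1148): arch=c000003e syscall=165 success=no exit=-13 comm="(e-db-dir)"
type=AVC msg=audit(1487262986.409:1153): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=169409 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1487262987.450:1161): avc:  denied  { remount } for  pid=12674 comm="(httpd)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Container process domains on RHEL 7 (container_t is the newer name for svirt_lxc_net_t).
CONTAINER_TYPES = {"svirt_lxc_net_t", "container_t"}

def selinux_type(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def parse_denials(text):
    """One dict per AVC denial record; SYSCALL and other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"perms": set(m.group("perms").split()),
                            "comm": m.group("comm"),
                            "stype": selinux_type(m.group("scontext")),
                            "ttype": selinux_type(m.group("tcontext")),
                            "tclass": m.group("tclass")})
    return denials

def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, as in 'Actual results'."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in grouped.items())

def container_mount_denials(denials):
    """Denials a policy change must not paper over: a container domain trying to
    mount or remount a filesystem. Per comment 5 the fix belongs in the hook."""
    return [d for d in denials
            if d["stype"] in CONTAINER_TYPES and d["tclass"] == "filesystem"
            and d["perms"] & {"mount", "remount", "unmount"}]
```

Feeding the three constructed AVC records through allow_rules() gives the two rules that audit2allow would suggest, while container_mount_denials() returns all three, i.e. none of them are candidates for an allow or dontaudit rule.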

Comment 1 Robert Scheck 2017-02-17 13:21:17 UTC
Cross-filed case 01794554 on the Red Hat customer portal.

Comment 3 Daniel Walsh 2017-02-20 16:07:50 UTC
This is systemd doing things that we are attempting to get oci-systemd-hook to do for it. Basically we are not going to allow file systems to be mounted within the container.

Comment 4 Robert Scheck 2017-02-20 16:46:37 UTC
Not sure if I get you, Daniel. These mounting attempts should be either
allow'ed or dontaudit'ed. They result from updated oci-systemd-hook. In
the end, https://github.com/projectatomic/oci-systemd-hook/pull/42 is
the cause.

Comment 5 Daniel Walsh 2017-02-20 19:10:40 UTC
oci-systemd-hook should not be running as container_t (svirt_lxc_net_t). These AVCs are caused by systemd inside of the container attempting to mount file systems, which we want to prevent. So we don't want SELinux to allow or cover this up. We want to fix oci-systemd-hook to set up the environment in such a way that systemd will not attempt to mount.

Comment 6 Daniel Walsh 2017-03-12 12:17:23 UTC
Tom, could you check to see if this is fixed with the latest oci-systemd-hook?

Comment 7 Tom Sweeney 2017-03-25 20:37:12 UTC
(In reply to Daniel Walsh from comment #6)
> Tom, could you check to see if this is fixed with the latest oci-systemd-hook?

Seems to be fixed in oci-systemd-hook-0.1.6-1.gitfe22236.el7. Test results follow. Dan, I'll touch base with you Monday to close.

[root@rhel73bz ~]# cat > Dockerfile.mariadb << EOF
> FROM centos:latest
> STOPSIGNAL SIGRTMIN+3
>  
> RUN yum -y install mariadb-server && yum clean all
>  
> RUN systemctl enable mariadb
>  
> VOLUME /var/lib/mysql
>  
> CMD ["/sbin/init"]
> EOF
[root@rhel73bz ~]# 
[root@rhel73bz ~]# docker volume create --name localtest-mdb
localtest-mdb
[root@rhel73bz ~]# docker build -f Dockerfile.mariadb -t localtest-mdb .
Sending build context to Docker daemon 14.85 kB
Step 1 : FROM centos:latest
 ---> 98d35105a391
Step 2 : STOPSIGNAL SIGRTMIN+3
 ---> Using cache
 ---> d21037da37ed
Step 3 : RUN yum -y install mariadb-server && yum clean all
 ---> Using cache
 ---> 4440f237aa2b
Step 4 : RUN systemctl enable mariadb
 ---> Using cache
 ---> 007cbeb7dcff
Step 5 : VOLUME /var/lib/mysql
 ---> Using cache
 ---> dc7109037dbf
Step 6 : CMD /sbin/init
 ---> Using cache
 ---> 53e981575dd6
Successfully built 53e981575dd6
[root@rhel73bz ~]# docker run -dt -v localtest-mdb:/var/lib/mysql --name localtest-mdb localtest-mdb
8f5f9735e44d3b517c009d7ee7e6a234ea701da21b70b1308756df38cdbfb53e
[root@rhel73bz ~]# docker exec -t localtest-mdb /bin/bash -c 'for i in {1..30}; do if systemctl is-active mariadb ; then break  ; else sleep 1 ; fi done;'
inactive
inactive
activating
activating
activating
activating
active
[root@rhel73bz ~]# docker exec -t localtest-mdb mysql -e "GRANT ALL PRIVILEGES ON *.* TO 'testuser'@'%' IDENTIFIED BY 'testpassword' WITH GRANT OPTION;"
[root@rhel73bz ~]# docker stop localtest-mdb
localtest-mdb
[root@rhel73bz ~]# docker rm localtest-mdb
localtest-mdb
[root@rhel73bz ~]# uname -a
Linux rhel73bz.localdomain 3.10.0-625.el7.x86_64 #1 SMP Thu Mar 23 11:04:30 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@rhel73bz ~]# cat /proc/version
Linux version 3.10.0-625.el7.x86_64 (mockbuild.eng.bos.redhat.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Thu Mar 23 11:04:30 EDT 2017
[root@rhel73bz ~]# rpm -qa | grep oci-systemd-hook
oci-systemd-hook-0.1.6-1.gitfe22236.el7.x86_64

Comment 8 Tom Sweeney 2017-03-27 13:41:29 UTC
I've tested with the latest patch (see previous comment) and the problem has been resolved.  I've changed the status to ON_QA pending any approval they may need to do.

Comment 9 David Darrah/Red Hat QE 2017-03-28 20:47:10 UTC
Verified on RHEL with latest build as above.

