1439370 – unable to umount bind mount inside containers

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1439370 - unable to umount bind mount inside containers

Summary: unable to umount bind mount inside containers

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	container-selinux
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lokesh Mandvekar
QA Contact:	Martin Jenner
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-04-05 20:02 UTC by Qian Cai
Modified:	2017-10-19 15:20 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-10-19 15:20:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2969	0	normal	SHIPPED_LIVE	container-selinux bug fix and enhancement update	2017-10-19 18:54:24 UTC

Description Qian Cai 2017-04-05 20:02:00 UTC

Description of problem:
# getenforce 
Enforcing
# docker run -it --rm --cap-add SYS_ADMIN rhel7 bash
[root@ba596a31233d /]# mount -o bind /mnt/ /mnt/
[root@ba596a31233d /]# umount /mnt/
umount: /mnt: block devices not permitted on fs

Once "setenforce 0", it works fine.

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux
libselinux-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.16.noarch
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
container-selinux-2.10-2.el7.noarch
libselinux-python-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
RHEL/Atomic Host 7.3.4

How reproducible:
always


Additional info:

Comment 2 Qian Cai 2017-04-05 20:04:59 UTC

BTW, this is no AVC messages in logs.

Comment 3 Milos Malik 2017-04-06 10:11:16 UTC

Maybe there are dontaudit rules involved. Please run "semodule -DB" and then repeat your scenario. Do you see any AVCs now?

Comment 4 Qian Cai 2017-04-06 13:33:20 UTC

Yes.

----
time->Thu Apr  6 09:32:26 2017
type=SYSCALL msg=audit(1491485546.339:1973): arch=c000003e syscall=166 success=no exit=-13 a0=555e7f186a00 a1=0 a2=1 a3=7ffd0e7ee8c0 items=0 ppid=30429 pid=30469 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="umount" exe="/usr/bin/umount" subj=system_u:system_r:svirt_lxc_net_t:s0:c350,c905 key=(null)
type=AVC msg=audit(1491485546.339:1973): avc:  denied  { unmount } for  pid=30469 comm="umount" scontext=system_u:system_r:svirt_lxc_net_t:s0:c350,c905 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c350,c905 tclass=filesystem

Comment 5 Daniel Walsh 2017-04-10 12:45:09 UTC

I don't know why the mount worked.  Since container_t is not allowed to mount container_file_t?  That should have broken.  Being able to mount and umount of container_file_t, is a questionable allow.  If all it would allow is the bind mount then we would be pretty safe, but I am not sure.

Comment 6 Daniel Walsh 2017-04-10 12:48:36 UTC

Eric, Paul and Stephen, how dangerous would it be to add

allow container_t container_file_t:filesystem { mount umount} and then rely on seccomp and SYS_ADMIN capability to control this access?

Comment 7 Stephen Smalley 2017-04-10 13:15:42 UTC

(In reply to Daniel Walsh from comment #5)
> I don't know why the mount worked.  Since container_t is not allowed to
> mount container_file_t?  That should have broken.  Being able to mount and
> umount of container_file_t, is a questionable allow.  If all it would allow
> is the bind mount then we would be pretty safe, but I am not sure.

1) Looks like the domain is svirt_lxc_net_t, not container_t, per the AVC message for unmount.

2) You allow that domain mounton permission, which is all that is required (in addition to sys_admin capability) in order to perform a bind mount.
sesearch -A -s svirt_lxc_net_t -p mounton
Found 1 semantic av rules:
 allow svirt_sandbox_domain svirt_sandbox_file_t : dir { ioctl read write create getattr setattr lock unlink link rename mounton add_name remove_name reparent search rmdir open };

You also allow this between container_t and container_file_t in Fedora, via two different rules.

Comment 8 Stephen Smalley 2017-04-10 13:24:16 UTC

(In reply to Daniel Walsh from comment #6)
> Eric, Paul and Stephen, how dangerous would it be to add
> 
> allow container_t container_file_t:filesystem { mount umount} and then rely
> on seccomp and SYS_ADMIN capability to control this access?

At that point you are no longer using SELinux to restrict the container, right, at least wrt mounting.  Obviously that is no longer a MAC solution.

sys_admin is required in policy in order to mount.  With the cap_userns patches (not in RHEL7 AFAIK, it is commit 8e4ff6f228e4722cac74db716e308d1da33d744f upstream), you can allow self:cap_userns sys_admin; to permit it within a container without allowing it in the init/global namespace; however, you do not appear to be leveraging this even in Fedora yet (i.e. you are still allowing container_t self:capability ...; allow container_t self:capability2 ...; even though it should only require allow container_t self:cap_userns ...; allow container_t self:cap2_userns ...;).  That would be a MAC solution; you would then know that a container could never exercise those capabilities on the init/global namespace.

Comment 9 Daniel Walsh 2017-04-10 16:12:01 UTC

We are not running containers by default with user namespace yet.  No file system support is blocking this.  Currently we don't do much control over capabilities from an SELinux point of view, we pretty much allow all caps, since it is difficult to work with --cap-add and --cap-drop with SELinux types as we can with caps and seccomp rules.

Handling mount is something we currently partially control.  But I am not sure it is worth it from a container perspective.  I could add a boolean to allow containers to mount/remount/umount container_file_t file systems.

Comment 10 Daniel Walsh 2017-10-09 13:18:30 UTC

Fixed in container-selinux-2.28

Comment 12 Alex Jia 2017-10-10 04:03:33 UTC

This bug has been verified in container-selinux-2.28-1.git85ce147.el7.noarch.

[ajia@localhost ~]$ rpm -qa|grep selinux
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-2.5-11.el7.x86_64
container-selinux-2.28-1.git85ce147.el7.noarch
libselinux-utils-2.5-11.el7.x86_64

[ajia@localhost ~]$ sudo getenforce
Enforcing

[ajia@localhost ~]$ sudo docker run -it --rm --cap-add SYS_ADMIN rhel7 bash
[root@48c52b60baa1 /]# mount -o bind /mnt/ /mnt/
[root@48c52b60baa1 /]# umount /mnt/
[root@48c52b60baa1 /]# df
Filesystem            1K-blocks    Used Available Use% Mounted on
overlay                52403200 6595468  45807732  13% /
tmpfs                   3976040       0   3976040   0% /dev
tmpfs                   3976040       0   3976040   0% /sys/fs/cgroup
/dev/mapper/rhel-root  52403200 6595468  45807732  13% /etc/hosts
shm                       65536       0     65536   0% /dev/shm
tmpfs                   3976040       0   3976040   0% /sys/firmware

Comment 14 errata-xmlrpc 2017-10-19 15:20:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2969

Note You need to log in before you can comment on or make changes to this bug.