Bug 1460779 - adding /dev/net/tun to a container with --cap-add=NET_ADMIN fails
Summary: adding /dev/net/tun to a container with --cap-add=NET_ADMIN fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 25
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-06-12 17:15 UTC by Brian (bex) Exelbierd
Modified: 2017-06-23 01:56 UTC (History)
6 users (show)

Fixed In Version: container-selinux-2.19-1.fc26 container-selinux-2.19-1.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-22 13:35:22 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Brian (bex) Exelbierd 2017-06-12 17:15:28 UTC 
Description of problem:

Adding /dev/net/tun to a container and giving the privilege NET_ADMIN should allow the device to be used.  It doesn't.

Version-Release number of selected component (if applicable):

Fedora 25 Container

How reproducible:

always

Steps to Reproduce and failed results:
1. docker run z --device /dev/net/tun -p 1194:1194/udp --cap-add=NET_ADMIN -it -v ... bex-openvpn bash
2. (in the container) # openvpn config file
...
Mon Jun 12 17:08:57 2017 ERROR: Cannot ioctl TUNSETIFF tun: Permission denied (errno=13)
Mon Jun 12 17:08:57 2017 Exiting due to fatal error

3. in the base system's journal
setroubleshoot[1009]: SELinux is preventing openvpn from create access on the tun_socket Unknown. For complete SELinux messages. run sealert -l b8b2caa6-3f51-4f03-8b18-748f3b073ba3
python3[1009]: SELinux is preventing openvpn from create access on the tun_socket Unknown.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that openvpn should be allowed create access on the Unknown tun_socket by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
                                                          # semodule -X 300 -i my-openvpn.pp

# sealert -l b8b2caa6-3f51-4f03-8b18-748f3b073ba3
SELinux is preventing openvpn from create access on the tun_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that openvpn should be allowed create access on the Unknown tun_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
# semodule -X 300 -i my-openvpn.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c77,c594
Target Context                system_u:system_r:container_t:s0:c77,c594
Target Objects                Unknown [ tun_socket ]
Source                        openvpn
Source Path                   openvpn
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.11.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp129-113.brq.redhat.com
Platform                      Linux dhcp129-113.brq.redhat.com
                              4.10.10-200.fc25.x86_64 #1 SMP Thu Apr 13 01:11:51
                              UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-06-12 18:03:24 CEST
Last Seen                     2017-06-12 18:03:24 CEST
Local ID                      b8b2caa6-3f51-4f03-8b18-748f3b073ba3

Raw Audit Messages
type=AVC msg=audit(1497283404.276:5236): avc:  denied  { create } for  pid=928 comm="openvpn" scontext=system_u:system_r:container_t:s0:c77,c594 tcontext=system_u:system_r:container_t:s0:c77,c594 tclass=tun_socket permissive=0


Hash: openvpn,container_t,container_t,tun_socket,create



Expected results:

openvpn starts
Comment 1 Daniel Walsh 2017-06-12 18:16:03 UTC 
Fixed in container-selinux-2.19
Comment 2 Brian (bex) Exelbierd 2017-06-12 18:46:47 UTC 
Could this get built for F25 as we don't seem to have later fedora images in docker hub?  This would allow me to test it.
Comment 3 Daniel Walsh 2017-06-12 19:45:21 UTC 
Building it now.
Comment 4 Daniel Walsh 2017-06-12 19:45:40 UTC 
 https://koji.fedoraproject.org/koji/taskinfo?taskID=20001990
Comment 5 Brian (bex) Exelbierd 2017-06-13 07:11:28 UTC 
I have not been able to verify this works.  I tested it by building a container that specifically dnf installed the rpm from the koji build above.

Using just --cap-add=NET_ADMIN still gets me the same error.

Is this the wrong way to test this?
Comment 6 Daniel Walsh 2017-06-13 14:30:56 UTC 
The RPM needs to be installed on the host, not in the container.
Comment 7 Brian (bex) Exelbierd 2017-06-13 14:34:08 UTC 
(In reply to Daniel Walsh from comment #6)
> The RPM needs to be installed on the host, not in the container.

HAHAHA.

Well know that that is sorted out it works for me.  Let me know if it hits bodhi so I can add some karma.
Comment 8 Daniel Walsh 2017-06-13 21:17:49 UTC 
I have released a new version for Fedora 26, but want to wait til tomorrow for F25, since there is a previous version of container-selinux out that needs one more karma or day so that I can push it.
Comment 9 Fedora Update System 2017-06-14 11:48:14 UTC 
container-selinux-2.19-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ddc47a53ee
Comment 10 Fedora Update System 2017-06-14 11:48:21 UTC 
container-selinux-2.19-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-607d2c542d
Comment 11 Daniel Walsh 2017-06-14 13:30:32 UTC 
Brian, you can test and update karma now.
Comment 12 Brian (bex) Exelbierd 2017-06-14 14:11:32 UTC 
(In reply to Daniel Walsh from comment #11)
> Brian, you can test and update karma now.

karma'ed

Thank you again for the speedy fix on this!
Comment 13 Fedora Update System 2017-06-15 10:58:19 UTC 
container-selinux-2.19-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ddc47a53ee
Comment 14 Fedora Update System 2017-06-15 13:59:57 UTC 
container-selinux-2.19-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-607d2c542d
Comment 15 Fedora Update System 2017-06-22 13:35:22 UTC 
container-selinux-2.19-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2017-06-23 01:56:41 UTC 
container-selinux-2.19-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.