Bug 1461488 - AVC denial on runc with user namespace
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4-Alt
Hardware: ppc64le
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
: Extras
Depends On:
Blocks:
Reported: 2017-06-14 10:58 EDT by CAI Qian
Modified: 2017-08-01 11:28 EDT (History)
CC: 8 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 11:28:52 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description CAI Qian 2017-06-14 10:58:48 EDT
Description of problem:
Trying to run runc with user namespace failed.

# runc run root
nsenter: failed to unshare namespaces: Operation not permitted
container_linux.go:262: starting container process caused "process_linux.go:247: running exec setns process for init caused \"exit status 34\""

# ausearch -m AVC
----
time->Wed Jun 14 10:33:20 2017
type=PROCTITLE msg=audit(1497450800.110:461): proctitle=2F70726F632F73656C662F65786500696E6974
type=SYSCALL msg=audit(1497450800.110:461): arch=c0000015 syscall=282 success=no exit=-1 a0=7c020000 a1=10377a10 a2=0 a3=0 items=0 ppid=24779 pid=24788 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=19 comm="runc:[1:CHILD]" exe="/usr/bin/runc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1497450800.110:461): avc:  denied  { sys_admin } for  pid=24788 comm="runc:[1:CHILD]" capability=21  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

# audit2allow -a


#============= unconfined_t ==============
allow unconfined_t self:cap_userns sys_admin;

I suppose that the SELinux policy needs to deal with those new capability classes from the 4.10 kernel, cap_userns and cap2_userns.

Version-Release number of selected component (if applicable):
Pegas-7.4-20170425.0
kernel-4.10.0-11.el7.ppc64le
libselinux-utils-2.5-11.el7.ppc64le
libselinux-python-2.5-11.el7.ppc64le
libselinux-2.5-11.el7.ppc64le
selinux-policy-3.13.1-144.el7.noarch
selinux-policy-targeted-3.13.1-144.el7.noarch
container-selinux-2.12-2.gite7096ce.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Set up runc with user namespace like,
https://fedorapeople.org/cgit/caiqian/public_git/runctst.git/tree/runctst.py#n707

Actual results:
Have AVC denial.

Expected results:
No AVC denial.

Additional info:
This works fine in RHEL 7.4.
Comment 1 Daniel Walsh 2017-06-14 11:04:04 EDT
This is an SELinux policy issue.  Unconfined_t should have access to all user namespace capabilities.
Comment 2 Daniel Walsh 2017-06-14 11:04:40 EDT
Lukas, this one is critical to fix.
Comment 3 CAI Qian 2017-06-14 11:06:06 EDT
FYI, more stuff has been denied right now.

# audit2allow -a


#============= unconfined_t ==============
allow unconfined_t self:cap_userns { dac_override dac_read_search setgid setpcap setuid sys_admin sys_ptrace sys_resource };
Comment 5 Milos Malik 2017-06-14 12:50:44 EDT
Could you attach the list of all AVCs in raw form, which are triggered by your scenario?

# ausearch -m avc -m user_avc -i -ts today
Comment 6 CAI Qian 2017-06-14 16:11:44 EDT
# ausearch -m avc -m user_avc -i -ts today
----
type=USER_AVC msg=audit(06/14/2017 12:50:51.730:98) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/14/2017 12:50:51.730:99) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(06/14/2017 16:09:58.996:155) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:09:58.996:155) : arch=ppc64le syscall=unshare success=no exit=EPERM(Operation not permitted) a0=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET a1=0x10377a10 a2=0x0 a3=0x0 items=0 ppid=4781 pid=4790 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc:[1:CHILD] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:09:58.996:155) : avc:  denied  { sys_admin } for  pid=4790 comm=runc:[1:CHILD] capability=sys_admin  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
Comment 7 CAI Qian 2017-06-14 16:14:47 EDT
----
type=USER_AVC msg=audit(06/14/2017 16:13:22.751:180) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:24.871:181) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:24.871:181) : arch=ppc64le syscall=unshare success=yes exit=0 a0=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET a1=0x10377a10 a2=0x0 a3=0x0 items=0 ppid=5754 pid=5763 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc:[1:CHILD] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:24.871:181) : avc:  denied  { sys_admin } for  pid=5763 comm=runc:[1:CHILD] capability=sys_admin  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:182) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:182) : arch=ppc64le syscall=setuid success=yes exit=0 a0=root a1=0x0 a2=0x1b0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=root euid=test suid=test fsuid=test egid=root sgid=root fsgid=root tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:25.901:182) : avc:  denied  { setuid } for  pid=5764 comm=runc:[2:INIT] capability=setuid  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:183) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:183) : arch=ppc64le syscall=setgid success=yes exit=0 a0=root a1=0x0 a2=0x0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:25.901:183) : avc:  denied  { setgid } for  pid=5764 comm=runc:[2:INIT] capability=setgid  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.901:184) : proctitle=runc run -b /etc root 
type=SYSCALL msg=audit(06/14/2017 16:13:25.901:184) : arch=ppc64le syscall=readlinkat success=yes exit=12 a0=0xffffffffffffff9c a1=0xc420164080 a2=0xc42017c000 a3=0x80 items=0 ppid=4836 pid=5754 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:25.901:184) : avc:  denied  { sys_ptrace } for  pid=5754 comm=runc capability=sys_ptrace  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:25.921:185) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:25.921:185) : arch=ppc64le syscall=mkdirat success=yes exit=0 a0=0xffffffffffffff9c a1=0xc420132630 a2=0755 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:25.921:185) : avc:  denied  { dac_override } for  pid=5764 comm=runc:[2:INIT] capability=dac_override  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:186) : proctitle=runc run -b /etc root 
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:186) : arch=ppc64le syscall=prlimit64 success=yes exit=0 a0=0x1684 a1=0x7 a2=0xc4200ce380 a3=0xc4200ce380 items=0 ppid=4836 pid=5754 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runc exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:26.051:186) : avc:  denied  { sys_resource } for  pid=5754 comm=runc capability=sys_resource  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:187) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:187) : arch=ppc64le syscall=openat success=yes exit=6 a0=0xffffffffffffff9c a1=0xc42012f190 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:26.051:187) : avc:  denied  { dac_read_search } for  pid=5764 comm=runc:[2:INIT] capability=dac_read_search  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 
----
type=PROCTITLE msg=audit(06/14/2017 16:13:26.051:188) : proctitle=/proc/self/exe init 
type=SYSCALL msg=audit(06/14/2017 16:13:26.051:188) : arch=ppc64le syscall=prctl success=yes exit=0 a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=5754 pid=5764 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=(none) ses=1 comm=runc:[2:INIT] exe=/usr/bin/runc subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/14/2017 16:13:26.051:188) : avc:  denied  { setpcap } for  pid=5764 comm=runc:[2:INIT] capability=setpcap  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
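The eight cap_userns denials in the ausearch output above collapse into the single allow rule that audit2allow printed in comment 3. The following is an added example (not part of the bug report, and not audit2allow's own code) that does the same grouping and additionally separates the one denial raised while enforcing from the ones merely logged in permissive mode; the sample records are copied from the output above and trimmed to the fields the parser needs.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from this bug's ausearch output (the first from the
# enforcing run, the rest from the permissive run), plus one non-denial USER_AVC notice.
SAMPLE = """\
type=USER_AVC msg=audit(06/14/2017 16:13:22.751:180) : pid=1 uid=root subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)'
type=AVC msg=audit(06/14/2017 16:09:58.996:155) : avc:  denied  { sys_admin } for  pid=4790 comm=runc:[1:CHILD] capability=sys_admin  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(06/14/2017 16:13:25.901:182) : avc:  denied  { setuid } for  pid=5764 comm=runc:[2:INIT] capability=setuid  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:25.901:183) : avc:  denied  { setgid } for  pid=5764 comm=runc:[2:INIT] capability=setgid  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:25.901:184) : avc:  denied  { sys_ptrace } for  pid=5754 comm=runc capability=sys_ptrace  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:25.921:185) : avc:  denied  { dac_override } for  pid=5764 comm=runc:[2:INIT] capability=dac_override  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:26.051:186) : avc:  denied  { sys_resource } for  pid=5754 comm=runc capability=sys_resource  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:26.051:187) : avc:  denied  { dac_read_search } for  pid=5764 comm=runc:[2:INIT] capability=dac_read_search  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=AVC msg=audit(06/14/2017 16:13:26.051:188) : avc:  denied  { setpcap } for  pid=5764 comm=runc:[2:INIT] capability=setpcap  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
"""

# Matches both the raw (comm="...") and the ausearch -i interpreted record layout.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?")

def ctx_type(context):
    return context.split(":")[2]   # user:role:type[:range] -> type

def parse_avcs(text):
    # One (source_type, target, tclass, perms, enforced) tuple per AVC denial.
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:            # USER_AVC notices, SYSCALL/PROCTITLE lines, etc.
            continue
        src, tgt = ctx_type(m["scontext"]), ctx_type(m["tcontext"])
        target = "self" if src == tgt else tgt
        records.append((src, target, m["tclass"], tuple(m["perms"].split()),
                        m["permissive"] == "0"))
    return records

def allow_rules(records):
    # Collapse denials into audit2allow-style rules, one per (source, target, class).
    grouped = defaultdict(set)
    for src, target, tclass, perms, _ in records:
        grouped[(src, target, tclass)].update(perms)
    rules = []
    for (src, target, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {target}:{tclass} {body};")
    return rules

def enforced_perms(records):
    # Permissions that were actually blocked (permissive=0) rather than only logged.
    return sorted({p for *_, perms, enforced in records if enforced for p in perms})
```

Running `allow_rules(parse_avcs(SAMPLE))` reproduces the comment 3 rule verbatim, while `enforced_perms` shows that only sys_admin was blocked in the enforcing run; the remaining seven only surfaced once the reporter switched to permissive mode.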
Comment 10 errata-xmlrpc 2017-08-01 11:28:52 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
