Bug 1463549 - ipa-server container has AVCs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
Keywords: Extras, Regression
Depends On:
Blocks: 1405325
Reported: 2017-06-21 04:35 EDT by Martin Bašti
Modified: 2017-09-05 11:27 EDT
Fixed In Version: container-selinux-2.20-2.el7
Last Closed: 2017-09-05 06:39:36 EDT
Type: Bug
Attachments: None
Description Martin Bašti 2017-06-21 04:35:33 EDT
Description of problem:

type=PROCTITLE msg=audit(1497995293.437:166): proctitle=2F7573722F62696E2F73797374656D642D746D7066696C6573002D2D637265617465002D2D72656D6F7665002D2D626F6F74002D2D6578636C7564652D7072656669783D2F646576
type=SYSCALL msg=audit(1497995293.437:166): arch=c000003e syscall=4 success=yes exit=0 a0=7ffdd4428a60 a1=7ffdd4428ba0 a2=7ffdd4428ba0 a3=55fd94c63040 items=0 ppid=22871 pid=22931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:svirt_lxc_net_t:s0:c90,c138 key=(null)
type=SELINUX_ERR msg=audit(1497995293.437:166): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c90,c138 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint


Expected results:
No AVCs
Comment 3 Martin Bašti 2017-07-03 07:38:33 EDT
Also I'm seeing the following SELinux errors:

type=SYSCALL msg=audit(1499032492.989:169): arch=c000003e syscall=2 success=yes exit=3 a0=7f1a3c249df0 a1=80000 a2=10000 a3=7ffce423ba40 items=0 ppid=23601 pid=29315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:svirt_lxc_net_t:s0:c441,c701 key=(null)
type=SELINUX_ERR msg=audit(1499032492.989:169): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c441,c701 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint

type=SYSCALL msg=audit(1499032223.801:148): arch=c000003e syscall=2 success=yes exit=4 a0=7f44e2e8b2e0 a1=80000 a2=10000 a3=0 items=0 ppid=21137 pid=22618 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre/bin/java" subj=system_u:system_r:svirt_lxc_net_t:s0:c231,c779 key=(null)
type=SELINUX_ERR msg=audit(1499032223.801:148): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c231,c779 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
Comment 4 Jan Pazdziora 2017-07-04 05:12:16 EDT
These are not AVCs, rather SELINUX_ERR. Nonetheless, I also see them in nondeterministic fashion during container image build:

type=PROCTITLE msg=audit(1499118362.269:104): proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F79756D00696E7374616C6C002D2D64697361626C657265706F3D2A002D2D656E61626C657265706F3D7268656C2D372D7365727665722D72706D73002D79006970612D736572766572006970612D7365727665722D646E73006970612D7365727665722D747275
type=SYSCALL msg=audit(1499118362.269:104): arch=c000003e syscall=2 success=yes exit=3 a0=7f6f28b8a2e0 a1=80000 a2=10000 a3=14 items=0 ppid=14190 pid=14221 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:svirt_lxc_net_t:s0:c185,c468 key=(null)
type=SELINUX_ERR msg=audit(1499118362.269:104): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c185,c468 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
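As an added example (not from this bug or from container-selinux), the following Python groups audit records by their serial, decodes the hex-encoded proctitle, and tells a `reason=bounds` SELINUX_ERR apart from a real AVC denial, which is the distinction Jan draws above. The sample records are constructed, modelled on the ones quoted in this bug.

```python
import re
from collections import defaultdict

# Constructed sample: a bounds-check SELINUX_ERR event shaped like the ones in this
# bug, plus one constructed AVC denial so the two record kinds can be contrasted.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1497995293.437:166): proctitle=2F7573722F62696E2F73797374656D642D746D7066696C6573002D2D637265617465
type=SYSCALL msg=audit(1497995293.437:166): arch=c000003e syscall=4 success=yes exit=0 pid=22931 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:svirt_lxc_net_t:s0:c90,c138 key=(null)
type=SELINUX_ERR msg=audit(1497995293.437:166): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c90,c138 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
type=AVC msg=audit(1497995300.000:170): avc:  denied  { read } for  pid=22999 comm="ns-slapd" name="shadow" scontext=system_u:system_r:svirt_lxc_net_t:s0:c90,c138 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into (record type, event serial, {field: value})."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    return rtype, serial, {k: v.strip('"') for k, v in FIELD.findall(body)}

def decode_proctitle(value):
    """PROCTITLE is argv hex-encoded with NUL separators; unhex and split it.
    auditd prints titles that need no encoding as a quoted string, which
    fromhex() rejects, so fall back to the raw value in that case."""
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace').split('\0')
    except ValueError:
        return [value]

def group_events(text):
    """All records sharing a serial form one audit event; index them by type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial][rtype] = fields
    return events

def classify(event):
    """Verdict tuple: (kind, scontext, tcontext, permission or class)."""
    err = event.get('SELINUX_ERR', {})
    if err.get('reason') == 'bounds':        # typebounds check, not a policy denial
        return 'typebounds-violation', err['scontext'], err['tcontext'], err['perms']
    if 'AVC' in event:
        avc = event['AVC']
        return 'avc-denial', avc['scontext'], avc['tcontext'], avc.get('tclass', '')
    return 'other', '', '', ''

def report(text):
    """One row per event: (serial, kind, command, scontext, tcontext, perm/class)."""
    rows = []
    for serial, ev in sorted(group_events(text).items(), key=lambda kv: int(kv[0])):
        kind, sctx, tctx, extra = classify(ev)
        argv = decode_proctitle(ev['PROCTITLE']['proctitle']) if 'PROCTITLE' in ev else []
        cmd = argv[0] if argv else ev.get('SYSCALL', ev.get('AVC', {})).get('comm', '?')
        rows.append((serial, kind, cmd, sctx, tctx, extra))
    return rows

if __name__ == '__main__':
    for row in report(SAMPLE_AUDIT):
        print(*row)
```

Running it over a real `ausearch -i`-free raw log (for example `/var/log/audit/audit.log`) separates the bounds noise this bug is about from denials that still need a policy change.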
Comment 8 Daniel Walsh 2017-07-08 06:14:14 EDT
I actually think these are nothing but noise.  I will push a fix to RHEL that removes the typebounds policy in container-selinux.  The RHEL7 kernel and SELinux userspace do not handle this well yet.
Comment 9 Daniel Walsh 2017-07-08 06:16:44 EDT
Lokesh, 532fa20f04f7bb60be2dcf8802d47efda3bc4e10 in container-selinux removes the typebounds call that causes these SELINUX_ERR messages.

We need to get an updated container-selinux package for RHEL out.
Comment 10 Stephen Smalley 2017-07-10 10:11:54 EDT
Was the typebounds not necessary in order to allow a transition under NNP?
Comment 11 Daniel Walsh 2017-07-10 10:34:40 EDT
Yes that works in Fedora but not in RHEL yet.
Comment 19 Luwen Su 2017-08-27 02:06:36 EDT
Typebounds is removed from container-selinux-2.21-2.gitba103ac.el7.noarch, moving to verified.
Comment 21 errata-xmlrpc 2017-09-05 06:39:36 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2610