Bug 1467432 - AVCs reported during weekly openscap-docker verification
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Lokesh Mandvekar
atomic-bugs@redhat.com
: Extras
Reported: 2017-07-03 17:07 EDT by Marek Haicman
Modified: 2017-08-21 11:07 EDT (History)

Fixed In Version: container-selinux-2.20-2.el7
Type: Bug
Description Marek Haicman 2017-07-03 17:07:37 EDT
Description of problem:
During verification of openscap-docker-7.3.6-4 the following AVCs were encountered:

---
time->Mon Jul  3 11:38:01 2017
type=USER_AVC msg=audit(1499096281.893:57): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Jul  3 11:38:01 2017
type=USER_AVC msg=audit(1499096281.893:58): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Jul  3 11:39:00 2017
type=SYSCALL msg=audit(1499096340.605:152): arch=c000003e syscall=2 success=yes exit=3 a0=7fdfcf9972e0 a1=80000 a2=10000 a3=7ffd2a3180b0 items=0 ppid=13520 pid=13536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:svirt_lxc_net_t:s0:c14,c293 key=(null)
type=SELINUX_ERR msg=audit(1499096340.605:152): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c14,c293 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
----
time->Mon Jul  3 11:38:58 2017
type=SYSCALL msg=audit(1499096338.506:143): arch=c000003e syscall=2 success=yes exit=3 a0=7f320c6782e0 a1=80000 a2=10000 a3=7ffe8d03b470 items=0 ppid=13323 pid=13338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:svirt_lxc_net_t:s0:c640,c917 key=(null)
type=SELINUX_ERR msg=audit(1499096338.506:143): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c640,c917 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint


And later, during call of atomic scan command:
----
time->Mon Jul  3 11:39:26 2017
type=SYSCALL msg=audit(1499096366.823:192): arch=c000003e syscall=2 success=yes exit=8 a0=7f035f530537 a1=80000 a2=1b6 a3=24 items=0 ppid=14940 pid=14954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="oscapd-evaluate" exe="/usr/bin/python2.7" subj=system_u:system_r:svirt_lxc_net_t:s0:c159,c968 key=(null)
type=SELINUX_ERR msg=audit(1499096366.823:192): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c159,c968 tcontext=system_u:object_r:locale_t:s0 tclass=file perms=entrypoint
----
time->Mon Jul  3 11:39:26 2017
type=SYSCALL msg=audit(1499096366.873:193): arch=c000003e syscall=2 success=yes exit=3 a0=1ba3560 a1=0 a2=1b6 a3=24 items=0 ppid=14940 pid=14954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="oscapd-evaluate" exe="/usr/bin/python2.7" subj=system_u:system_r:svirt_lxc_net_t:s0:c159,c968 key=(null)
type=SELINUX_ERR msg=audit(1499096366.873:193): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c159,c968 tcontext=system_u:object_r:etc_t:s0 tclass=file perms=entrypoint


Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Version-Release number of selected component (if applicable):
container-selinux-2.19-2.1.el7.noarch
(regression, as previous version container-selinux-2.12-2.gite7096ce.el7.noarch does not report anything)

How reproducible:
Reliably

Steps to Reproduce:
1. atomic scan --scan_type cve rhel7

Actual results:
AVCs are reported

Expected results:
No AVCs

Additional info:
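The records above are not ordinary AVC denials: every SELINUX_ERR line carries op=security_compute_av reason=bounds, which the kernel logs when the loaded policy grants a typebounds-bounded domain (here svirt_lxc_net_t) a permission its bounding type does not have. The kernel strips that permission and logs the record, so the syscall itself still reports success=yes; the noise is a policy regression, which is why a newer container-selinux build fixes it. The script below is an editor-added triage helper, not part of the original report or of openscap-docker/container-selinux. It parses raw audit records (the kind `ausearch -m SELINUX_ERR` prints), joins each SELINUX_ERR to the SYSCALL record with the same serial to recover the calling process, and groups the bounds violations by source domain, target type, class and permission. The sample input is copied from the records in the description above; the function and variable names are this example's own.

```python
import re

# Audit records copied from the bug description above: one USER_AVC policyload
# notice and the four SYSCALL/SELINUX_ERR pairs. Not independently constructed.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1499096281.893:57): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1499096340.605:152): arch=c000003e syscall=2 success=yes exit=3 a0=7fdfcf9972e0 a1=80000 a2=10000 a3=7ffd2a3180b0 items=0 ppid=13520 pid=13536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:svirt_lxc_net_t:s0:c14,c293 key=(null)
type=SELINUX_ERR msg=audit(1499096340.605:152): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c14,c293 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
type=SYSCALL msg=audit(1499096338.506:143): arch=c000003e syscall=2 success=yes exit=3 a0=7f320c6782e0 a1=80000 a2=10000 a3=7ffe8d03b470 items=0 ppid=13323 pid=13338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpm" exe="/usr/bin/rpm" subj=system_u:system_r:svirt_lxc_net_t:s0:c640,c917 key=(null)
type=SELINUX_ERR msg=audit(1499096338.506:143): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c640,c917 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
type=SYSCALL msg=audit(1499096366.823:192): arch=c000003e syscall=2 success=yes exit=8 a0=7f035f530537 a1=80000 a2=1b6 a3=24 items=0 ppid=14940 pid=14954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="oscapd-evaluate" exe="/usr/bin/python2.7" subj=system_u:system_r:svirt_lxc_net_t:s0:c159,c968 key=(null)
type=SELINUX_ERR msg=audit(1499096366.823:192): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c159,c968 tcontext=system_u:object_r:locale_t:s0 tclass=file perms=entrypoint
type=SYSCALL msg=audit(1499096366.873:193): arch=c000003e syscall=2 success=yes exit=3 a0=1ba3560 a1=0 a2=1b6 a3=24 items=0 ppid=14940 pid=14954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="oscapd-evaluate" exe="/usr/bin/python2.7" subj=system_u:system_r:svirt_lxc_net_t:s0:c159,c968 key=(null)
type=SELINUX_ERR msg=audit(1499096366.873:193): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c159,c968 tcontext=system_u:object_r:etc_t:s0 tclass=file perms=entrypoint
"""

# "type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value ...>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be double-quoted (comm="rpm") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (record_type, serial, fields) for every audit record line in text.
    Non-record lines (ausearch separators, time-> headers) are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
        yield m.group('type'), int(m.group('serial')), fields


def context_type(ctx):
    """Return the type component of a context string, dropping user, role,
    sensitivity and the per-container MCS categories (c14,c293 etc.)."""
    return ctx.split(':')[2]


def summarize_bounds_errors(text):
    """Group SELINUX_ERR reason=bounds records by
    (source domain, target type, tclass, perms). The SYSCALL record sharing the
    same audit serial supplies comm, so each group also lists the binaries that
    triggered it."""
    syscalls = {}
    errors = []
    for rtype, serial, f in parse_records(text):
        if rtype == 'SYSCALL':
            syscalls[serial] = f
        elif rtype == 'SELINUX_ERR' and f.get('reason') == 'bounds':
            errors.append((serial, f))

    summary = {}
    for serial, f in errors:
        key = (context_type(f['scontext']), context_type(f['tcontext']),
               f['tclass'], f['perms'])
        entry = summary.setdefault(key, {'count': 0, 'comms': set()})
        entry['count'] += 1
        comm = syscalls.get(serial, {}).get('comm')
        if comm:
            entry['comms'].add(comm)
    return summary


if __name__ == '__main__':
    for (sdom, ttype, tclass, perms), e in sorted(summarize_bounds_errors(SAMPLE_AUDIT).items()):
        print(f"{sdom} -> {ttype} ({tclass}:{perms}): {e['count']} record(s), comm={sorted(e['comms'])}")
```

On a live host, feed the script `ausearch -m SELINUX_ERR -i` output without `-i` (interpreted output rewrites the fields) or read /var/log/audit/audit.log directly; a non-empty summary after a policy update, with the same bounded domain across all groups, points at the policy package rather than at the scanned container.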
Comment 2 Daniel Walsh 2017-07-17 12:30:12 EDT
Lokesh, the latest container-selinux for RHEL-1.12 should fix these.
Comment 3 Lokesh Mandvekar 2017-07-17 14:48:43 EDT
Dan, so there hasn't been any new errata for 7.4.0 yet, so what's going into 7.4.0 so far is still container-selinux-2.19-2.1, which was shipped with 7.3.6 extras. There have been 2 new builds in brew after that for 2.20, but those are not in errata yet.
Comment 4 Daniel Walsh 2017-07-17 14:56:27 EDT
Well, we need them out ASAP. Not a blocker, but we definitely need it in the 7.4.1 release if not sooner.
Comment 5 Lokesh Mandvekar 2017-07-17 15:09:10 EDT
OK, and the same goes for Bug 1464455, right?
