Bug 1469661 - allow svirt_lxc_net_t container_share_t:file execmod
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Lokesh Mandvekar
Keywords: Extras
Depends On:
Blocks: 1473538
Reported: 2017-07-11 11:13 EDT by CAI Qian
Modified: 2017-08-01 20:23 EDT (History)
CC: 8 users

See Also:
Fixed In Version: container-selinux-2.21-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-08-01 20:23:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description CAI Qian 2017-07-11 11:13:37 EDT
Description of problem:
# docker run -it --rm docker.io/ppc64le/debian dpkg --list
dpkg: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied

# ausearch -m avc
time->Tue Jul 11 09:26:00 2017
type=PROCTITLE msg=audit(1499779560.826:2078): proctitle=64706B67002D2D6C697374
type=SYSCALL msg=audit(1499779560.826:2078): arch=c0000015 syscall=125 success=no exit=-13 a0=5eff0000 a1=50000 a2=5 a3=7fbc0 items=0 ppid=44022 pid=44064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="dpkg" exe="/usr/bin/dpkg" subj=system_u:system_r:svirt_lxc_net_t:s0:c635,c815 key=(null)
type=AVC msg=audit(1499779560.826:2078): avc:  denied  { execmod } for  pid=44064 comm="dpkg" path="/usr/bin/dpkg" dev="dm-0" ino=75708698 scontext=system_u:system_r:svirt_lxc_net_t:s0:c635,c815 tcontext=system_u:object_r:container_share_t:s0 tclass=file

# audit2allow -a
#============= svirt_lxc_net_t ==============

#!!!! The file '/usr/bin/dpkg' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /usr/bin/dpkg
allow svirt_lxc_net_t container_share_t:file execmod;

Version-Release number of selected component (if applicable):

How reproducible:
Comment 2 CAI Qian 2017-07-11 13:05:26 EDT
This is only reproducible on the docker overlay/overlay2 backend. I suspect it could be reproduced on x86_64 as well by using libraries which require execmod, for example running .NET on RHEL 7 with Docker.
Comment 3 CAI Qian 2017-07-11 13:09:32 EDT
We have already fixed this in the non-overlay/overlay2 case.

# sesearch -s svirt_lxc_net_t -t svirt_sandbox_file_t -c file -p execmod -A -C
Found 1 semantic av rules:
   allow svirt_sandbox_domain svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute execute_no_trans execmod open } ;

but in the overlay/overlay2 case, all files are labeled container_share_t.

# ls -ldZ /var/lib/docker/overlay2/
drwx------. root root system_u:object_r:container_share_t:s0 /var/lib/docker/overlay2/
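The thread above shows the mechanism (svirt_sandbox_file_t carries execmod, container_share_t does not, and overlay storage is labeled container_share_t) but not the stopgap an operator would apply while waiting for container-selinux-2.21-1.el7, nor the check that tells you when the stopgap can be removed again (the sesearch/ls -Z verification in Comment 8). The script below is an added example for this page; it is not code from the bug report, from container-selinux or from Red Hat. The AVC record and the sesearch output are copied from the thread; the module name overlay_execmod, the file paths and the helper names are assumptions made here. Two caveats the report does not spell out: the audit2allow "mislabeled" warning is keyed on the path /usr/bin/dpkg as seen inside the container, while the backing file lives under /var/lib/docker/overlay2 and is container_share_t by the labeling shown in the ls -Z output, so running restorecon on /usr/bin/dpkg on the host touches a host path and changes nothing for the container; and execmod lets the domain turn writable mappings executable (text relocations, JIT), so the module hands that to every container domain on every shared image file, which is the same scope the upstream rule in the bug title grants.

```sh
#!/bin/sh
# Added example for bug 1469661; not code from the report or container-selinux.
# Turns one AVC denial into a minimal local policy module and checks whether the
# loaded policy already grants the permission. AVC and sesearch text below are
# from the thread; module name, paths and function names are made up here.

# 1. AVC record -> allow rule (the line audit2allow prints).
#    Permissions are the tokens between "{" and "}"; a context is
#    user:role:type[:range], so the type is the third colon-separated field.
avc_to_rule() {
    printf '%s\n' "$1" | awk '
    {
        inperm = 0; perms = ""; n = 0; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = (n ? perms " " $i : $i); n++; continue }
            if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); s = a[3] }
            if (index($i, "tcontext=") == 1) { split(substr($i, 10), b, ":"); t = b[3] }
            if (index($i, "tclass=") == 1)   { c = substr($i, 8) }
        }
        if (n == 0 || s == "" || t == "" || c == "") exit 1
        if (n == 1) printf "allow %s %s:%s %s;\n", s, t, c, perms
        else        printf "allow %s %s:%s { %s };\n", s, t, c, perms
    }'
}

# 2. allow rule -> loadable .te source. $1 module name, $2 rule, $3 output path.
#    The require block must declare every type, class and permission the rule uses.
write_te_module() {
    src=$(printf '%s\n' "$2" | awk '{ print $2 }')
    tgt=$(printf '%s\n' "$2" | awk '{ split($3, a, ":"); print a[1] }')
    cls=$(printf '%s\n' "$2" | awk '{ split($3, a, ":"); print a[2] }')
    perms=$(printf '%s\n' "$2" | awk '{ $1 = $2 = $3 = ""; gsub(/[{};]/, ""); $1 = $1; print }')
    {
        printf 'module %s 1.0;\n\n' "$1"
        printf 'require {\n    type %s;\n    type %s;\n    class %s { %s };\n}\n\n' \
            "$src" "$tgt" "$cls" "$perms"
        printf '%s\n' "$2"
    } > "$3"
}

# 3. Compile and load the module. Needs root plus checkmodule/semodule_package/
#    semodule from policycoreutils; not run by the tests. Remove it again with
#    `semodule -r overlay_execmod` once container-selinux-2.21-1.el7 is installed.
install_te_module() {
    base=${1%.te}
    checkmodule -M -m -o "$base.mod" "$1" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# 4. Does the loaded policy already grant it? $1 is the text printed by
#    `sesearch -s SRC -t TGT -c CLASS -p PERM -A`, $2 the target type, $3 the
#    permission. Handles both "allow a b : file { ... } ;" (setools 3, RHEL 7)
#    and "allow a b:file { ... };" (setools 4). Returns 0 when a rule matches.
sesearch_grants() {
    printf '%s\n' "$1" | awk -v tgt="$2" -v perm="$3" '
        $1 == "allow" && ($3 == tgt || index($3, tgt ":") == 1) {
            for (i = 4; i <= NF; i++) if ($i == perm) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Inputs copied from the report (the second sesearch line is the rule for the
# non-overlay case; nothing matches container_share_t, which is the bug).
AVC_SAMPLE='type=AVC msg=audit(1499779560.826:2078): avc:  denied  { execmod } for  pid=44064 comm="dpkg" path="/usr/bin/dpkg" dev="dm-0" ino=75708698 scontext=system_u:system_r:svirt_lxc_net_t:s0:c635,c815 tcontext=system_u:object_r:container_share_t:s0 tclass=file'
SESEARCH_SAMPLE='Found 1 semantic av rules:
   allow svirt_sandbox_domain svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute execute_no_trans execmod open } ;'

if [ "${1:-}" = "--demo" ]; then
    rule=$(avc_to_rule "$AVC_SAMPLE")
    echo "rule: $rule"
    write_te_module overlay_execmod "$rule" /tmp/overlay_execmod.te
    cat /tmp/overlay_execmod.te
    # install_te_module /tmp/overlay_execmod.te   # as root, on the affected host
fi
```

Run it with --demo to see the generated module; on a real host, feed avc_to_rule the output of `ausearch -m avc -c dpkg` rather than the embedded sample, and after updating container-selinux run sesearch with -t container_share_t and pass its output to sesearch_grants before removing the local module.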
Comment 4 CAI Qian 2017-07-19 10:25:24 EDT
This is confirmed by developers; it can be reproduced on x86_64 as well.
Comment 5 Daniel Walsh 2017-07-19 13:02:30 EDT
Lokesh, 333854a550c008aa76484db08cfdb67ecfa90bc6 fixes this in git; we need a new build.
Comment 8 Luwen Su 2017-07-24 06:25:41 EDT
The label of overlay is not changed, but the dotnet container works fine on the x86_64 platform.


# docker run docker.io/microsoft/dotnet /usr/share/dotnet/dotnet --help
.NET Command Line Tools (1.0.4)
Usage: dotnet [host-options] [command] [arguments] [common-options]

  [command]             The command to execute
  [arguments]           Arguments to pass to the command
  [host-options]        Options specific to dotnet (host)
  [common-options]      Options common to all commands

Common options:
  -v|--verbose          Enable verbose output
  -h|--help             Show help 

Host options (passed before the command):
  -d|--diagnostics      Enable diagnostic output
  --version             Display .NET CLI Version Number
  --info                Display .NET CLI Info

  new           Initialize .NET projects.
  restore       Restore dependencies specified in the .NET project.
  build         Builds a .NET project.
  publish       Publishes a .NET project for deployment (including the runtime).
  run           Compiles and immediately executes a .NET project.
  test          Runs unit tests using the test runner specified in the project.
  pack          Creates a NuGet package.
  migrate       Migrates a project.json based project to a msbuild based project.
  clean         Clean build output(s).
  sln           Modify solution (SLN) files.

Project modification commands:
  add           Add items to the project
  remove        Remove items from the project
  list          List items in the project

Advanced Commands:
  nuget         Provides additional NuGet commands.
  msbuild       Runs Microsoft Build Engine (MSBuild).
  vstest        Runs Microsoft Test Execution Command Line Tool.

# sesearch -s svirt_lxc_net_t -t svirt_sandbox_file_t -c file -p execmod -A -C
Found 1 semantic av rules:
   allow svirt_sandbox_domain svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute execute_no_trans execmod open } ; 

# ls -aZ /var/lib/docker/overlay
drwx------. root root system_u:object_r:container_share_t:s0 .
drwx--x--x. root root system_u:object_r:container_var_lib_t:s0 ..
drwx------. root root system_u:object_r:container_share_t:s0 0e528a331a1cac764a93572682312dc2cd22df1fad57f802b260ad01b3fc582f
drwx------. root root system_u:object_r:container_share_t:s0 3dff686e7781ab75a05611ef4ab365922e8123859e31dc8ae32037c26a42436a
Comment 10 errata-xmlrpc 2017-08-01 20:23:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

