Bug 1469716 - 7.4 rc: avc deny running .Net in docker
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.4
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Lokesh Mandvekar
Reported: 2017-07-11 13:27 EDT by CAI Qian
Modified: 2017-08-01 20:23 EDT
Last Closed: 2017-08-01 20:23:00 EDT
Type: Bug
Description CAI Qian 2017-07-11 13:27:02 EDT
Description of problem:
# docker run docker.io/microsoft/dotnet /usr/share/dotnet/dotnet --help

# ausearch -m avc
time->Tue Jul 11 13:23:28 2017
type=PROCTITLE msg=audit(1499793808.896:374): proctitle=2F7573722F73686172652F646F746E65742F646F746E6574002D2D68656C70
type=SYSCALL msg=audit(1499793808.896:374): arch=c000003e syscall=124 success=no exit=-13 a0=1 a1=4 a2=1 a3=7fffde512100 items=0 ppid=19326 pid=19343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dotnet" exe="/usr/share/dotnet/dotnet" subj=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 key=(null)
type=AVC msg=audit(1499793808.896:374): avc:  denied  { getsession } for  pid=19343 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tclass=process

# audit2allow -a
allow svirt_lxc_net_t self:process getsession;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
container-selinux-2.19-2.1.el7.noarch
docker-1.12.6-40.1.gitf55a118.el7.x86_64

How reproducible:
always
Comment 2 CAI Qian 2017-07-11 13:57:43 EDT
Looks like this one has been taken care of in upstream already.

https://github.com/projectatomic/container-selinux/commit/c5fd77fc2496e04c2722d23860842b58a72d0178
Comment 3 CAI Qian 2017-07-11 14:09:53 EDT
Same avc deny running our software collection images.

# docker run registry.access.redhat.com/dotnet/dotnetcore-10-rhel7 dotnet --help

[   75.265024] type=1400 audit(1499796422.188:7): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process
[   75.269935] type=1401 audit(1499796422.193:8): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
[   75.286475] type=1400 audit(1499796422.210:9): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process
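As an added example (not part of the bug report), a small Python triage helper that parses both denial formats seen in this report, the ausearch `type=AVC` record from the description and the kernel-log `type=1400` lines in comment 3, skips the `type=1401` bounds notice (which is not a denial), and derives the `allow` rule that audit2allow prints, so a `svirt_lxc_net_t self:process getsession` denial can be recognised as the issue container-selinux 2.20+ addresses. The sample log lines are constructed from the records quoted in this bug.

```python
import re

# Constructed sample modelled on the records in this bug report: one ausearch
# AVC record, one kernel type=1401 bounds notice (not a denial, must be skipped)
# and one kernel type=1400 denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1499793808.896:374): avc:  denied  { getsession } for  pid=19343 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tclass=process
[   75.269935] type=1401 audit(1499796422.193:8): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
[   75.286475] type=1400 audit(1499796422.210:9): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process
"""

# Matches the common part of an AVC denial regardless of the ausearch or
# kernel-log prefix: the permission set, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Return one dict per AVC denial found; non-denial records are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # e.g. the type=1401 security_compute_av bounds notice
        denials.append({
            "perms": tuple(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials):
    """Derive the rule audit2allow would print, deduplicated and sorted.
    When source and target types match, the target is written as 'self'."""
    rules = set()
    for d in denials:
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]
        for perm in d["perms"]:
            rules.add(f"allow {d['stype']} {target}:{d['tclass']} {perm};")
    return sorted(rules)
```

Feed it the output of `ausearch -m avc` or the relevant dmesg lines; the MCS categories differ per container, so comparing on the type field is what collapses the two denials into the single rule shown in the report.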
Comment 4 Daniel Walsh 2017-07-11 14:33:22 EDT
Yes, this should be fixed in container-selinux-2.20 release or later.
Comment 6 Luwen Su 2017-07-24 05:59:08 EDT
Looks fine in 

# rpm -q docker container-selinux
docker-1.12.6-48.git0fdc778.el7.x86_64
container-selinux-2.21-1.el7.noarch


# docker run registry.access.redhat.com/dotnet/dotnetcore-10-rhel7 dotnet --help
.NET Command Line Tools (1.0.0-preview2-003159)
Usage: dotnet [host-options] [command] [arguments] [common-options]

Arguments:
  [command]             The command to execute
  [arguments]           Arguments to pass to the command
  [host-options]        Options specific to dotnet (host)
  [common-options]      Options common to all commands

Common options:
  -v|--verbose          Enable verbose output
  -h|--help             Show help 

Host options (passed before the command):
  -v|--verbose          Enable verbose output
  --version             Display .NET CLI Version Number
  --info                Display .NET CLI Info

Common Commands:
  new           Initialize a basic .NET project
  restore       Restore dependencies specified in the .NET project
  build         Builds a .NET project
  publish       Publishes a .NET project for deployment (including the runtime)
  run           Compiles and immediately executes a .NET project
  test          Runs unit tests using the test runner specified in the project
  pack          Creates a NuGet package
Comment 8 errata-xmlrpc 2017-08-01 20:23:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2372
