Bug 1469716 - 7.4 rc: avc deny running .Net in docker
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-11 17:27 UTC by Qian Cai
Modified: 2017-08-02 00:23 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-02 00:23:00 UTC
Target Upstream Version:
Embargoed:
Links
System: Red Hat Product Errata
ID: RHBA-2017:2372
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: container-selinux bug fix update
Last Updated: 2017-08-08 22:54:57 UTC

Description Qian Cai 2017-07-11 17:27:02 UTC
Description of problem:
# docker run docker.io/microsoft/dotnet /usr/share/dotnet/dotnet --help

# ausearch -m avc
time->Tue Jul 11 13:23:28 2017
type=PROCTITLE msg=audit(1499793808.896:374): proctitle=2F7573722F73686172652F646F746E65742F646F746E6574002D2D68656C70
type=SYSCALL msg=audit(1499793808.896:374): arch=c000003e syscall=124 success=no exit=-13 a0=1 a1=4 a2=1 a3=7fffde512100 items=0 ppid=19326 pid=19343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dotnet" exe="/usr/share/dotnet/dotnet" subj=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 key=(null)
type=AVC msg=audit(1499793808.896:374): avc:  denied  { getsession } for  pid=19343 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tclass=process

# audit2allow -a
allow svirt_lxc_net_t self:process getsession;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
container-selinux-2.19-2.1.el7.noarch
docker-1.12.6-40.1.gitf55a118.el7.x86_64

How reproducible:
always

Comment 2 Qian Cai 2017-07-11 17:57:43 UTC
Looks like this one has been taken care of in upstream already.

https://github.com/projectatomic/container-selinux/commit/c5fd77fc2496e04c2722d23860842b58a72d0178

Comment 3 Qian Cai 2017-07-11 18:09:53 UTC
Same avc deny running our software collection images.

# docker run registry.access.redhat.com/dotnet/dotnetcore-10-rhel7 dotnet --help

[   75.265024] type=1400 audit(1499796422.188:7): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process
[   75.269935] type=1401 audit(1499796422.193:8): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
[   75.286475] type=1400 audit(1499796422.210:9): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process
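The denials quoted in the description and in comment 3 appear in two different formats (the ausearch `type=AVC` record and the kernel-log `type=1400` line), and the `audit2allow -a` output in the description collapses them to a single rule with `self` as the target because source and target types are identical. The following is an added example, not code from the bug or from container-selinux: it parses the records copied above, ignores the `type=1401` bounds record that is not an AVC denial, and derives the same `allow svirt_lxc_net_t self:process getsession;` rule that audit2allow printed, so a reviewer can triage a container's denials before deciding whether a policy update (here container-selinux 2.20+) or a local module is the right response.

```python
import re

# Records copied from this bug: one from `ausearch -m avc`, two from the
# kernel log in comment 3. The middle one is a 'bounds' computation, not a
# denial, and must be skipped.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1499793808.896:374): avc:  denied  { getsession } for  pid=19343 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c696,c974 tclass=process',
    '[   75.269935] type=1401 audit(1499796422.193:8): op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint',
    '[   75.286475] type=1400 audit(1499796422.210:9): avc:  denied  { getsession } for  pid=11564 comm="dotnet" scontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c787,c837 tclass=process',
]

# Matches both the ausearch and the dmesg form: the 'avc: denied { perms }'
# marker followed by the source/target contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def type_of(context):
    """user:role:type:level -> the type component (third field)."""
    return context.split(":")[2]


def allow_rule(denial):
    """Build the audit2allow-style rule for one parsed denial.

    audit2allow writes 'self' when source and target types are the same
    type, which is why this bug's rule targets self:process.
    """
    stype, ttype = type_of(denial["scontext"]), type_of(denial["tcontext"])
    target = "self" if stype == ttype else ttype
    perms = sorted(set(denial["perms"]))
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (stype, target, denial["tclass"], perm_str)


def rules_for(lines):
    """Deduplicated, sorted rules for every AVC denial found in the log lines."""
    return sorted({allow_rule(d) for d in map(parse_avc, lines) if d})


if __name__ == "__main__":
    for rule in rules_for(SAMPLE_RECORDS):
        print(rule)
```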

Comment 4 Daniel Walsh 2017-07-11 18:33:22 UTC
Yes, this should be fixed in the container-selinux-2.20 release or later.

Comment 6 Luwen Su 2017-07-24 09:59:08 UTC
Looks fine in

# rpm -q docker container-selinux
docker-1.12.6-48.git0fdc778.el7.x86_64
container-selinux-2.21-1.el7.noarch


# docker run registry.access.redhat.com/dotnet/dotnetcore-10-rhel7 dotnet --help
.NET Command Line Tools (1.0.0-preview2-003159)
Usage: dotnet [host-options] [command] [arguments] [common-options]

Arguments:
  [command]             The command to execute
  [arguments]           Arguments to pass to the command
  [host-options]        Options specific to dotnet (host)
  [common-options]      Options common to all commands

Common options:
  -v|--verbose          Enable verbose output
  -h|--help             Show help 

Host options (passed before the command):
  -v|--verbose          Enable verbose output
  --version             Display .NET CLI Version Number
  --info                Display .NET CLI Info

Common Commands:
  new           Initialize a basic .NET project
  restore       Restore dependencies specified in the .NET project
  build         Builds a .NET project
  publish       Publishes a .NET project for deployment (including the runtime)
  run           Compiles and immediately executes a .NET project
  test          Runs unit tests using the test runner specified in the project
  pack          Creates a NuGet package

Comment 8 errata-xmlrpc 2017-08-02 00:23:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2372

