Bug 1477138 - SELinux prevents systemd from running properly in a container
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 26
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assigned To: Tom Sweeney
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-01 06:15 EDT by Matus Marhefka
Modified: 2017-12-21 06:07 EST
Last Closed: 2017-12-21 06:07:45 EST
Type: Bug

Description Matus Marhefka 2017-08-01 06:15:20 EDT
Description of problem:
SELinux prevents systemd from running properly in a container when the host is running with SELinux in enforcing mode.


Version-Release number of selected component (if applicable):
container-selinux-2.21-1.fc26.noarch
selinux-policy-3.13.1-260.3.fc26.noarch
selinux-policy-targeted-3.13.1-260.3.fc26.noarch
docker-common-1.13.1-19.git27e468e.fc26.x86_64
docker-1.13.1-19.git27e468e.fc26.x86_64
oci-systemd-hook-0.1.11-1.git1ac958a.fc26.x86_64
oci-register-machine-0-3.10.gitcbf1b8f.fc26.x86_64


How reproducible:
always


Steps to Reproduce:
# cat Dockerfile 
FROM fedora:26
STOPSIGNAL SIGRTMIN+3
ENV container=docker
CMD [ "/sbin/init" ]

# docker build -t systemd .
# cont=$(docker run -dt systemd)
# docker exec -it $cont systemctl status
Failed to connect to bus: No such file or directory

# getenforce
Enforcing
# ausearch -m avc -ts today | grep -i "type=avc" | grep '\"systemd\"'
type=AVC msg=audit(1501578837.670:20375): avc:  denied  { write } for  pid=2231 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c240,c382 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501578837.670:20376): avc:  denied  { write } for  pid=2231 comm="systemd" name="docker-d6699348b51cd157591eef57b8fc194646f876f17a24366820c56401f4633710.scope" dev="cgroup" ino=406 scontext=system_u:system_r:container_t:s0:c240,c382 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0

There are also AVCs for systemd-journal:
# ausearch -m avc -ts today | grep -i "type=avc" | grep '\"systemd-journal\"'
...
type=AVC msg=audit(1501581783.907:46682): avc:  denied  { create } for  pid=429 comm="systemd-journal" name="7cc549d8ba134b3697e9682db1ca87d7" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=dir permissive=0
...

With SELinux in permissive mode:
# setenforce 0
# cont=$(docker run -dt systemd)
# docker exec -it $cont systemctl status
● 9055fae39e63
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Tue 2017-08-01 10:05:14 UTC; 59s ago
   CGroup: /system.slice/docker-9055fae39e63d80df16c35f729cce53a5d7d5af31ee9f426645748ff6c7e8834.scope
           ├─35 systemctl status
           ├─39 systemctl status
           ├─init.scope
           │ └─1 /sbin/init
           └─system.slice
             ├─dbus.service
             │ └─32 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
             └─systemd-journald.service
               └─18 /usr/lib/systemd/systemd-journald



Actual results:
systemd is prevented from running in a container with SELinux in enforcing mode.

Expected results:
systemd is running properly in a container with SELinux in enforcing mode.
Comment 1 Daniel Walsh 2017-08-01 08:33:13 EDT
Tom, this looks like the journal is being stored with the label container_log_t, not a container-specific log type (container_file_t).
Comment 2 Daniel Walsh 2017-08-01 08:34:14 EDT
Antonio, did your patches to the kernel make it in, so that containers are able to set labels on cgroupfs_t?
Comment 3 Daniel Walsh 2017-08-01 08:34:57 EDT
Lukas, is policy in F26 allowing labels on cgroupfs?
Comment 4 Lukas Vrabec 2017-09-27 06:09:12 EDT
Dan, 

We support it in Rawhide only for now.
Comment 5 Matus Marhefka 2017-10-30 08:00:23 EDT
Tom, can we expect this to be fixed in F26?
Comment 7 Tom Sweeney 2017-10-30 15:19:54 EDT
Matus, I'm not sure if Antonio's patches made it into F26.  Dan do you know?
Comment 8 Daniel Walsh 2017-10-30 15:42:05 EDT
We don't have fixes in F26 yet for this. But turning on the containers_manage_cgroup boolean should be enough.
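Added example, not part of the bug report and not code from container-selinux: a small triage script that ties the ausearch output in the description to the workaround in Comment 8. It reads AVC records in the form ausearch -m avc prints them (the three records below are copied from the report), pulls the source and target SELinux types out of each one, and separates the denials the cgroup boolean covers (container_t writing cgroup_t, the systemd denials) from the journal labelling problem Comment 1 points at (syslogd_t creating a directory under container_log_t), which a cgroup boolean does not address. Assumptions: POSIX sh with awk and cut; the function and variable names are mine; the boolean is printed as container_manage_cgroup, which is the spelling in the shipped container-selinux policy (Comment 8 writes containers_manage_cgroup), so confirm the name with getsebool -a on the host before setting anything.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or from container-selinux).
# Parses AVC records as ausearch prints them, extracts the SELinux types, and
# maps each denial to the remediation discussed in the thread.
# Assumes only POSIX sh, awk and cut; it never touches docker or the policy.

# Sample input: the three records copied from the report above.
SAMPLE_AVCS='type=AVC msg=audit(1501578837.670:20375): avc:  denied  { write } for  pid=2231 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c240,c382 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501578837.670:20376): avc:  denied  { write } for  pid=2231 comm="systemd" name="docker-d6699348b51cd157591eef57b8fc194646f876f17a24366820c56401f4633710.scope" dev="cgroup" ino=406 scontext=system_u:system_r:container_t:s0:c240,c382 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1501581783.907:46682): avc:  denied  { create } for  pid=429 comm="systemd-journal" name="7cc549d8ba134b3697e9682db1ca87d7" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=dir permissive=0'

# avc_field NAME RECORD: value of the NAME=value token, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$2" | awk -v key="$1" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_perms RECORD: the permission list between "{" and "}", space separated.
avc_perms() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "{") {
            p = ""
            for (j = i + 1; j <= NF && $j != "}"; j++) p = p (p == "" ? "" : " ") $j
            print p
            exit
        }
    }'
}

# ctx_type CONTEXT: the type is the third field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# classify_avc RECORD: which of the two failure modes from the report this is.
classify_avc() {
    src=$(ctx_type "$(avc_field scontext "$1")")
    tgt=$(ctx_type "$(avc_field tcontext "$1")")
    case "$src:$tgt" in
        container_t:cgroup_t)      echo cgroup ;;         # systemd in the container writing cgroupfs
        syslogd_t:container_log_t) echo journal-label ;;  # journald hitting a container_log_t directory
        *)                         echo other ;;
    esac
}

# triage: read AVC records on stdin, print counts and the matching remediation.
triage() {
    cg=0; jl=0; other=0
    while IFS= read -r rec; do
        case "$rec" in *type=AVC*) ;; *) continue ;; esac
        case "$(classify_avc "$rec")" in
            cgroup)        cg=$((cg + 1)) ;;
            journal-label) jl=$((jl + 1)) ;;
            *)             other=$((other + 1)) ;;
        esac
    done
    echo "cgroup=$cg journal-label=$jl other=$other"
    if [ "$cg" -gt 0 ]; then
        # Comment 8's workaround; the boolean is container_manage_cgroup in the
        # shipped policy, so check the name on the host before setting it.
        echo "cgroup: getsebool -a | grep manage_cgroup; setsebool -P container_manage_cgroup on"
    fi
    if [ "$jl" -gt 0 ]; then
        # Comment 1: a labelling problem, not covered by the cgroup boolean.
        echo "journal-label: journal directory needs container_file_t, not container_log_t"
    fi
}

printf '%s\n' "$SAMPLE_AVCS" | triage
```

On a live host, source the file and feed it the same pipeline the report used: ausearch -m avc -ts today | grep type=AVC | triage. The classification keys on the type pair only, so an AVC with permissive=1 (policy already in permissive mode) is counted the same way; filter on that field first if you only want enforced denials.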