Bug 1500287 - Running /usr/sbin/ntpd -u ntp:ntp in container produces AVC denial
Summary: Running /usr/sbin/ntpd -u ntp:ntp in container produces AVC denial
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: ntp
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1520447
Reported: 2017-10-10 10:45 UTC by Jan Pazdziora (Red Hat)
Modified: 2017-12-04 13:51 UTC (History)

Fixed In Version:
Clone Of:
: 1520447 (view as bug list)
Environment:
Last Closed: 2017-10-10 15:40:40 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora (Red Hat) 2017-10-10 10:45:27 UTC
Description of problem:

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1457312.

Running /usr/sbin/ntpd -u ntp:ntp in container produces AVC denial.

Version-Release number of selected component (if applicable):

container-selinux-2.24-1.fc26.noarch
docker-1.13.1-22.gitb5e3294.fc26.x86_64
selinux-policy-3.13.1-260.10.fc26.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run --rm -ti ntpd bash
2. In the container, run /usr/sbin/ntpd -u ntp:ntp
3. Check audit.log for AVC denials.

Actual results:

type=AVC msg=audit(1507632134.832:3173): avc:  denied  { module_request } for  pid=25312 comm="ntpd" kmod="net-pf-0" scontext=system_u:system_r:container_t:s0:c40,c45 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Expected results:

No AVC denials.

Additional info:

Note that for some reason, running the ntpd directly as parameter to docker run does not produce the AVC denial.

Comment 1 Daniel Walsh 2017-10-10 12:32:16 UTC
We are not allowing containers to request loading of kernel modules. If a kernel module needs to be loaded, then it needs to be done via the Administrator or by the packager.

I wrote about this here.

https://danwalsh.livejournal.com/77415.html

I think this is loading a kernel module to use ipv6.

The problem is a user could request the loading of any ancient network protocol which could have a vulnerability, and we don't want to allow this by default.

Comment 2 Jan Pazdziora (Red Hat) 2017-10-10 13:19:05 UTC
Thanks. Could we have a boolean to be able to silence the denials? We have domain_kernel_load_modules to (I assume) allow them to pass but maybe we can silence them?

Anyway, reopening and moving to ntp component. What does ntpd need net-pf-0 for? Based on https://medium.com/cri-o/cri-o-has-builtin-selinux-support-6ff45b707cf0, it's AF_UNSPEC -- could it be avoided altogether?

Comment 3 Miroslav Lichvar 2017-10-10 15:40:40 UTC
This seems to be a bug in ntpd. It calls socket() on a sockaddr which was zeroed with memset().

Upstream bug report: http://bugs.ntp.org/show_bug.cgi?id=3437
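Added example, not ntpd's code and not taken from the upstream bug: a small C program that shows the defect pattern comment 3 describes (a sockaddr cleared with memset() carries sa_family == 0, i.e. AF_UNSPEC, which the kernel names "net-pf-0") next to a guard that refuses it before socket() is reached. The function names open_socket_for_addr, unguarded_socket_for_addr, family_of_zeroed_sockaddr and the *_zeroed_result helpers are hypothetical. It assumes Linux, where socket() with AF_UNSPEC makes the kernel try to autoload the net-pf-0 module (the module_request in the AVC above) and then fails with EAFNOSUPPORT.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical helper, not ntpd's code: open a UDP socket for the address
 * family carried in the sockaddr. A sockaddr cleared with memset() carries
 * sa_family == 0 == AF_UNSPEC ("net-pf-0" to the kernel); refuse it here
 * instead of forwarding it to socket(). */
int open_socket_for_addr(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_UNSPEC) {
        errno = EAFNOSUPPORT;
        return -1;
    }
    return socket(sa->sa_family, SOCK_DGRAM, 0);
}

/* The pattern the comment describes: whatever family the sockaddr carries
 * goes straight into socket(). With a zeroed sockaddr that is AF_UNSPEC, so
 * the kernel attempts to autoload "net-pf-0" (the module_request seen in
 * the AVC) and then fails with EAFNOSUPPORT. */
int unguarded_socket_for_addr(const struct sockaddr *sa)
{
    return socket(sa->sa_family, SOCK_DGRAM, 0);
}

/* Family a memset()-zeroed sockaddr_storage actually carries. */
int family_of_zeroed_sockaddr(void)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    return ((const struct sockaddr *)&ss)->sa_family;
}

/* Run one opener on a zeroed sockaddr; return 0 on success (the socket is
 * closed again) or the errno the opener left behind. */
static int try_zeroed(int (*opener)(const struct sockaddr *))
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    int fd = opener((const struct sockaddr *)&ss);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

int guarded_zeroed_result(void)   { return try_zeroed(open_socket_for_addr); }
int unguarded_zeroed_result(void) { return try_zeroed(unguarded_socket_for_addr); }

int main(void)
{
    printf("zeroed sockaddr family: %d (AF_UNSPEC is %d)\n",
           family_of_zeroed_sockaddr(), AF_UNSPEC);
    printf("guarded:   errno %d (%s)\n", guarded_zeroed_result(),
           strerror(guarded_zeroed_result()));
    printf("unguarded: errno %d (%s)\n", unguarded_zeroed_result(),
           strerror(unguarded_zeroed_result()));

    /* Sanity check with a real family: the guard only rejects AF_UNSPEC. */
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    int fd = open_socket_for_addr((const struct sockaddr *)&sin);
    printf("AF_INET: %s\n", fd >= 0 ? "socket opened" : strerror(errno));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The guarded path fails with the same errno the kernel would eventually return, but without ever entering socket(), so no module autoload is requested and no module_request AVC is logged in a confined container; the unguarded path shows why the denial appears even though the call fails either way.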

Comment 4 Jan Pazdziora (Red Hat) 2017-10-11 06:40:47 UTC
Awesome. Miroslav, thanks a bunch for the quick turnaround.

Comment 5 Jan Pazdziora (Red Hat) 2017-10-11 07:01:40 UTC
Um, to close the loop here, the ntpd container image used in comment 0 was built from Dockerfile

FROM fedora:26
RUN dnf install -y ntp

