Bug 1540634 - SELinux is preventing moc from 'map' accesses on the fifo_file fifo_file.
Summary: SELinux is preventing moc from 'map' accesses on the fifo_file fifo_file.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 27
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1299083d7cad9784a4d32e5133b...
Depends On:
Blocks:
 
Reported: 2018-01-31 15:04 UTC by Laurent Rineau
Modified: 2018-02-20 17:16 UTC (History)

Fixed In Version: container-selinux-2.48-1.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-20 17:16:34 UTC
Type: ---
Embargoed:



Description Laurent Rineau 2018-01-31 15:04:36 UTC
Description of problem:
(I copy-paste here a message I sent to selinux.org on Fri, 19 Jan 2018 17:19:16 +0100.)

In an automated test process, I have a docker container based on 
Fedora Rawhide, with Docker running on F27. That container runs a compilation 
process involving Qt 5.10 (from rawhide).

That compilation fails, and I have the following AVC:

type=AVC msg=audit(1516334348.971:1059): avc:  denied  { map } for  pid=4046 
comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646 
scontext=system_u:system_r:container_t:s0:c273,c916 
tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file 
permissive=0

When Rawhide had Qt 5.9.3, it was working (no AVC, and successful compilation 
test).

What do you suggest? The tool audit2allow says that I would need that module:

    module qt5.10 1.0;
    
    require {
            type container_runtime_t;
            type container_t;
            class fifo_file map;
    }
    
    #============= container_t ==============
    allow container_t container_runtime_t:fifo_file map;


Is that permission dangerous? Why is it not in the policy?

Actually, I have no idea what mapping a fifo file means. From what I know it 
makes no sense.
SELinux is preventing moc from 'map' accesses on the fifo_file fifo_file.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that moc should be allowed map access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'moc' --raw | audit2allow -M my-moc
# semodule -X 300 -i my-moc.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c730,c988
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        moc
Source Path                   moc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.14.13-300.fc27.x86_64 #1 SMP Thu
                              Jan 11 04:00:01 UTC 2018 x86_64 x86_64
Alert Count                   8
First Seen                    2018-01-24 21:11:24 CET
Last Seen                     2018-01-24 21:11:36 CET
Local ID                      e242d0bf-a031-416b-b190-5c2dfb7c163b

Raw Audit Messages
type=AVC msg=audit(1516824696.449:1146): avc:  denied  { map } for  pid=43900 comm="moc" path="pipe:[4612204]" dev="pipefs" ino=4612204 scontext=system_u:system_r:container_t:s0:c730,c988 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0


Hash: moc,container_t,container_runtime_t,fifo_file,map


Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport

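One way to triage denials like the one above in an audit log, as an added example that is not part of the bug report or of any Fedora tool: it parses raw AVC records in the format quoted in the report, renders the allow rule in the form audit2allow prints, and separates the denial this bug tracks (later allowed by distribution policy in container-selinux-2.48) from denials that still deserve a look before anyone writes a local module for them. The sample records and the KNOWN_POLICY_GAPS table are constructed for the demo.

```python
import re

# Constructed sample audit records (not taken from the reporter's host); the field
# layout follows the raw AVC message format shown in the report above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1516334348.971:1059): avc:  denied  { map } for  pid=4046 comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646 scontext=system_u:system_r:container_t:s0:c273,c916 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1516334350.101:1060): avc:  denied  { read open } for  pid=4050 comm="cat" path="/etc/shadow" dev="dm-0" ino=123 scontext=system_u:system_r:container_t:s0:c273,c916 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1516334348.971:1059): arch=c000003e syscall=9 success=no exit=-13
"""

AVC_RE = re.compile(
    r'^type=AVC .*avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the AVC fields of one audit line, or None for non-AVC records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type:range; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rule(rec):
    """Render the denial as an allow rule in the form audit2allow prints."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perm_str)

# (source type, target type, class, permission) tuples that distribution policy
# later allowed. Constructed for the demo: the entry is the rule from this bug.
KNOWN_POLICY_GAPS = {("container_t", "container_runtime_t", "fifo_file", "map")}

def triage(audit_text):
    """Split denials into 'policy_gap' (every permission matches a known fixed
    rule) and 'review' (anything else, which should not be blanket-allowed)."""
    out = {"policy_gap": [], "review": []}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        known = all((rec["stype"], rec["ttype"], rec["tclass"], p) in KNOWN_POLICY_GAPS
                    for p in rec["perms"])
        out["policy_gap" if known else "review"].append(allow_rule(rec))
    return out
```

Feed it the output of `ausearch -m AVC --raw` instead of SAMPLE_AUDIT to run it against a real log; the "review" bucket is the list to examine before running audit2allow.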
Comment 1 Milos Malik 2018-02-01 07:40:18 UTC
The map permission is a new permission recognized by the kernel and the policy. We are still in the process of identifying which domains need that permission when accessing various objects on the filesystem.

More info can be found at:
 * https://patchwork.kernel.org/patch/9713531/

Could you tell us which policy version is installed on your machine?

Comment 2 Milos Malik 2018-02-01 07:41:34 UTC
# rpm -qa selinux-policy\* container\* | sort

Comment 3 Laurent Rineau 2018-02-01 08:52:43 UTC
Thanks Milos for the link. Here is the list of packages on the machine:

    container-selinux-2.42-1.fc27.noarch
    container-storage-setup-0.8.0-2.git1d27ecf.fc27.noarch
    selinux-policy-3.13.1-283.21.fc27.noarch
    selinux-policy-devel-3.13.1-283.21.fc27.noarch
    selinux-policy-doc-3.13.1-283.21.fc27.noarch
    selinux-policy-sandbox-3.13.1-283.21.fc27.noarch
    selinux-policy-targeted-3.13.1-283.21.fc27.noarch

Comment 4 Fedora Update System 2018-02-15 19:08:01 UTC
container-selinux-2.48-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c6b68a1cb0

Comment 5 Fedora Update System 2018-02-16 16:27:49 UTC
container-selinux-2.48-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c6b68a1cb0

Comment 6 Fedora Update System 2018-02-20 17:16:34 UTC
container-selinux-2.48-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

