Bug 1540963 - In container, attempt to write to /dev/stdout in systemd service fails with AVC denial
Summary: In container, attempt to write to /dev/stdout in systemd service fails with A...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-01 12:14 UTC by Jan Pazdziora
Modified: 2019-12-17 13:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1540956
Environment:
Last Closed: 2019-12-17 13:17:44 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora 2018-02-01 12:14:37 UTC
Description of problem:

In a program which is run as a systemd service in a container, we try to write to stdout. For some reason, the bash script is actually doing the equivalent of

    echo Test > /dev/stdout

It fails.

Version-Release number of selected component (if applicable):

docker-1.13.1-44.git584d391.fc27.x86_64
selinux-policy-3.13.1-283.21.fc27.noarch
container-selinux-2.42-1.fc27.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Dockerfile:

FROM fedora:27
ADD test-service /usr/bin/
ADD test-service.service /etc/systemd/system/
RUN systemctl enable test-service

2. Have test-service:

#!/bin/bash
echo This is test service.
ls -la /dev/std* /dev/console
( echo This is test service with stdout. ) > /dev/stdout

3. Run # chmod a+x test-service
4. Have test-service.service:

[Unit]
Description=Test proc AVC denials
[Service]
Type=oneshot
ExecStart=/usr/bin/test-service
[Install]
WantedBy=multi-user.target

5. Build container: docker build -t systemd .
6. Run the container: docker run --name systemd systemd /usr/sbin/init
7. Check audit.log.
8. From another terminal, run: docker exec systemd journalctl _COMM=test-service -l

Actual results:

type=AVC msg=audit(1517487204.639:23310): avc:  denied  { mounton } for  pid=19121 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c562,c959 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1517487204.979:23324): avc:  denied  { write } for  pid=19170 comm="test-service" name="fd" dev="proc" ino=1625213 scontext=system_u:system_r:container_t:s0:c562,c959 tcontext=system_u:system_r:container_t:s0:c562,c959 tclass=dir permissive=0

-- Logs begin at Thu 2018-02-01 12:13:24 UTC, end at Thu 2018-02-01 12:13:53 UTC. --
Feb 01 12:13:24 2769242e3664 test-service[23]: This is test service.
Feb 01 12:13:24 2769242e3664 test-service[23]: ls: cannot access '/dev/console': No such file or directory
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb  1 12:13 /dev/stderr -> /proc/self/fd/2
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb  1 12:13 /dev/stdin -> /proc/self/fd/0
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb  1 12:13 /dev/stdout -> /proc/self/fd/1
Feb 01 12:13:24 2769242e3664 test-service[23]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address

Expected results:

No AVC denials.

-- Logs begin at Thu 2018-02-01 12:13:24 UTC, end at Thu 2018-02-01 12:13:53 UTC. --
Feb 01 12:13:24 2769242e3664 test-service[23]: This is test service.
Feb 01 12:13:24 2769242e3664 test-service[23]: ls: cannot access '/dev/console': No such file or directory
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb  1 12:13 /dev/stderr -> /proc/self/fd/2
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb  1 12:13 /dev/stdin -> /proc/self/fd/0
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb  1 12:13 /dev/stdout -> /proc/self/fd/1
Feb 01 12:13:24 2769242e3664 test-service[23]: This is test service with stdout.

Additional info:

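The following is an added example, not part of the bug report, that reproduces the "No such device or address" line from the journal without any container or SELinux policy involved. Under systemd a service's stdout is a unix stream socket connected to journald, and on Linux open(2) on /proc/self/fd/1 fails with ENXIO when fd 1 is a socket, so bash's `> /dev/stdout` (a fresh open of the symlink) fails while `>&1` (a dup of the inherited descriptor) works. It assumes a Linux host with /proc mounted and a POSIX `sh`, which performs the same open(2) call as bash.

```python
import socket
import subprocess

# Constructed inputs: the failing line from the bug's test-service, and the
# same write done by duplicating fd 1 instead of re-opening /dev/stdout.
NAIVE = "( echo This is test service with stdout. ) > /dev/stdout"
ROBUST = "( echo This is test service with stdout. ) >&1"


def run_with_socket_stdout(script):
    """Run a shell snippet with stdout attached to one end of a unix stream
    socketpair, the way journald attaches a service's stdout.
    Returns (exit status, bytes the peer received, decoded stderr)."""
    parent, child = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    proc = subprocess.run(["sh", "-c", script], stdout=child.fileno(),
                          stderr=subprocess.PIPE, check=False)
    child.close()  # the only other holder of this end has already exited
    chunks = []
    while True:
        data = parent.recv(4096)
        if not data:  # EOF: nothing more can arrive on the socket
            break
        chunks.append(data)
    parent.close()
    return proc.returncode, b"".join(chunks), proc.stderr.decode()


def naive_redirect():
    """'> /dev/stdout' re-opens /proc/self/fd/1; when fd 1 is a socket the
    open(2) fails with ENXIO, reported by the shell as
    '/dev/stdout: No such device or address'."""
    return run_with_socket_stdout(NAIVE)


def robust_redirect():
    """'>&1' duplicates the already-open descriptor, so it works whether
    fd 1 is a tty, a pipe, a regular file or journald's socket."""
    return run_with_socket_stdout(ROBUST)


if __name__ == "__main__":
    for name, fn in (("> /dev/stdout", naive_redirect), (">&1", robust_redirect)):
        rc, got, err = fn()
        print(f"{name:14} exit={rc} received={got!r} stderr={err.strip()!r}")
```

Because the failure comes from the kernel's handling of open(2) on a socket, it persists after the AVC denials disappear, which matches what the later comments report.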
Comment 1 Jan Pazdziora 2018-02-01 12:16:33 UTC
On RHEL 7, things fail as well but the AVC denial is different and the error is about Permission denied, not No such device or address -- see bug 1540956.

Comment 2 Ben Cotton 2018-11-27 13:41:37 UTC
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30  Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora  'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 27 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Ben Cotton 2018-11-30 23:37:21 UTC
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 4 Jan Pazdziora 2018-12-13 11:38:52 UTC
On Fedora 28 with docker-1.13.1-61.git9cb56fd.fc28.x86_64, there is no AVC denial logged but the journalctl output looks the same:

-- Logs begin at Thu 2018-12-13 11:35:04 UTC, end at Thu 2018-12-13 11:36:04 UTC. --
Dec 13 11:35:04 c1b013994f27 test-service[25]: This is test service.
Dec 13 11:35:04 c1b013994f27 test-service[25]: ls: cannot access '/dev/console': No such file or directory
Dec 13 11:35:04 c1b013994f27 test-service[25]: lrwxrwxrwx. 1 root root 15 Dec 13 11:35 /dev/stderr -> /proc/self/fd/2
Dec 13 11:35:04 c1b013994f27 test-service[25]: lrwxrwxrwx. 1 root root 15 Dec 13 11:35 /dev/stdin -> /proc/self/fd/0
Dec 13 11:35:04 c1b013994f27 test-service[25]: lrwxrwxrwx. 1 root root 15 Dec 13 11:35 /dev/stdout -> /proc/self/fd/1
Dec 13 11:35:04 c1b013994f27 test-service[25]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address

Comment 5 Ben Cotton 2019-05-02 19:22:47 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 28 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Jan Pazdziora 2019-05-09 19:41:31 UTC
On Fedora 29 with

docker-1.13.1-67.git1185cfd.fc29.x86_64
container-selinux-2.100-1.git3b78187.fc29.noarch


the AVC denial

type=AVC msg=audit(1557430803.187:607): avc:  denied  { mounton } for  pid=12919 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c436,c737 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0

is back and the journalctl output is the same:

May 09 19:40:03 901b94ccc075 test-service[25]: This is test service.
May 09 19:40:03 901b94ccc075 test-service[25]: ls: cannot access '/dev/console': No such file or directory
May 09 19:40:03 901b94ccc075 test-service[25]: lrwxrwxrwx. 1 root root 15 May  9 19:40 /dev/stderr -> /proc/self/fd/2
May 09 19:40:03 901b94ccc075 test-service[25]: lrwxrwxrwx. 1 root root 15 May  9 19:40 /dev/stdin -> /proc/self/fd/0
May 09 19:40:03 901b94ccc075 test-service[25]: lrwxrwxrwx. 1 root root 15 May  9 19:40 /dev/stdout -> /proc/self/fd/1
May 09 19:40:03 901b94ccc075 test-service[25]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address

Comment 7 Daniel Walsh 2019-05-12 10:55:08 UTC
This has never been allowed in policy, as far as I have seen, so I am thinking something changed in Systemd or in Docker, which has not been updated.
The question is why is systemd attempting to mount something on /proc?

Comment 8 Ben Cotton 2019-10-31 19:21:15 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 29 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 9 Jan Pazdziora 2019-11-01 10:35:35 UTC
On Fedora 31 with

docker-1.13.1-68.git47e2230.fc30.x86_64
container-selinux-2.117.0-1.gitbfde70a.fc31.noarch

on the host and a container based on registry.fedoraproject.org/fedora:30, the AVC denial is gone and the journalctl output is the same:

Nov 01 10:33:09 debc35e15224 test-service[27]: This is test service.
Nov 01 10:33:09 debc35e15224 test-service[27]: ls: cannot access '/dev/console': No such file or directory
Nov 01 10:33:09 debc35e15224 test-service[27]: lrwxrwxrwx. 1 root root 15 Nov  1 10:33 /dev/stderr -> /proc/self/fd/2
Nov 01 10:33:09 debc35e15224 test-service[27]: lrwxrwxrwx. 1 root root 15 Nov  1 10:33 /dev/stdin -> /proc/self/fd/0
Nov 01 10:33:09 debc35e15224 test-service[27]: lrwxrwxrwx. 1 root root 15 Nov  1 10:33 /dev/stdout -> /proc/self/fd/1
Nov 01 10:33:09 debc35e15224 test-service[27]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address

Comment 10 Daniel Walsh 2019-11-01 13:37:36 UTC
Not likely to fix any issues with Docker.  We are dropping support.  Does this happen in Podman?

Comment 11 Jan Pazdziora 2019-12-17 13:15:44 UTC
With

podman-1.6.2-2.fc31.x86_64
container-selinux-2.123.0-2.fc31.noarch

and a container based on registry.fedoraproject.org/fedora:31, there are no AVC denials and the journalctl output is the same:

# podman exec systemd journalctl _COMM=test-service -l
-- Logs begin at Tue 2019-12-17 13:13:24 UTC, end at Tue 2019-12-17 13:13:24 UTC. --
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: This is test service.
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: ls: cannot access '/dev/console': No such file or directory
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: lrwxrwxrwx. 1 root root 15 Dec 17 13:13 /dev/stderr -> /proc/self/fd/2
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: lrwxrwxrwx. 1 root root 15 Dec 17 13:13 /dev/stdin -> /proc/self/fd/0
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: lrwxrwxrwx. 1 root root 15 Dec 17 13:13 /dev/stdout -> /proc/self/fd/1
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address

