Bug 1550967 - Running systemd in container causes AVC denials about mounton /proc and write core_pattern
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-03-02 12:20 UTC by Jan Pazdziora (Red Hat)
Modified: 2019-03-06 01:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the `dontaudit` and `allow` SELinux rules were missing, so the kernel raised an SELinux AVC message. Consequently, some commands did not work as expected. This update adds the missing rules, and the commands now run successfully.
Clone Of:
Environment:
Last Closed: 2018-08-16 16:05:57 UTC
Target Upstream Version:
Embargoed:



Links
System: Red Hat Product Errata   ID: RHSA-2018:2482   Last Updated: 2018-08-16 16:06:42 UTC

Description Jan Pazdziora (Red Hat) 2018-03-02 12:20:19 UTC
Description of problem:

Starting simple

docker run --name=systemd -td fedora:26 /usr/sbin/init

causes AVC denials.

Version-Release number of selected component (if applicable):

docker-1.13.1-55.rhel75.git774336d.el7.x86_64
oci-systemd-hook-0.1.15-2.gitc04483d.el7.x86_64
selinux-policy-3.13.1-192.el7.noarch
container-selinux-2.48-1.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run --name=systemd -td fedora:26 /usr/sbin/init
2. docker logs systemd
3. grep AVC /var/log/audit/audit.log

Actual results:

Mount failed for selinuxfs on /sys/fs/selinux:  No such file or directory
Failed to set up the root directory for shared mount propagation: Operation not permitted
systemd 233 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN default-hierarchy=hybrid)
Detected architecture x86-64.

Welcome to Fedora 26 (Twenty Six)!

Set hostname to <be23b15136e0>.
Initializing machine ID from random generator.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Reached target Swap.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[...]

type=AVC msg=audit(1520010316.284:910): avc:  denied  { mounton } for  pid=36237 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c791,c981 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1520010316.285:911): avc:  denied  { write } for  pid=36237 comm="systemd" name="core_pattern" dev="proc" ino=181849 scontext=system_u:system_r:container_t:s0:c791,c981 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file

Expected results:

No AVC denials.

Additional info:

Comment 2 Jan Pazdziora (Red Hat) 2018-03-02 12:21:20 UTC
This is very similar to bug 1373746 comment 2.

Comment 3 Jan Pazdziora (Red Hat) 2018-03-02 14:10:41 UTC
Other AVC denials that I see are:

type=AVC msg=audit(1519999311.398:105): avc:  denied  { write } for  pid=13044 comm="systemd" name="memory.use_hierarchy" dev="cgroup" ino=38170 scontext=system_u:system_r:container_t:s0:c671,c1000 tcontext=system_u:object_r:cgroup_t:s0 tclass=file

type=AVC msg=audit(1519999311.446:106): avc:  denied  { write } for  pid=13044 comm="systemd" name="system.slice" dev="cgroup" ino=42428 scontext=system_u:system_r:container_t:s0:c671,c1000 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Comment 4 Jan Pazdziora (Red Hat) 2018-03-02 14:11:15 UTC
On RHEL 7.4, only the

type=AVC msg=audit(1519999283.226:114): avc:  denied  { mounton } for  pid=14830 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c541,c668 tcontext=system_u:object_r:proc_t:s0 tclass=dir

is shown.

Comment 6 Jan Pazdziora (Red Hat) 2018-03-02 14:13:22 UTC
On Fedora 27 host, I see

type=AVC msg=audit(1520017465.878:172): avc:  denied  { write } for  pid=12280 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c636,c805 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0

type=AVC msg=audit(1520017528.039:352): avc:  denied  { mounton } for  pid=13217 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c150,c648 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0

On Fedora 26 host, I see

type=AVC msg=audit(1520017359.544:172): avc:  denied  { write } for  pid=12197 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c57,c418 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0

type=AVC msg=audit(1520017359.544:173): avc:  denied  { write } for  pid=12197 comm="systemd" name="cgroup.procs" dev="cgroup" ino=724 scontext=system_u:system_r:container_t:s0:c57,c418 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0

type=AVC msg=audit(1520017418.594:185): avc:  denied  { mounton } for  pid=13123 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c353,c701 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0

Comment 8 Daniel Walsh 2018-03-02 18:41:34 UTC
The write to cgroup requires the boolean be set.  We don't have labeled cgroups yet.

The write to userhelper, I will fix.

The mounton /proc is strange. I guess we can allow it.

Comment 9 Jan Pazdziora (Red Hat) 2018-03-03 14:18:34 UTC
Ah, container_manage_cgroup. Starting the container did not outright fail so it did not kick me to add it. I confirm that with the boolean set, the container_t/cgroup_t AVC denials are gone.
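
The denials quoted in the description and Comment 3, and the split Comment 8 draws between the cgroup_t writes (gated by the container_manage_cgroup boolean that Comment 9 names) and the denials that needed a policy change, can be triaged mechanically. The script below is an added example, not code from this report or from container-selinux, docker or selinux-policy. It parses type=AVC records, collapses them across the per-container MCS categories, and prints either the boolean to set or the allow rule in policy-module syntax that would cover the denial. Those rule strings are candidates to compare against what the shipped policy grants, not the exact rules Red Hat added (the Doc Text says dontaudit rules were part of the fix as well). The sample records are copied from this report; the file name avc_triage.py and the bucket names are the example's own.

```python
"""Triage SELinux AVC denials from a systemd-in-container run.

Added example for this bug report; not code shipped with docker,
container-selinux or selinux-policy. Sorts denials into two buckets:

  * writes to cgroup_t, which Comments 8 and 9 say are gated by the
    container_manage_cgroup boolean rather than by missing policy;
  * everything else, for which the allow rule a policy module (or
    audit2allow) would emit is printed for comparison with shipped policy.

As a script it reads audit lines on stdin, e.g.
  ausearch -m avc -ts recent | python3 avc_triage.py
and falls back to the records copied from the report when stdin is a tty.
"""
import re
import sys

# Records copied verbatim from the report above (not constructed).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1520010316.284:910): avc:  denied  { mounton } for  pid=36237 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c791,c981 tcontext=system_u:object_r:proc_t:s0 tclass=dir',
    'type=AVC msg=audit(1520010316.285:911): avc:  denied  { write } for  pid=36237 comm="systemd" name="core_pattern" dev="proc" ino=181849 scontext=system_u:system_r:container_t:s0:c791,c981 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file',
    'type=AVC msg=audit(1519999311.398:105): avc:  denied  { write } for  pid=13044 comm="systemd" name="memory.use_hierarchy" dev="cgroup" ino=38170 scontext=system_u:system_r:container_t:s0:c671,c1000 tcontext=system_u:object_r:cgroup_t:s0 tclass=file',
    'type=AVC msg=audit(1520017465.878:172): avc:  denied  { write } for  pid=12280 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c636,c805 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0',
]

# The boolean named in Comment 9; the cgroup_t write denials stop once it is on.
CGROUP_BOOLEAN = "container_manage_cgroup"

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """user:role:type[:range] -> the type (third field)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        # mounton denials carry path=, file writes carry name=
        "target": fields.get("path") or fields.get("name", ""),
        "permissive": fields.get("permissive"),
    }


def te_rule(avc):
    """Allow rule in policy-module syntax, e.g. 'allow container_t proc_t:dir mounton;'."""
    perms = sorted(set(avc["perms"]))
    perm_txt = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], perm_txt)


def classify(avc):
    """(action, detail): 'boolean' for cgroup_t writes, otherwise 'policy' plus the rule."""
    if avc["ttype"] == "cgroup_t" and "write" in avc["perms"]:
        return "boolean", "setsebool -P %s on" % CGROUP_BOOLEAN
    return "policy", te_rule(avc)


def summarize(lines):
    """Collapse denials into unique actions; MCS categories differ per container but
    the type/class/permission triple is what the policy decision is made on."""
    out = {"boolean": set(), "policy": set()}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        action, detail = classify(avc)
        out[action].add(detail)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    src = SAMPLE_AVCS if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for action, details in summarize(src).items():
        for detail in details:
            print("%-8s %s" % (action, detail))
```

Run against the four records from the report it prints one boolean line for both cgroup_t writes and two policy lines, one for the mounton on /proc and one for the write to core_pattern; a policy author may still choose dontaudit over allow for a write the container does not actually need.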

Comment 11 Daniel Walsh 2018-03-04 15:47:19 UTC
Attempt another fix in container-selinux-2.49-1.el7

Comment 14 Daniel Walsh 2018-03-12 15:33:35 UTC
I would think we would just wait for RHEL7.5 at this point.

Comment 16 Luwen Su 2018-08-05 17:30:28 UTC
Package version:
container-selinux-2.68-1.el7.noarch
docker-1.13.1-74.git6e3bb8e.el7.x86_64

Prerequisites:
# getsebool -a | grep -i container
container_connect_any --> off
container_manage_cgroup --> on
logrotate_read_inside_containers --> off

# docker run --name=systemd -td rhel7 /usr/sbin/init

No AVC logs.

Docker logs, see below:
# docker logs systemd
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux Server 7.5 (Maipo)!

Set hostname to <de5509bcee50>.
Initializing machine ID from random generator.
Cannot add dependency job for unit sys-fs-fuse-connections.mount, ignoring: Unit is masked.
Cannot add dependency job for unit getty.target, ignoring: Unit is masked.
Cannot add dependency job for unit systemd-logind.service, ignoring: Unit is masked.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Reached target Swap.
[  OK  ] Reached target Paths.
[  OK  ] Created slice Root Slice.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Listening on Journal Socket.
[  OK  ] Created slice System Slice.
[  OK  ] Reached target Slices.
         Starting Journal Service...
         Starting Load/Save Random Seed...
         Starting Rebuild Hardware Database...
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Reached target Local File Systems.
         Starting Rebuild Journal Catalog...
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Load/Save Random Seed.
[  OK  ] Started Rebuild Hardware Database.
[  OK  ] Started Rebuild Journal Catalog.
         Starting Update is Completed...
[  OK  ] Started Update is Completed.
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting Permit User Sessions...
[  OK  ] Started D-Bus System Message Bus.
         Starting D-Bus System Message Bus...
[  OK  ] Reached target Timers.
[  OK  ] Started Permit User Sessions.
         Starting Cleanup of Temporary Directories...
[  OK  ] Reached target Multi-User System.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Cleanup of Temporary Directories.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Comment 17 Lokesh Mandvekar 2018-08-09 10:58:26 UTC
Dan, could you please write the 'Doc Text' for this bug. Please select Doc Type as 'Bug Fix', it will display the template.

Comment 19 errata-xmlrpc 2018-08-16 16:05:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2482

