Bug 1553412 - SELinux is preventing chown from 'setattr' accesses on the fifo_file .
Summary: SELinux is preventing chown from 'setattr' accesses on the fifo_file .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 27
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5b2c3ca8e3bac12b8c84b7a0069...
Duplicates: 1488511
Depends On:
Blocks:
Reported: 2018-03-08 19:53 UTC by David
Modified: 2018-03-30 12:56 UTC
CC: 11 users

Fixed In Version: container-selinux-2.55-1.fc27 container-selinux-2.55-1.fc28
Clone Of:
Environment:
Last Closed: 2018-03-27 20:02:44 UTC
Type: ---
Embargoed:



Description David 2018-03-08 19:53:52 UTC
Description of problem:
SELinux is preventing chown from 'setattr' accesses on the fifo_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that chown should be allowed setattr access on the  fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chown' --raw | audit2allow -M my-chown
# semodule -X 300 -i my-chown.pp

Additional Information:
Source Context                system_u:system_r:spc_t:s0
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                 [ fifo_file ]
Source                        chown
Source Path                   chown
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.24.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.14.16-300.fc27.x86_64 #1 SMP Wed
                              Jan 31 19:24:27 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-02-09 19:15:56 GMT
Last Seen                     2018-02-11 18:29:43 GMT
Local ID                      3298e3cc-3ced-465f-922b-b2cb13a2d2ee

Raw Audit Messages
type=AVC msg=audit(1518373783.378:446): avc:  denied  { setattr } for  pid=17525 comm="chown" name="" dev="pipefs" ino=261170 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0


Hash: chown,spc_t,container_runtime_t,fifo_file,setattr

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1488511

Comment 1 akiross 2018-03-12 10:02:57 UTC
I have the same issue when starting mongodb on docker:

    docker run --rm -p 27017:27017 mongo

I get this

    chown: changing ownership of '/proc/1/fd/1': Permission denied
    chown: changing ownership of '/proc/1/fd/2': Permission denied

My policy RPM is selinux-policy-3.13.1-283.26.fc27.noarch instead.

Not sure if this could be helpful, but here's a `ls -lZ /proc/1/fd`:

    lrwx------. 1 root root system_u:system_r:init_t:s0 64 Mar 12 10:46 0 -> /dev/null
    lrwx------. 1 root root system_u:system_r:init_t:s0 64 Mar 12 10:46 1 -> /dev/null

Comment 2 Lukas Vrabec 2018-03-12 13:25:21 UTC
*** Bug 1488511 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2018-03-12 14:19:27 UTC
What AVCs are you seeing? And is this causing any issues other than the log messages?

ausearch -m avc -ts recent

Comment 4 akiross 2018-03-12 14:28:18 UTC
In my case, I am not experiencing any issue and mongodb appears to run fine, but I am using very limited functionalities right now.

After running mongo in a new container `ausearch -m avc -ts recent` prints

----
time->Mon Mar 12 15:24:11 2018
type=AVC msg=audit(1520864651.203:1827): avc:  denied  { setattr } for  pid=16375 comm="chown" name="" dev="pipefs" ino=622633 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
----
time->Mon Mar 12 15:24:11 2018
type=AVC msg=audit(1520864651.203:1826): avc:  denied  { setattr } for  pid=16375 comm="chown" name="" dev="pipefs" ino=622632 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0

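The raw AVC records quoted in the description and in the ausearch output above all carry the same denial signature, which setroubleshoot condenses into its "Hash:" line (command, source type, target type, object class, permission). The following parser, added here as an example and not part of this bug report or of the container-selinux project, turns such records into structured fields and counts enforced denials per signature, which is a quicker way to triage a flood of identical AVCs than reading them one by one. The three AVC lines in the sample are copied from this report; the line with permissive=1 is constructed to show that audit-only denials are left out of the count. Joining multiple permissions with a space in the signature is this example's own choice, not setroubleshoot's convention.

```python
"""Parse raw SELinux AVC records and aggregate enforced denials by signature."""
import re
from collections import Counter
from dataclasses import dataclass

# Header part: type=AVC msg=audit(<epoch>.<ms>:<serial>): avc:  denied  { perm ... } for  <key=value ...>
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# Trailing key=value pairs; values are either double-quoted (comm="chown", name="") or bare (pid=17525)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    perms: tuple         # permissions inside the braces, e.g. ("setattr",)
    fields: dict         # pid, comm, name, dev, ino, scontext, tcontext, tclass, permissive

    def _type_of(self, key):
        # A context is user:role:type:level; the SELinux type is the third component.
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self._type_of("scontext")

    @property
    def target_type(self):
        return self._type_of("tcontext")

    @property
    def enforced(self):
        # permissive=0 means the access was actually blocked, not merely logged.
        return self.fields.get("permissive") == "0"

    def signature(self):
        """Same shape as the setroubleshoot 'Hash:' line: comm,stype,ttype,tclass,perm."""
        return ",".join([
            self.fields.get("comm", "?"),
            self.source_type,
            self.target_type,
            self.fields["tclass"],
            " ".join(self.perms),
        ])


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for anything else (e.g. 'time->' or '----')."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("rest")):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        fields=fields,
    )


def summarize(lines):
    """Count enforced denials per signature; granted and permissive records are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec.result == "denied" and rec.enforced:
            counts[rec.signature()] += 1
    return dict(counts)


# Sample input: the three AVC lines from this report plus ausearch separators and one
# constructed permissive=1 record (not from the report) that must not be counted.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1518373783.378:446): avc:  denied  { setattr } for  pid=17525 comm="chown" name="" dev="pipefs" ino=261170 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0',
    "----",
    "time->Mon Mar 12 15:24:11 2018",
    'type=AVC msg=audit(1520864651.203:1827): avc:  denied  { setattr } for  pid=16375 comm="chown" name="" dev="pipefs" ino=622633 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0',
    'type=AVC msg=audit(1520864651.203:1826): avc:  denied  { setattr } for  pid=16375 comm="chown" name="" dev="pipefs" ino=622632 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0',
    # constructed: same denial recorded on a host in permissive mode
    'type=AVC msg=audit(1520864700.000:1900): avc:  denied  { setattr } for  pid=99999 comm="chown" name="" dev="pipefs" ino=1 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=1',
]

if __name__ == "__main__":
    for sig, n in summarize(SAMPLE_AUDIT).items():
        print(f"{n:4d}  {sig}")
```

Feeding it the output of `ausearch -m avc -ts recent` gives one line per distinct signature with its count, so the three records above collapse into a single "chown,spc_t,container_runtime_t,fifo_file,setattr" entry, the same key the report's Hash: line shows.
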
Comment 5 Daniel Walsh 2018-03-12 15:04:14 UTC
Fixed in container-selinux-2.54

Comment 6 Fedora Update System 2018-03-15 12:44:01 UTC
container-selinux-2.55-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-29bc3c6098

Comment 7 Fedora Update System 2018-03-15 12:44:53 UTC
container-selinux-2.55-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-cdf686cb83

Comment 8 Fedora Update System 2018-03-15 16:29:06 UTC
container-selinux-2.55-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-29bc3c6098

Comment 9 Fedora Update System 2018-03-16 14:43:53 UTC
container-selinux-2.55-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-cdf686cb83

Comment 10 Fedora Update System 2018-03-27 20:02:44 UTC
container-selinux-2.55-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 akiross 2018-03-28 09:22:54 UTC
I am using container-selinux-2.55-1.fc27, but I am still experiencing the issue.

Besides updating, are there any additional steps to be performed?

When running MongoDB, I get the following warning (apparently, it runs fine besides this)

    chown: changing ownership of '/proc/1/fd/1': Permission denied
    chown: changing ownership of '/proc/1/fd/2': Permission denied


And I get the following selinux message:

SELinux is preventing chown from setattr access on the fifo_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that chown should be allowed setattr access on the  fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chown' --raw | audit2allow -M my-chown
# semodule -X 300 -i my-chown.pp

Additional Information:
Source Context                system_u:system_r:spc_t:s0
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                 [ fifo_file ]
Source                        chown
Source Path                   chown
Port                          <Unknown>
Host                          sanctuary
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.29.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sanctuary
Platform                      Linux sanctuary 4.15.12-301.fc27.x86_64 #1 SMP Thu
                              Mar 22 19:25:27 UTC 2018 x86_64 x86_64
Alert Count                   14
First Seen                    2018-03-26 15:30:16 CEST
Last Seen                     2018-03-28 11:19:26 CEST
Local ID                      96607e77-d9ea-4d52-84f7-50a5bf684c41

Raw Audit Messages
type=AVC msg=audit(1522228766.581:351): avc:  denied  { setattr } for  pid=15047 comm="chown" name="" dev="pipefs" ino=160788 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0


Hash: chown,spc_t,container_runtime_t,fifo_file,setattr

# ausearch -m avc -ts recent
----
time->Wed Mar 28 11:17:31 2018
type=AVC msg=audit(1522228651.112:320): avc:  denied  { setattr } for  pid=14768 comm="chown" name="" dev="pipefs" ino=156705 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
----
time->Wed Mar 28 11:17:31 2018
type=AVC msg=audit(1522228651.113:321): avc:  denied  { setattr } for  pid=14768 comm="chown" name="" dev="pipefs" ino=156706 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
----

Comment 12 akiross 2018-03-28 09:26:27 UTC
Sorry! I was mistaken: I was using docker-engine-selinux, not container-selinux.

I removed the former and replaced it with the latter and issue is gone. Thanks and sorry again.

Comment 13 Fedora Update System 2018-03-30 12:56:52 UTC
container-selinux-2.55-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
