Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1558710

Summary: allow iptables_t container_runtime_t:file read;
Product: Red Hat Enterprise Linux 7 Reporter: Qian Cai <qcai>
Component: container-selinuxAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 7.5-AltCC: jhonce, lsu, lvrabec, mgrepl, mmalik, plautrba, qcai, ssekidde
Target Milestone: rcKeywords: Extras
Target Release: 7.5-Alt   
Hardware: ppc64le   
OS: Linux   
Whiteboard:
Fixed In Version: container-selinux-2.55-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-11 00:03:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
more avc output none

Description Qian Cai 2018-03-20 20:53:36 UTC 
Description of problem:
runc test suite started to generate avc in the latest RHEL-ALT 7.5 rc on ppc64le.

# ausearch -m avc
----
time->Tue Mar 20 16:31:37 2018
type=PROCTITLE msg=audit(1521577897.906:106): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D74006E6174002D4300504F5354524F5554494E47002D73003137322E31372E302E302F31360021002D6F00646F636B657230002D6A004D415351554552414445
type=SYSCALL msg=audit(1521577897.906:106): arch=c0000015 syscall=11 success=yes exit=0 a0=c420018280 a1=c4204404d0 a2=c4202657a0 a3=0 items=0 ppid=10528 pid=10583 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1521577897.906:106): avc:  denied  { read } for  pid=10583 comm="iptables" path="net:[4026531872]" dev="nsfs" ino=4026531872 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-192.el7.noarch
container-selinux-2.51-1.el7.noarch

How reproducible:
always
Comment 1 Milos Malik 2018-03-21 08:06:10 UTC 
Could re-run the testsuite in permissive mode? It's likely that more SELinux denials will appear.

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Please attach all found SELinux denials.
Comment 2 Qian Cai 2018-03-21 13:20:22 UTC 
Created attachment 1411213 [details]
more avc output
Comment 3 Qian Cai 2018-03-21 14:51:22 UTC 
OK, I have done triage. The culprit is introduced by container-selinux
version 2.49-1 from one of those commits.

- Add support for MLS running container runtimes
- Add missing allow rules for running systemd in a container

This avc could simply by reproduced by restarting docker daemon.
Comment 4 Qian Cai 2018-03-21 15:54:38 UTC 
Reverted this commit makes the problem go away.

commit d84132b276ea78d85eb8c6668fa9b9947df85c39
Date:   Fri Mar 2 13:51:51 2018 -0500

    Add support for MLS Policy and features needed by systemd in a container

    Signed-off-by: Daniel J Walsh <dwalsh>

diff --git a/VERSION b/VERSION
index 1c593e1..6e272ad 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.48
+2.49
diff --git a/container.te b/container.te
index c31819a..99340e4 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.48.0)
+policy_module(container, 2.49.0)
 gen_require(`
        class passwd rootok;
        type container_file_t;
@@ -88,7 +88,7 @@ corenet_port(container_port_t)
 #')

 ifdef(`enable_mls',`
-       init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, mls_systemhigh)
+       init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
 ')

 ########################################
@@ -131,6 +131,9 @@ corenet_udp_bind_all_ports(container_runtime_t)
 corenet_tcp_bind_all_ports(container_runtime_t)
 corenet_tcp_connect_all_ports(container_runtime_t)

+mls_file_read_to_clearance(container_runtime_t)
+mls_file_write_to_clearance(container_runtime_t)
+
 container_auth_stream_connect(container_runtime_t)

 manage_blk_files_pattern(container_runtime_t, container_file_t, container_file_t)
@@ -700,6 +703,12 @@ kernel_rw_net_sysctls(container_t)
 kernel_read_messages(container_t)
 kernel_read_network_state(container_t)
 kernel_dontaudit_write_proc_files(container_t)
+kernel_mounton_proc(container_t)
+#kernel_dontaudit_write_usermodehelper_state(container_t)
+gen_require(`
+       type usermodehelper_t;
+')
+dontaudit container_t usermodehelper_t:file write;

 fs_read_cgroup_files(container_t)
Comment 5 Daniel Walsh 2018-03-23 12:14:32 UTC 
There is nothing in these changes which would cause these AVC's.

If you update container-selinux again, are the messages still there?

time->Tue Mar 20 16:31:37 2018
type=PROCTITLE msg=audit(1521577897.906:106): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D74006E6174002D4300504F5354524F5554494E47002D73003137322E31372E302E302F31360021002D6F00646F636B657230002D6A004D415351554552414445
type=SYSCALL msg=audit(1521577897.906:106): arch=c0000015 syscall=11 success=yes exit=0 a0=c420018280 a1=c4204404d0 a2=c4202657a0 a3=0 items=0 ppid=10528 pid=10583 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1521577897.906:106): avc:  denied  { read } for  pid=10583 comm="iptables" path="net:[4026531872]" dev="nsfs" ino=4026531872 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Looks like it is allowed in upstream policy and this RHEL7.5 policy
container_read_pid_files(iptables_t)
Comment 6 Qian Cai 2018-03-23 13:16:51 UTC 
OK, agree this may has nothing to do with this commit (some strangeness happened during the bisecting process) but the bottom line is that this can be reproduced easily on the latest bits on power.

# rpm -q container-selinux docker selinux-policy
container-selinux-2.51-1.el7.noarch
docker-1.13.1-58.git87f2fab.el7.ppc64le
selinux-policy-3.13.1-192.el7.noarch

# systemctl restart docker
# ausearch -m avc
time->Fri Mar 23 09:12:45 2018
type=PROCTITLE msg=audit(1521810765.807:2364): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D4900464F5257415244002D6A00444F434B45522D49534F4C4154494F4E
type=SYSCALL msg=audit(1521810765.807:2364): arch=c0000015 syscall=11 success=yes exit=0 a0=c42018ad60 a1=c4203d95c0 a2=c420776720 a3=0 items=0 ppid=10715 pid=10811 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1521810765.807:2364): avc:  denied  { read } for  pid=10811 comm="iptables" path="net:[4026531872]" dev="nsfs" ino=4026531872 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
Comment 7 Qian Cai 2018-03-23 13:41:49 UTC 
Not sure if this is related but there is a message in console looks like new.

bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
Comment 8 Qian Cai 2018-03-23 14:06:28 UTC 
OK, tried to bisect again and it turned out,

container-selinux-2.42-1.gitad8f0f7.el7: GOOD
container-selinux-2.48-1.el7:            BAD

[root@ibm-p8-kvm-05-guest-03 ~]# rpm -q container-selinux
container-selinux-2.42-1.gitad8f0f7.el7.noarch
[root@ibm-p8-kvm-05-guest-03 ~]# semodule -X 200 -r container
libsemanage.semanage_direct_remove_key: Removing last container module (no other container module exists at another priority).
[root@ibm-p8-kvm-05-guest-03 ~]# rpm -ivh --force container-selinux-2.42-1.gitad8f0f7.el7.noarch.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:container-selinux-2:2.42-1.gitad8################################# [100%]
[root@ibm-p8-kvm-05-guest-03 ~]# systemctl restart docker
[root@ibm-p8-kvm-05-guest-03 ~]# ausearch -m AVC
<NO AVC>
[root@ibm-p8-kvm-05-guest-03 ~]# semodule -X 200 -r container
libsemanage.semanage_direct_remove_key: Removing last container module (no other container module exists at another priority).
[root@ibm-p8-kvm-05-guest-03 ~]# rpm -Uvh container-selinux-2.48-1.el7.noarch.rpm 
Preparing...                          ################################# [100%]
        package container-selinux-2:2.48-1.el7.noarch is already installed
[root@ibm-p8-kvm-05-guest-03 ~]# rpm -Uvh container-selinux-2.48-1.el7.noarch.rpm --force
Preparing...                          ################################# [100%]
Updating / installing...
   1:container-selinux-2:2.48-1.el7   ################################# [100%]
[root@ibm-p8-kvm-05-guest-03 ~]# systemctl restart docker
[root@ibm-p8-kvm-05-guest-03 ~]# ausearch -m AVC
<AVC>
Comment 9 Daniel Walsh 2018-03-23 15:02:09 UTC 
Ok I am building container-selinux-2.55.

Should be fixed in  container-selinux-2.55-1.el7
Comment 11 Luwen Su 2018-03-27 10:32:55 UTC 
Tried the container-selinux-2.55-1.el7.noarch, looks fine

# service docker restart
Redirecting to /bin/systemctl restart docker.service
# ausearch -m AVC
<no matches>


selinux-policy-3.13.1-192.el7.noarch
container-selinux-2:2.55-1.el7
Comment 14 errata-xmlrpc 2018-04-11 00:03:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1073