Description of problem:
When elfutils-default-yama-scope happens to be upgraded in a container, there is an AVC denial about container_t and sysctl_kernel_t.

Version-Release number of selected component (if applicable):
On host: container-selinux-2:2.65-1.gitbf5b26b.fc28.noarch
In container: elfutils-default-yama-scope-0.170-11.fc29.noarch

How reproducible:
Deterministic.

Steps to Reproduce:
1. docker run --rm registry.fedoraproject.org/fedora:rawhide dnf upgrade -y elfutils-default-yama-scope
2. Check audit.log

Actual results:
Unable to find image 'registry.fedoraproject.org/fedora:rawhide' locally
Trying to pull repository registry.fedoraproject.org/fedora ...
sha256:521225b1a14aba45bdbce042f42f2f457813b0fdd58989325a7fa5321a223387: Pulling from registry.fedoraproject.org/fedora
f5b598b9ce0d: Pulling fs layer
f5b598b9ce0d: Verifying Checksum
f5b598b9ce0d: Download complete
f5b598b9ce0d: Pull complete
Digest: sha256:521225b1a14aba45bdbce042f42f2f457813b0fdd58989325a7fa5321a223387
Status: Downloaded newer image for registry.fedoraproject.org/fedora:rawhide
MARK-LWD-LOOP -- 2018-07-18 15:24:57 --
Fedora - Rawhide - Developmental packages for t         427 kB/s |  62 MB     02:27
Last metadata expiration check: 0:01:02 ago on Wed Jul 18 19:26:35 2018.
Dependencies resolved.
================================================================================
 Package                      Arch     Version         Repository    Size
================================================================================
Upgrading:
 elfutils-default-yama-scope  noarch   0.173-2.fc29    rawhide       14 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 14 k
Downloading Packages:
elfutils-default-yama-scope-0.173-2.fc29.noarch         60 kB/s |  14 kB     00:00
--------------------------------------------------------------------------------
Total                                                    13 kB/s |  14 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Upgrading        : elfutils-default-yama-scope-0.173-2.fc29.noarch        1/2
  Running scriptlet: elfutils-default-yama-scope-0.173-2.fc29.noarch        1/2
  Cleanup          : elfutils-default-yama-scope-0.170-11.fc29.noarch       2/2
  Running scriptlet: elfutils-default-yama-scope-0.170-11.fc29.noarch       2/2
  Verifying        : elfutils-default-yama-scope-0.173-2.fc29.noarch        1/2
  Verifying        : elfutils-default-yama-scope-0.170-11.fc29.noarch       2/2

Upgraded:
  elfutils-default-yama-scope.noarch 0.173-2.fc29

Complete!

and

type=AVC msg=audit(1531942069.455:173): avc: denied { write } for pid=14418 comm="systemd-sysctl" name="ptrace_scope" dev="proc" ino=48216 scontext=system_u:system_r:container_t:s0:c162,c763 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0

Expected results:
No AVC denial.

Additional info:
Scriptlet in elfutils-default-yama-scope does
  /usr/lib/systemd/systemd-sysctl 10-default-yama-scope.conf >/dev/null 2>&1 || :
and /usr/lib/sysctl.d/10-default-yama-scope.conf contains
  kernel.yama.ptrace_scope = 0
I guess this is a reproducer for bug 1435868.
Are these properly namespaced?
I have no idea. I'm merely an external observer here.
Ok, so this is also mounted read-only, so I think I will just add a dontaudit rule.
Fixed in container-selinux-2.69-1.git452b90d
container-selinux-2.69-1.git452b90d.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d
It seems to me that elfutils' %post should not attempt to run this sysctl at all, and just leave it to the next reboot. That would also solve this problem (since a container startup wouldn't trigger this).
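As an added illustration of the two points raised in this bug (example code, not the elfutils package's own %post scriptlet and not part of the original report): a guarded version of the scriptlet step that writes kernel.yama.ptrace_scope only when the running context can actually do so, plus a small classifier for the AVC line from the description so the denial can be spotted in audit.log. The container markers /run/.containerenv and /.dockerenv and the systemd-detect-virt call are assumptions about the runtime; the config and proc paths default to the ones named in the bug.

```shell
#!/bin/sh
# Added example, not the elfutils package's own scriptlet.
# Guarded version of the %post step from this bug: apply the Yama sysctl only
# when it makes sense in the current context. Inside a container /proc/sys is
# mounted read-only, so systemd-sysctl's write is refused (the AVC in the
# description); skipping the write there avoids the denial entirely.

# Defaults are the paths named in the bug report; override via environment for testing.
YAMA_CONF="${YAMA_CONF:-/usr/lib/sysctl.d/10-default-yama-scope.conf}"
YAMA_PROC="${YAMA_PROC:-/proc/sys/kernel/yama/ptrace_scope}"

# Print the value N from a "kernel.yama.ptrace_scope = N" line in a sysctl.d file.
yama_conf_value() {
    sed -n 's/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1
}

# Best-effort container detection (assumption: podman writes /run/.containerenv,
# docker writes /.dockerenv; systemd-detect-virt is consulted when available).
in_container() {
    [ -f /run/.containerenv ] && return 0
    [ -f /.dockerenv ] && return 0
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        systemd-detect-virt --container --quiet && return 0
    fi
    return 1
}

# Return 0 only if the sysctl should be written now: config readable, the proc
# file writable from here (access(2) fails with EROFS on a read-only /proc/sys),
# and the live value differs from the configured one.
yama_sysctl_needed() {
    conf="$1"; procfile="$2"
    [ -r "$conf" ] || return 1
    [ -w "$procfile" ] || return 1
    want=$(yama_conf_value "$conf")
    [ -n "$want" ] || return 1
    have=$(cat "$procfile" 2>/dev/null) || return 1
    [ "$have" != "$want" ]
}

# What a %post could run instead of the unconditional systemd-sysctl call:
# no-op in containers and when the value is already in effect.
apply_default_yama_scope() {
    in_container && return 0
    yama_sysctl_needed "$YAMA_CONF" "$YAMA_PROC" || return 0
    /usr/lib/systemd/systemd-sysctl "$(basename "$YAMA_CONF")" >/dev/null 2>&1 || :
}

# Classify one audit.log line: the systemd-sysctl write denial on sysctl_kernel_t
# from the description (tolerates the single or double spacing auditd emits).
is_sysctl_write_denial() {
    case "$1" in
        *"type=AVC"*"denied"*"{ write }"*'comm="systemd-sysctl"'*"sysctl_kernel_t"*) return 0 ;;
    esac
    return 1
}
```

Calling apply_default_yama_scope from the scriptlet keeps the host behaviour (the value is applied immediately after install) while a container build or upgrade simply skips the write, which is the other way of making the denial disappear besides the dontaudit rule added in container-selinux.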
container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-42991b7a1d
(In reply to Frank Ch. Eigler from comment #8)
> It seems to me that elfutils' %post should not attempt to run this sysctl at
> all, and just leave it to the next reboot. That would also solve this
> problem (since a container startup wouldn't trigger this).

I've cloned into bug 1609806 for possible elfutils change.
container-selinux-2.69-1.git452b90d.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.