Bug 1671794 - SELinux is preventing libvirt_lxc from 'entrypoint' accesses on the file /etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: virt-bootstrap
Version: 29
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Fabiano Fidêncio
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e932c1537194f06e40e78023c1f...
Depends On:
Blocks:
Reported: 2019-02-01 16:43 UTC by Michael Hampton
Modified: 2019-07-06 06:55 UTC (History)
CC: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-06 06:55:35 UTC
Type: ---
Embargoed:



Description Michael Hampton 2019-02-01 16:43:46 UTC
Description of problem:
Ran as root:

virt-bootstrap docker://fedora /var/lib/libvirt/filesystems/fedora-29

The result was:

INFO    : Checking cached layers
INFO    : Extracting container layers
INFO    : Extracting layer (1/1) with size: 85.70 MiB
Traceback (most recent call last):
  File "/usr/bin/virt-bootstrap", line 11, in <module>
    load_entry_point('virt-bootstrap==1.1.0', 'console_scripts', 'virt-bootstrap')()
  File "/usr/lib/python3.7/site-packages/virtBootstrap/virt_bootstrap.py", line 334, in main
    progress_cb=args.status_only)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/virt_bootstrap.py", line 148, in bootstrap
    progress=prog).unpack(dest)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/sources/docker_source.py", line 307, in unpack
    utils.untar_layers(self.layers, dest, self.progress)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/utils.py", line 344, in untar_layers
    safe_untar(tar_file, dest_dir)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/utils.py", line 287, in safe_untar
    execute(virt_sandbox + params)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/utils.py", line 264, in execute
    raise subprocess.CalledProcessError(proc.returncode, cmd_str)
subprocess.CalledProcessError: Command 'virt-sandbox -c lxc:/// --name=bootstrap_2307045 -m host-bind:/mnt=/var/lib/libvirt/filesystems/dc1 -- /bin/tar xf /var/cache/virt-bootstrap/docker_images/0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a -C /mnt --exclude dev/* --overwrite --absolute-names --acls --xattrs --selinux' returned non-zero exit status 1.
SELinux is preventing libvirt_lxc from 'entrypoint' accesses on the file /etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc default label should be etc_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that libvirt_lxc should be allowed entrypoint access on the libvirt-sandbox-init-lxc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'libvirt_lxc' --raw | audit2allow -M my-libvirtlxc
# semodule -X 300 -i my-libvirtlxc.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c703,c967
Target Context                unconfined_u:object_r:virt_lxc_var_run_t:s0
Target Objects                /etc/libvirt-sandbox/scratch/.libs/libvirt-
                              sandbox-init-lxc [ file ]
Source                        libvirt_lxc
Source Path                   libvirt_lxc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-47.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.15-300.fc29.x86_64 #1 SMP Mon
                              Jan 14 16:32:35 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-02-01 11:39:54 EST
Last Seen                     2019-02-01 11:39:54 EST
Local ID                      29cd8957-be89-46f2-95f5-070d8e337efb

Raw Audit Messages
type=AVC msg=audit(1549039194.626:35250): avc:  denied  { entrypoint } for  pid=2306241 comm="libvirt_lxc" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19863480 scontext=system_u:system_r:container_t:s0:c703,c967 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=0


Hash: libvirt_lxc,container_t,virt_lxc_var_run_t,file,entrypoint

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.15-300.fc29.x86_64
type:           libreport

Comment 1 Michael Hampton 2019-02-01 16:50:27 UTC
Setting SELinux to permissive allowed me to collect a variety of AVCs when running the command again.

# semanage permissive -a container_t

# virt-bootstrap docker://fedora /var/lib/libvirt/filesystems/dc1
INFO    : Checking cached layers
INFO    : Extracting container layers
INFO    : Extracting layer (1/1) with size: 85.70 MiB
INFO    : Download and extract completed!
INFO    : Files are stored in: /var/lib/libvirt/filesystems/dc1

# ausearch -se container_t --raw
type=AVC msg=audit(1549039582.349:35294): avc:  denied  { entrypoint } for  pid=2308728 comm="libvirt_lxc" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35295): avc:  denied  { read write } for  pid=2308728 comm="libvirt-sandbox" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.350:35296): avc:  denied  { map } for  pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35297): avc:  denied  { read } for  pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35298): avc:  denied  { execute } for  pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35299): avc:  denied  { open } for  pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/ld.so" dev="tmpfs" ino=19869492 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35300): avc:  denied  { execute_no_trans } for  pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/ld.so" dev="tmpfs" ino=19869492 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.355:35309): avc:  denied  { read } for  pid=2308728 comm="ld.so" name="passwd" dev="dm-1" ino=757405 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.355:35310): avc:  denied  { open } for  pid=2308728 comm="ld.so" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=757405 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.355:35311): avc:  denied  { map } for  pid=2308728 comm="ld.so" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=757405 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.355:35312): avc:  denied  { write } for  pid=2308728 comm="ld.so" name="nss" dev="dm-1" ino=35182816 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1549039582.355:35313): avc:  denied  { connectto } for  pid=2308728 comm="ld.so" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1549039582.358:35315): avc:  denied  { read write } for  pid=2308728 comm="ld.so" name="1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.358:35316): avc:  denied  { open } for  pid=2308728 comm="ld.so" path="/dev/tty2" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.358:35317): avc:  denied  { ioctl } for  pid=2308728 comm="ld.so" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.361:35318): avc:  denied  { getattr } for  pid=2308728 comm="ld.so" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.363:35319): avc:  denied  { read } for  pid=2308745 comm="tar" name="0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a" dev="dm-1" ino=134244215 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.363:35320): avc:  denied  { open } for  pid=2308745 comm="tar" path="/var/cache/virt-bootstrap/docker_images/0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a" dev="dm-1" ino=134244215 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.365:35321): avc:  denied  { ioctl } for  pid=2308746 comm="gzip" path="/var/cache/virt-bootstrap/docker_images/0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a" dev="dm-1" ino=134244215 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.366:35322): avc:  denied  { write } for  pid=2308745 comm="tar" name="dc1" dev="zfs" ino=45070 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.366:35323): avc:  denied  { add_name } for  pid=2308745 comm="tar" name="bin" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.366:35324): avc:  denied  { create } for  pid=2308745 comm="tar" name="bin" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1549039582.366:35325): avc:  denied  { setattr } for  pid=2308745 comm="tar" name="bin" dev="zfs" ino=38477 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1549039582.366:35326): avc:  denied  { create } for  pid=2308745 comm="tar" name="boot" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.366:35327): avc:  denied  { setattr } for  pid=2308745 comm="tar" name="boot" dev="zfs" ino=38480 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.367:35328): avc:  denied  { write } for  pid=2308745 comm="tar" name="etc" dev="zfs" ino=38486 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.367:35329): avc:  denied  { add_name } for  pid=2308745 comm="tar" name=".pwd.lock" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.367:35330): avc:  denied  { create } for  pid=2308745 comm="tar" name=".pwd.lock" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.367:35331): avc:  denied  { write open } for  pid=2308745 comm="tar" path="/mnt/etc/.pwd.lock" dev="zfs" ino=38489 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.367:35332): avc:  denied  { setattr } for  pid=2308745 comm="tar" name=".pwd.lock" dev="zfs" ino=38489 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.466:35333): avc:  denied  { dac_override } for  pid=2308745 comm="tar" capability=1  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039582.470:35334): avc:  denied  { chown } for  pid=2308745 comm="tar" capability=0  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039582.470:35335): avc:  denied  { fowner } for  pid=2308745 comm="tar" capability=3  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039582.470:35336): avc:  denied  { fsetid } for  pid=2308745 comm="tar" capability=4  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039583.311:35337): avc:  denied  { dac_override } for  pid=2308745 comm="tar" capability=1  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039585.146:35338): avc:  denied  { chown } for  pid=2308745 comm="tar" capability=0  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039585.147:35339): avc:  denied  { fsetid } for  pid=2308745 comm="tar" capability=4  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039586.422:35340): avc:  denied  { fowner } for  pid=2308745 comm="tar" capability=3  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039586.520:35341): avc:  denied  { sys_admin } for  pid=2308728 comm="ld.so" capability=21  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039586.520:35342): avc:  denied  { unmount } for  pid=2308728 comm="ld.so" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1549039586.673:35343): avc:  denied  { dac_read_search } for  pid=2308728 comm="ld.so" capability=2  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1

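The catchall plugin in the description proposes `ausearch -c 'libvirt_lxc' --raw | audit2allow -M my-libvirtlxc`. Before installing such a module it is worth seeing what it would actually allow, because the rules are keyed on the source type (container_t), not on the MCS categories of this one sandbox, so they loosen every container_t process on the host. The following is an added example, not part of the bug report and not setroubleshoot's or audit2allow's own code: a small parser for `ausearch --raw` AVC records that merges denials into the allow rules audit2allow would emit and pulls out the `entrypoint` denials separately. An `entrypoint` denial names the binary a domain transition was attempted through and the label the policy has no entrypoint rule for; in the records above that label is virt_lxc_var_run_t on a tmpfs mount (dev="tmpfs"), which is why the path-based restorecon hint (etc_t) does not describe the file. The sample records are constructed in the shape of the ones in Comment 1.

```python
import re
from collections import defaultdict

# Constructed sample: records in the shape of the ausearch --raw output above
# (two file denials, one capability denial) plus one non-AVC record to be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1549039582.349:35294): avc:  denied  { entrypoint } for  pid=2308728 comm="libvirt_lxc" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35298): avc:  denied  { execute } for  pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.367:35331): avc:  denied  { write open } for  pid=2308745 comm="tar" path="/mnt/etc/.pwd.lock" dev="zfs" ino=38489 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.466:35333): avc:  denied  { dac_override } for  pid=2308745 comm="tar" capability=1  scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=SYSCALL msg=audit(1549039582.466:35333): arch=c000003e syscall=2 success=yes exit=3 comm="tar"
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (path="...") or bare (pid=1, scontext=a:b:c)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """'system_u:system_r:container_t:s0:c337,c817' -> 'container_t' (the type field)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "action": m.group("action"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "tclass": fields["tclass"],
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "permissive": fields.get("permissive") == "1",
    }


def parse_audit(text):
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def allow_rules(records):
    """Collapse denials into the allow rules audit2allow would generate: one rule per
    (source type, target type, object class) with the permissions merged."""
    perms = defaultdict(set)
    for r in records:
        if r["action"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (stype, ttype, tclass), ps in perms.items():
        target = "self" if stype == ttype else ttype  # capability checks are against self
        body = " ".join(sorted(ps))
        if len(ps) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return sorted(rules)


def entrypoint_denials(records):
    """(path, target type) for each entrypoint denial: the binary the domain tried to
    transition through, and the file type the policy has no entrypoint rule for."""
    return [(r["path"], r["ttype"]) for r in records
            if r["action"] == "denied" and "entrypoint" in r["perms"]]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print(f"{len(recs)} AVC records")
    for rule in allow_rules(recs):
        print(rule)
    for path, ttype in entrypoint_denials(recs):
        print(f"entrypoint denied on {path} labelled {ttype}")
```

Run against the full dump in Comment 1 the summary comes out as a handful of `allow container_t ...` rules covering virt_lxc_var_run_t, virt_var_lib_t, var_t, sssd_public_t, sssd_var_lib_t, sssd_t, fs_t and several capabilities. Every one of them would apply to all container_t processes, which is the practical reason to prefer running this one workload without SELinux separation (Comment 6) over shipping a local policy module that weakens the container domain everywhere.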
Comment 2 Daniel Walsh 2019-02-01 18:42:43 UTC
What exactly are you trying to do? It looks like you are running something in a container that should not be contained.

Comment 3 Michael Hampton 2019-02-01 18:52:10 UTC
I agree it probably shouldn't be contained, but it is virt-bootstrap that is spawning the container. I don't know why it wants to do that just to copy some files around.

Comment 4 Radostin Stoyanov 2019-06-04 10:56:34 UTC
The idea is that virt-bootstrap is downloading a container image from a registry using skopeo, then it extracts each layer to a specified destination directory. In order to improve security when extracting the container image layers, tar is being called within a constrained environment created with virt-sandbox (using lxc:/// or qemu:///session).

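Comment 4 explains that tar runs inside a virt-sandbox container because the image layers are untrusted input. What that sandbox guards against is visible in the tar command line from the description: `--absolute-names` makes tar honour absolute member names and `--exclude dev/*` drops device nodes, so without the bind-mounted /mnt and the container boundary a hostile layer could write anywhere on the host. The following is an added example, not virt-bootstrap's own safe_untar and not a substitute for the sandbox: a user-space validator that checks each layer member before extraction and rejects path traversal, absolute names, symlinks or hardlinks that resolve outside the destination, and device nodes. The layer tarball is constructed in memory for the demonstration; the function names are mine.

```python
import io
import os
import tarfile
import tempfile


def build_sample_layer():
    """Constructed layer tarball mixing benign members with escape attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, data):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tf.addfile(ti)

        add_file("etc/hostname", b"sandbox\n")     # benign regular file
        add_symlink("bin", "usr/bin")              # benign relative symlink
        add_file("../../escape", b"owned\n")       # traversal out of the destination
        add_file("/etc/passwd", b"root::0:0\n")    # absolute name (tar --absolute-names honours it)
        add_symlink("evil", "/etc")                # symlink pointing out of the tree
        add_file("evil/shadow", b"x\n")            # would land in /etc/shadow through that symlink
        dev = tarfile.TarInfo("dev/null")          # device node
        dev.type = tarfile.CHRTYPE
        dev.devmajor, dev.devminor = 1, 3
        tf.addfile(dev)
    return buf.getvalue()


def _inside(root, path):
    """True if path, with every already-extracted symlink resolved, stays under root."""
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def check_member(member, dest):
    """Return None if the member may be written under dest, else the rejection reason."""
    if member.isdev():
        return "device node"
    name = member.name
    if os.path.isabs(name) or os.path.normpath(name).split(os.sep)[0] == "..":
        return "absolute or traversing name"
    target = os.path.join(dest, name)
    if not _inside(dest, target):
        return "resolves outside destination through an existing symlink"
    if member.issym() or member.islnk():
        # hardlink targets are relative to the archive root, symlink targets to the member's directory
        base = dest if member.islnk() else os.path.dirname(target)
        if not _inside(dest, os.path.join(base, member.linkname)):
            return "link target outside destination"
    return None


def safe_extract(layer_bytes, dest):
    """Extract only members that pass check_member; return (extracted, rejected)."""
    dest = os.path.realpath(dest)
    extracted, rejected = [], []
    # Python 3.12+ (and the 3.8.17/3.9.17/3.10.12/3.11.4 backports) ship an equivalent
    # stdlib check; apply it as a second, independent layer where it exists.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tf:
        for member in tf:
            reason = check_member(member, dest)
            if reason is not None:
                rejected.append((member.name, reason))
                continue
            tf.extract(member, path=dest, **extract_kwargs)
            extracted.append(member.name)
    return extracted, rejected


def run_demo():
    """Extract the constructed layer into a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="layer-")
    return safe_extract(build_sample_layer(), dest)


if __name__ == "__main__":
    extracted, rejected = run_demo()
    print("extracted:", extracted)
    for name, reason in rejected:
        print(f"rejected {name!r}: {reason}")
```

The realpath check and the subsequent write are not atomic, so this only holds if nothing else can write into the destination while extraction runs; that residual race, plus everything tar does with ownership, xattrs and SELinux labels (`--acls --xattrs --selinux` on the command line above), is what the container boundary covers that a member filter cannot.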
Comment 5 Daniel Walsh 2019-06-10 10:14:14 UTC
Sure, then it should run the container without SELinux separation


podman run --security-opt lable=disabled ...

Comment 6 Daniel Walsh 2019-06-10 10:15:16 UTC
Oops

podman run --security-opt label=disable ...

Comment 7 Radostin Stoyanov 2019-07-06 06:55:35 UTC
Thank you for reporting this issue. It should be fixed in the next release.

