Bug 1943617 - mount overlay in a user namespace doesn't work when a selinux label is specified
Summary: mount overlay in a user namespace doesn't work when a selinux label is specified
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 34
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-03-26 15:58 UTC by Giuseppe Scrivano
Modified: 2023-09-15 01:04 UTC (History)
21 users (show)

Fixed In Version: kernel-5.12.9-200.fc33 kernel-5.12.9-300.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-08 01:07:07 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Giuseppe Scrivano 2021-03-26 15:58:49 UTC 
1. Please describe the problem:

overlay mounts from a user namespace don't work when a context= option is specified.

There is a patch accepted into selinux/next but it won't hit a release until 5.13, thus blocking us from testing rootless containers with native overlay mounts:

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=7fa2e79a6bb924fa4b2de5766dab31f0f47b5ab6

2. What is the Version-Release number of the kernel:

5.11.7-300.fc34.x86_64

3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  Old kernels are available for download at
   https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :


4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:

$ cat test.c
#include <sys/mount.h>

int
main()
{
  mount ("overlay", "merged", "overlay", 0, "lowerdir=l,workdir=w,upperdir=u,context=\"system_u:object_r:container_file_t:s0\"");
  return 0;
}

$ mkdir l w u merged
$ gcc -o test test.c
$ unshare -rm strace -f -e mount /tmp/cc
mount("overlay", "merged", "overlay", 0, "lowerdir=l,workdir=w,upperdir=u,"...) = -1 EACCES (Permission denied)
+++ exited with 0 +++


5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:

yes

6. Are you running any modules that not shipped with directly Fedora's kernel?:

no

7. Please attach the kernel logs. You can get the complete kernel log
   for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the
   issue occurred on a previous boot, use the journalctl ``-b`` flag.
Comment 1 Daniel Walsh 2021-03-26 18:26:05 UTC 
We would really like to get this into peoples hands so we could test it before we put it in RHEL8.5 in the fall.
Comment 2 Renaud Métrich 2021-06-02 06:07:26 UTC 
I think I'm hitting this as well.
I'm using a user namespace, I need the context= option to be supplied otherwise the overlay file system gets the context of my user, "unconfined_u:unconfined_r:unconfined_t" which prevents from executing binaries hosted on the overlay file system.

See reproducer below:

1. Create a minimal environment suitable to be chroot'ed into

(user)     $ sudo dnf install --installroot=$PWD/miniroot --releasever=/ bash
(user)     $ unshare -Urm
(fakeroot) # id -Z
           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

(fakeroot) # mkdir /tmp/foo


2. Mount the overlay without context= option: prevents from chroot'ing

  (fakeroot) # mount -t overlay overlay -o lowerdir=$PWD/miniroot:/mnt /tmp/foo
  
  (fakeroot) # ls -Z /tmp/foo/bin/bash
  unconfined_u:object_r:unconfined_t:s0 /tmp/foo/bin/bash

  (fakeroot) # chroot /tmp/foo
  chroot: failed to run command ‘/bin/bash’: Permission denied

3. Move to Permissive and retry to collect all the AVCs

  (root) # setenforce 0

  (fakeroot) # chroot /tmp/foo
  (chroot)   bash-5.1# exit
  
  (root) # ausearch -m avc -ts recent

  ----
  time->Wed Jun  2 07:55:40 2021
  type=AVC msg=audit(1622613340.469:1549): avc:  denied  { execute } for  pid=14674 comm="chroot" name="bash" dev="overlay" ino=793408 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=1
  ----
  time->Wed Jun  2 07:55:40 2021
  type=AVC msg=audit(1622613340.469:1550): avc:  denied  { execute_no_trans } for  pid=14674 comm="chroot" path="/usr/bin/bash" dev="overlay" ino=793408 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=1
  ----
  time->Wed Jun  2 07:55:40 2021
  type=AVC msg=audit(1622613340.469:1551): avc:  denied  { map } for  pid=14674 comm="bash" path="/usr/bin/bash" dev="overlay" ino=793408 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=1

  (fakeroot) # umount /tmp/foo

4. Mount the overlay with context= option: doesn't work

  (fakeroot) # mount -t overlay overlay -o lowerdir=$PWD/miniroot:/mnt,context=system_u:object_r:tmp_t:s0 /tmp/foo
             mount: /tmp/foo: cannot mount overlay read-only.

  Strace shows:

    15115 08:02:59.951282 mount("overlay", "/tmp/foo", "overlay", MS_RDONLY, "lowerdir=/home/rmetrich/miniroot:/mnt,context=\"system_u:object_r:tmp_t:s0\"") = -1 EACCES (Permission denied) <0.000100>

  dmesg shows:

    SELinux: security_context_str_to_sid() failed for (dev overlay, type overlay) errno=-22
Comment 3 Justin M. Forbes 2021-06-02 12:37:58 UTC 
Now that the patch is accepted upstream, I have cherry-picked it back to the 5.12 branch for Fedora, this should appear in 5.12.9 and newer kernels.
Comment 4 Renaud Métrich 2021-06-02 12:50:59 UTC 
Hi Justin,

Do you know if that will also fix the issue that arises when not using "context=" option: overlay mount shows labels of the process ("unconfined_X") which is non-sense for files.
See my comment " 2. Mount the overlay without context= option: prevents from chroot'ing "

Renaud.
Comment 5 Fedora Update System 2021-06-03 21:31:29 UTC 
FEDORA-2021-c2b2f23a6f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c2b2f23a6f
Comment 6 Fedora Update System 2021-06-03 21:31:31 UTC 
FEDORA-2021-21f80017d0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-21f80017d0
Comment 7 Fedora Update System 2021-06-04 01:19:25 UTC 
FEDORA-2021-c2b2f23a6f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c2b2f23a6f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c2b2f23a6f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2021-06-04 01:48:06 UTC 
FEDORA-2021-21f80017d0 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-21f80017d0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-21f80017d0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2021-06-08 01:07:07 UTC 
FEDORA-2021-21f80017d0 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 10 Fedora Update System 2021-06-08 01:07:35 UTC 
FEDORA-2021-c2b2f23a6f has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 11 Renaud Métrich 2021-06-08 06:48:04 UTC 
5.12.9-300.fc34.x86_64 works just fine for me: contexts appear properly.
Comment 12 Red Hat Bugzilla 2023-09-15 01:04:11 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Note You need to log in before you can comment on or make changes to this bug.