Bug 2025445 - AVC prevents ping -I from running in UBI 8 container
Summary: AVC prevents ping -I from running in UBI 8 container
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.6
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2027691 2029802
Reported: 2021-11-22 08:51 UTC by Chen
Modified: 2023-09-18 04:28 UTC
CC List: 17 users

Fixed In Version: selinux-policy-3.14.3-85.el8
Doc Type: Bug Fix
Doc Text:
Cause: The policy does not allow the container_t domain to node_bind to an icmp_socket. Consequence: The ping command executed from inside the container is not allowed to set the source address with the "-I" switch. Fix: The rule to allow the corenet_unconfined_type attribute to node_bind to icmp_socket was added to the policy. Result: "ping -I" works as expected.
Clone Of:
Clones: 2027691 2029802
Environment:
Last Closed: 2022-05-10 15:15:37 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Bugzilla 1848929 (private): last updated 2021-11-25 12:55:16 UTC
Red Hat Issue Tracker RHELPLAN-103534: last updated 2021-11-22 09:55:09 UTC
Red Hat Product Errata RHBA-2022:1995: last updated 2022-05-10 15:16:04 UTC

Description Chen 2021-11-22 08:51:13 UTC
Description of problem:

AVC prevents ping -I from running in UBI 8 container.

Version-Release number of selected component (if applicable):

OCP 4.8

How reproducible:

100%

Steps to Reproduce:
1. oc new-project test-ubi-ping

2. oc adm policy add-scc-to-user privileged -z default -n test-ubi-ping
3. Apply the following deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-test
  template:
    metadata:
      labels:
        app: demo-test
      annotations:
    spec:
      containers:
      - name: demotest
        image: quay.io/rhn_support_cchen/testcase:latest
        command: ["/bin/sh"]
        args: ["-c", "while true; do sleep 10000000;done"]
        securityContext:
          capabilities:
            add: ["NET_RAW", "NET_ADMIN"]

Actual results:

ping -I <source address> <target address> will fail with

bind: permission denied

Checking the audit.log in worker node:

type=AVC msg=audit(1637569623.551:1816): avc:  denied  { node_bind } for  pid=2923238 comm="ping" saddr=10.131.1.153 scontext=system_u:system_r:container_t:s0:c41,c603 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0

Expected results:


Additional info:

quay.io/rhn_support_cchen/testcase is built from ubi 8 image with iputils package installed.

$ cat Dockerfile
FROM registry.access.redhat.com/ubi8/ubi:8.2
RUN dnf install iputils -y 
CMD tail -f /dev/null

Comment 2 Jindrich Novy 2021-11-22 15:00:59 UTC
Which version of container-selinux are you using?

Comment 3 Chen 2021-11-22 15:04:41 UTC
Hi Jindrich,

On worker node I have:

# rpm -q container-selinux
container-selinux-2.167.0-1.module+el8.4.0+12646+b6fd1bdf.noarch

Best Regards,
Chen

Comment 10 Daniel Walsh 2021-11-22 21:09:26 UTC
Looks to me like the update failed or you are using the old policy.

Can you execute semodule -B to recompile the policy and see if the container-selinux package was updated.

Comment 11 Chen 2021-11-23 01:35:36 UTC
Hi Daniel, Jindrich,

I ran semodule -B but still get the same result. So in theory the 2.171 container-selinux should contain the fix, am I correct?

On worker node:

sh-4.4# rpm -qa | grep container
containernetworking-plugins-0.9.1-1.module+el8.4.0+11822+6cc1e7d7.x86_64
containers-common-1.3.1-5.module+el8.4.0+11990+22932769.x86_64
container-selinux-2.171.0-1.module+el8.5.0+13418+bc0307a5.noarch
sh-4.4# > /var/log/audit/audit.log
sh-4.4# semodule -B

In POD:

sh-4.4# ping -I 10.128.2.24 8.8.8.8
bind: Permission denied

On worker node:

sh-4.4# grep ping /var/log/audit/audit.log
type=AVC msg=audit(1637631198.704:101): avc:  denied  { node_bind } for  pid=3181018 comm="ping" saddr=10.128.2.24 scontext=system_u:system_r:container_t:s0:c13,c407 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
type=SYSCALL msg=audit(1637631198.704:101): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=55d421d45070 a2=10 a3=7f44cb1d4280 items=0 ppid=3118334 pid=3181018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:container_t:s0:c13,c407 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

Comment 12 Daniel Walsh 2021-11-23 12:41:28 UTC
Jindrich either that container-selinux does not have the fix, or something in the coreos update is failing.

Can you just back port the latest container-selinux?

It should not cause any problems.

Comment 13 Jindrich Novy 2021-11-23 13:02:12 UTC
RHAOS-4.6 and on will have at least container-selinux-2.170.0 in next releases which is reasonably recent (and 2.172.0 in 4.10). But without proper RCA we don't really know if it fixes the problem Chen is seeing or not.

Comment 17 Jindrich Novy 2021-11-25 07:47:07 UTC
Chen, Prashanth, it might well be a duplicate of the bug you mentioned in comment #16. Reassigning to selinux-policy (where the fix actually landed) to confirm.

Comment 19 Chen 2021-11-25 08:03:49 UTC
Hi Jindrich,

May I know whether the following workaround can be applied to CoreOS worker node ?

sh-4.4# cat /var/log/audit/audit.log | audit2allow

#============= container_t ==============
allow container_t node_t:icmp_socket node_bind;
sh-4.4# cd /tmp/
sh-4.4# cat /var/log/audit/audit.log | audit2allow -M ping_rule
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ping_rule.pp

sh-4.4# semodule -i ping_rule.pp

Also after applying the ping_rule.pp on CoreOS worker node I can confirm the ping -I <source address> could work inside the POD.

Thank you so much!

Best Regards,
Chen
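
The AVC/SYSCALL pair in comment 11 and the audit2allow workaround in comment 19, as an added example that is not part of this bug report and not Red Hat's or audit2allow's own code: a small Python parser that groups audit records by their serial number, pairs the node_bind denial with the failing bind() syscall and its errno, collapses denials into (source type, target type, class) allow rules, and renders them as a policy module source in the shape audit2allow -M writes. The audit lines are constructed from the ones quoted above plus one made-up chr_file denial (to show grouping); the syscall table covers only a few x86_64 socket calls and assumes arch=c000003e.

```python
"""Parse SELinux AVC denials from audit.log, pair them with their SYSCALL
record, and render the resulting allow rules as a policy module source (.te).

Added example for bug 2025445; not code from Red Hat, audit2allow or setools.
"""
import errno
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pair quoted in comment 11 (audit
# enrichment fields dropped) plus one made-up chr_file denial. Not a real capture.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1637631198.704:101): avc:  denied  { node_bind } for  pid=3181018 comm="ping" saddr=10.128.2.24 scontext=system_u:system_r:container_t:s0:c13,c407 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
type=SYSCALL msg=audit(1637631198.704:101): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=55d421d45070 a2=10 a3=7f44cb1d4280 items=0 ppid=3118334 pid=3181018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ping" exe="/usr/bin/ping" subj=system_u:system_r:container_t:s0:c13,c407 key=(null)
type=AVC msg=audit(1637631200.100:102): avc:  denied  { read write } for  pid=4242 comm="ping" path="/dev/foo" dev="devtmpfs" ino=5 scontext=system_u:system_r:container_t:s0:c13,c407 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"^avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Partial x86_64 syscall table (assumption: arch=c000003e); enough for ping's socket calls.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 44: "sendto", 45: "recvfrom", 49: "bind"}


def parse_kv(text):
    """Turn 'pid=1 comm="ping" key=(null)' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Parse one audit.log line into a dict, or None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": m["serial"], "ts": m["ts"]}
    if rec["type"] == "AVC":
        a = AVC_RE.match(m["body"])
        if not a:
            return None
        rec["verdict"] = a["verdict"]
        rec["perms"] = set(a["perms"].split())
        rec.update(parse_kv(a["fields"]))
    else:
        rec.update(parse_kv(m["body"]))
    return rec


def parse_audit_log(text):
    """Group records by audit serial so an AVC can be paired with its SYSCALL."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "AVC":
            events[rec["serial"]]["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            events[rec["serial"]]["syscall"] = rec
    return dict(events)


def selinux_type(context):
    """'system_u:system_r:container_t:s0:c13,c407' -> 'container_t'."""
    return context.split(":")[2]


def describe_syscall(rec):
    """'bind() failed with EACCES' from a SYSCALL record's syscall= and exit= fields."""
    name = X86_64_SYSCALLS.get(int(rec["syscall"]), f"syscall {rec['syscall']}")
    code = int(rec["exit"])
    if code >= 0:
        return f"{name}() returned {code}"
    return f"{name}() failed with {errno.errorcode.get(-code, str(code))}"


def allow_rules(events):
    """Collapse denials into (source, target, class) -> permissions, as audit2allow does."""
    rules = defaultdict(set)
    for ev in events.values():
        for avc in ev["avc"]:
            if avc["verdict"] != "denied":
                continue
            key = (selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]), avc["tclass"])
            rules[key] |= avc["perms"]
    return dict(rules)


def _perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module_name, version="1.0"):
    """Render a .te module source in the shape 'audit2allow -M <name>' produces."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {cls} {_perms(perms)};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""]
    last_src = None
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src != last_src:  # one header per source domain, like audit2allow
            lines.append(f"#============= {src} ==============")
            last_src = src
        lines.append(f"allow {src} {tgt}:{cls} {_perms(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for serial, ev in sorted(events.items()):
        for avc in ev["avc"]:
            print(serial, avc["comm"], avc["tclass"], sorted(avc["perms"]))
        if ev["syscall"]:
            print(serial, describe_syscall(ev["syscall"]))
    print(render_te(allow_rules(events), "ping_rule"))
```

On a real node the rendered source is compiled and loaded with checkmodule -M -m -o ping_rule.mod ping_rule.te, semodule_package -o ping_rule.pp -m ping_rule.mod and semodule -i ping_rule.pp, which is what audit2allow -M does in one step. The caveat is that a rule generated this way grants exactly what was denied, with nobody judging whether the access is reasonable; here it is narrow (node_bind on the generic node for ICMP sockets only), and because container_t carries the corenet_unconfined_type attribute, the errata policy grants the same access through that attribute. Once selinux-policy-3.14.3-85.el8 is installed, sesearch -A -s container_t -t node_t -c icmp_socket -p node_bind should show the allow, and the local module can be dropped with semodule -r ping_rule.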

Comment 20 Yuval Kashtan 2021-11-25 08:53:32 UTC
FYI
-I is for interface
```
# ping --help
ping: invalid option -- '-'
Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
            [-w deadline] [-W timeout] [hop1 ...] destination
Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
             [-l preload] [-m mark] [-M pmtudisc_option]
             [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
             [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
             [-W timeout] destination

```

and that pod definition only has one NIC (the primary)..

Comment 21 Chen 2021-11-25 09:02:13 UTC
Hi Yuval,

Thank you for your input.

The POD is just a sample; in the customer's scenario the POD will use source-based routing, so ping -I <source address> is required.

Best Regards,
Chen

Comment 22 Jindrich Novy 2021-11-25 11:02:30 UTC
SGTM Chen. Leaving this to Dan/Zdenek to double-confirm.

Comment 23 Zdenek Pytela 2021-11-25 12:55:17 UTC
Backporting the last of these 3 commits will resolve the reported issue, as container_t is corenet_unconfined_type.

commit 1aa9e5609375815103d2445df1746cb90a02b55a
Author: Patrik Koncity <pkoncity>
Date:   Tue Aug 11 14:19:29 2020 +0200

    Allow traceroute_t and ping_t to bind generic nodes.

    Use the newly created macro corenet_icmp_bind_generic_node() for ping_t and traceroute_t.
    This macro allows binding to generic nodes in the node_t domain.

commit 65c1a66265908f3d5a39fa201d6b6f9f2a2981a4
Author: Patrik Koncity <pkoncity>
Date:   Tue Aug 11 13:51:55 2020 +0200

    Create macro corenet_icmp_bind_generic_node()

    This macro allows binding ICMP sockets to generic nodes in the node_t domain.

commit e4f9c9f4f4c5af851410fde006f6589c0bf7f863
Author: Patrik Koncity <pkoncity>
Date:   Wed Aug 5 17:26:20 2020 +0200

    Allow unconfined_t to node_bind icmp_sockets in node_t domain

    When an unconfined user runs ping or traceroute, the process gets the label unconfined_t.
    Allow ping or traceroute, running as unconfined_t, to node_bind icmp_sockets in the node_t domain.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1848929#c0

Comment 53 errata-xmlrpc 2022-05-10 15:15:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

Comment 54 Red Hat Bugzilla 2023-09-18 04:28:19 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

