Bug 2031022 - avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023
Summary: avc: denied { ioctl } for pid=510216 comm="iptables" path="/var/lib/contai...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: netavark
Version: 36
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact:
URL:
Whiteboard: CockpitTest
Depends On:
Blocks: 2089257 2106396
TreeView+ depends on / blocked
 
Reported: 2021-12-10 10:44 UTC by Bruno Goncalves
Modified: 2022-09-22 01:17 UTC (History)
21 users (show)

Fixed In Version: container-selinux-2.190.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2089257 (view as bug list)
Environment:
Last Closed: 2022-09-18 00:17:57 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Bruno Goncalves 2021-12-10 10:44:56 UTC
Description of problem:
During CKI podman test [1] we've hit the following issue:

avc:  denied  { ioctl } for  pid=510216 comm="iptables" path="/var/lib/containers/storage/overlay/7d65c03c0ff08daf6366d735723151aa1f2cf165d51be30f62bded9ed586b838/merged" dev="overlay" ino=42308193 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c878,c982 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-35.6-1.fc36.noarch

How reproducible:
It seems easily reproducible with podman test

Steps to Reproduce:
1. Run test [1]


Additional info:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-35.6-1.fc36.noarch

[1] https://gitlab.com/cki-project/kernel-tests/-/tree/main/container/podman

Comment 2 Zdenek Pytela 2021-12-10 11:37:43 UTC
Switching the component, there are already some rules in container-selinux:

f35# sesearch -A -s iptables_t -t container_file_t -c dir,file
allow application_domain_type logfile:file { append getattr ioctl lock };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iptables_t container_file_t:dir { getattr open search };
allow iptables_t container_file_t:file open;

Comment 3 Martin Pitt 2022-01-10 07:36:05 UTC
In Cockpit we started to see these as well now, in our Fedora CoreOS CI: for example, [1]

audit: type=1400 audit(1641799023.984:237): avc:  denied  { ioctl } for  pid=1161 comm="iptables" path="/var/lib/containers/storage/overlay/0fac9b410d57d0f8ae6fa8f042e8672ae70ddbeb4e25845223e35a3b2260c169/merged" dev="overlay" ino=17950249 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=dir permissive=0

Nothing in that test fiddles with iptables, that's somehow internal to podman. But lots of tests start a cockpit/ws container there, so this just feels random. E.g. here [2] and here[3] it hit two different, and completely unrelated tests. We haven't seen this before, and haven't refreshed our CoreOS image in a whole week. Was this some sort of a time bomb? (But I can't imagine SELinux rules being time dependent)

[1] https://logs.cockpit-project.org/logs/pull-16798-20220110-064948-be591291-fedora-coreos/log.html#232
[2] https://logs.cockpit-project.org/logs/pull-2784-20220110-024544-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#152
[3] https://logs.cockpit-project.org/logs/pull-2784-20220110-063907-7afed88e-fedora-coreos-cockpit-project-cockpit/log.html#241

Comment 4 Ben Cotton 2022-02-08 21:15:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.

Comment 5 Zdenek Pytela 2022-09-13 14:35:15 UTC
It seems it is /usr/libexec/podman/netavark which executes iptables which tries to ioctl /var/lib/containers/storage/overlay/HASH/merged on execve:

    PID    PPID COMMAND                     CONTEXT
    685     670 bash -l                     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 179294     685 podman run -p 9090:9090 -d  unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
 179304  179294 /usr/libexec/podman/netavar unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023

----
type=PROCTITLE msg=audit(09/13/2022 10:15:05.216:33510) : proctitle=iptables --version 
type=PATH msg=audit(09/13/2022 10:15:05.216:33510) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=137936 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/13/2022 10:15:05.216:33510) : item=0 name=/usr/sbin/iptables inode=158128 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/13/2022 10:15:05.216:33510) : cwd=/root
type=EXECVE msg=audit(09/13/2022 10:15:05.216:33510) : argc=2 a0=iptables a1=--version
type=SYSCALL msg=audit(09/13/2022 10:15:05.216:33510) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fdb735a4d90 a1=0x559443869c80 a2=0x7ffe25ccd7d8 a3=0x8 items=2 ppid=179304 pid=179305 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=iptables exe=/usr/sbin/xtables-nft-multi subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/13/2022 10:15:05.216:33510) : avc:  denied  { ioctl } for  pid=179305 comm=iptables path=/var/lib/containers/storage/overlay/bd4ddcdfce3c80350149a8f9d5f9caaf4442ec64ccd646addfb6983a86d8fdef/merged/etc dev="overlay" ino=263556 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c775,c1020 tclass=dir permissive=0
type=AVC msg=audit(09/13/2022 10:15:05.216:33510) : avc:  denied  { ioctl } for  pid=179305 comm=iptables path=/var/lib/containers/storage/overlay/bd4ddcdfce3c80350149a8f9d5f9caaf4442ec64ccd646addfb6983a86d8fdef/merged dev="overlay" ino=399476 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0:c775,c1020 tclass=dir permissive=0

Switching the component, please assess if there can be leaked file descriptors.

Comment 6 Daniel Walsh 2022-09-13 14:50:31 UTC
Fixed in container-selinux-2.190.0

Comment 7 Fedora Update System 2022-09-13 18:37:48 UTC
FEDORA-2022-32ab235aaa has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-32ab235aaa

Comment 8 Fedora Update System 2022-09-13 18:38:10 UTC
FEDORA-2022-e2afae8ac7 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e2afae8ac7

Comment 9 Fedora Update System 2022-09-14 01:52:50 UTC
FEDORA-2022-32ab235aaa has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-32ab235aaa`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-32ab235aaa

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-09-14 02:40:26 UTC
FEDORA-2022-e2afae8ac7 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-e2afae8ac7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-e2afae8ac7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-09-18 00:17:57 UTC
FEDORA-2022-32ab235aaa has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2022-09-22 01:17:07 UTC
FEDORA-2022-e2afae8ac7 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.