Bug 2072908 - SELinux is preventing docker build with DOCKER_BUILDKIT=1
Summary: SELinux is preventing docker build with DOCKER_BUILDKIT=1
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: moby-engine
Version: 35
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Olivier Lemasle
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-04-07 09:19 UTC by Dan Čermák
Modified: 2022-07-05 11:17 UTC (History)

Last Closed: 2022-07-05 11:17:49 UTC
Type: Bug


Attachments
setroubleshoot output from journald (1.95 MB, text/plain)
2022-04-07 09:19 UTC, Dan Čermák
recent AVCs after running docker build (178.87 KB, text/plain)
2022-04-07 14:43 UTC, Dan Čermák

Description Dan Čermák 2022-04-07 09:19:10 UTC
Created attachment 1871251
setroubleshoot output from journald

Description of problem: I have tried to build a container with docker & buildkit, but the builds are consistently failing and flooding my system with SELinux alerts.


Version-Release number of selected component (if applicable):
- moby-engine-20.10.12-1.fc35.x86_64
- container-selinux-2.181.0-1.fc35.noarch

How reproducible:
always

Steps to Reproduce:
1. git clone https://github.com/distribution/distribution.git
2. DOCKER_BUILDKIT=1 docker build -t distribution .


Actual results:
```
✦ 🕙[ 10:53:06 ] ❯ DOCKER_BUILDKIT=1 docker build -t distribution .
[+] Building 14.3s (4/4) FINISHED                                                                                     
 => [internal] load build definition from Dockerfile                                                             0.0s
 => => transferring dockerfile: 1.76kB                                                                           0.0s
 => [internal] load .dockerignore                                                                                0.0s
 => => transferring context: 2B                                                                                  0.0s
 => resolve image config for docker.io/docker/dockerfile:1.3                                                     2.0s
 => docker-image://docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf  12.0s
 => => resolve docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1  0.0s
 => => sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2 2.00kB / 2.00kB                   0.0s
 => => sha256:93f32bd6dd9004897fed4703191f48924975081860667932a4df35ba567d7426 528B / 528B                       0.0s
 => => sha256:e532695ddd93ca7c85a816c67afdb352e91052fab7ac19a675088f80915779a7 1.21kB / 1.21kB                   0.0s
 => => sha256:24a639a53085eb680e1d11618ac62f3977a3926fedf5b8471ace519b8c778030 9.67MB / 9.67MB                  11.8s
 => => extracting sha256:24a639a53085eb680e1d11618ac62f3977a3926fedf5b8471ace519b8c778030                        0.2s
failed to solve with frontend dockerfile.v0: failed to solve with frontend gateway.v0: exit code: 1
```

Expected results:
The build should succeed.


Additional info:

Comment 1 Daniel Walsh 2022-04-07 09:39:41 UTC
I would use podman, but this feels like 1871337, except you are on f35.

I would try:
```
# dnf reinstall container-selinux
# restorecon -R -v /var/lib/docker
```

Comment 2 Dan Čermák 2022-04-07 10:56:10 UTC
(In reply to Daniel Walsh from comment #1)
> I would use podman, but this feels like 1871337, except you are on f35.

I would use podman as well, but buildah doesn't support the following dockerfile syntax:
```
RUN --mount=type=bind,target=/src,rw \
  --mount=type=cache,target=/root/.cache/go-build \
  --mount=target=/go/pkg/mod,type=cache \
```

> I would try 
> 
> # dnf reinstall container-selinux
> # restorecon -R -v /var/lib/docker

Sadly that didn't help.

Comment 3 Daniel Walsh 2022-04-07 12:52:16 UTC
Is there an issue with Buildah on the continuation support?

What are the actual AVCs you are seeing?
```
ausearch -m avc -ts recent
```

What is the docker command you are running?

Comment 4 Dan Čermák 2022-04-07 14:43:10 UTC
(In reply to Daniel Walsh from comment #3)
> Is there an issue with Buildah on the continuation support?

Buildah fails to build this Dockerfile:
```
[3/6] STEP 8/8: RUN --mount=type=bind,target=/src,rw   --mount=type=cache,target=/root/.cache/go-build   --mount=target=/go/pkg/mod,type=cache   goreleaser-xx --debug     --name="registry"     --dist="/out"     --main="./cmd/registry"     --flags="-v"     --ldflags="-s -w -X '$PKG/version.Version={{.Version}}' -X '$PKG/version.Revision={{.Commit}}' -X '$PKG/version.Package=$PKG'"     --tags="$BUILDTAGS"     --files="LICENSE"     --files="README.md"
error building at STEP "RUN --mount=type=bind,target=/src,rw --mount=type=cache,target=/root/.cache/go-build --mount=target=/go/pkg/mod,type=cache goreleaser-xx --debug     --name="registry"     --dist="/out"     --main="./cmd/registry"     --flags="-v"     --ldflags="-s -w -X '$PKG/version.Version={{.Version}}' -X '$PKG/version.Revision={{.Commit}}' -X '$PKG/version.Package=$PKG'"     --tags="$BUILDTAGS"     --files="LICENSE"     --files="README.md"": error resolving mountpoints for container "235b1522dea31599545abd41e3d0bf5575eb225dd098fc0d031de77dc533e666": invalid mount type "bind"
ERRO[0013] exit status 125
```


> What are the actual AVCs you are seeing
> 
> ausearch -m avc -ts recent

I have attached the output of that command.

> What is the docker command you are running?

```
DOCKER_BUILDKIT=1 docker build -t distribution .
```

in the checked-out repository https://github.com/distribution/distribution.git (see also the steps to reproduce in the initial report).

Comment 5 Dan Čermák 2022-04-07 14:43:50 UTC
Created attachment 1871324
recent AVCs after running docker build

Comment 6 Maxwell G 2022-07-04 02:22:22 UTC
Unfortunately, I am not familiar enough with SELinux to help with this. Daniel Walsh, can you please take another look?

Comment 7 Daniel Walsh 2022-07-05 11:17:49 UTC
```
# audit2allow -la

#============= spc_t ==============

#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow spc_t self:memprotect mmap_zero;
```


This means you can set the boolean to allow this, although this is considered a fairly dangerous access.

```
# setsebool -P mmap_low_allowed 1
```

The following is caused by a mislabeling:
```
type=AVC msg=audit(1649342391.756:11665): avc:  denied  { read execute } for  pid=1048748 comm="dockerfile-fron" path="/bin/dockerfile-frontend" dev="dm-0" ino=260 scontext=system_u:system_r:container_t:s0:c76,c401 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
```
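As an added example (not part of the bug report or of moby-engine), a small Python triage routine that parses `ausearch -m avc` records like the one above and applies the two diagnoses given in this comment: a `memprotect mmap_zero` denial maps to the `mmap_low_allowed` boolean, and a container process denied `read execute` on a file still labelled `container_var_lib_t` points at a mislabel to fix with `restorecon`. The `memprotect` record is constructed to match the `audit2allow` rule shown; the file record is the one quoted above.

```python
import re
from typing import Dict, List

# Sample AVC records. The first is CONSTRUCTED to match the audit2allow rule
# "allow spc_t self:memprotect mmap_zero"; the second is the denial quoted in comment 7.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1649342390.000:11660): avc:  denied  { mmap_zero } for  pid=1048700 '
    'comm="buildkitd" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 '
    'tclass=memprotect permissive=0',
    'type=AVC msg=audit(1649342391.756:11665): avc:  denied  { read execute } for  pid=1048748 '
    'comm="dockerfile-fron" path="/bin/dockerfile-frontend" dev="dm-0" ino=260 '
    'scontext=system_u:system_r:container_t:s0:c76,c401 '
    'tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0',
]

PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")      # the "{ read execute }" group
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')     # key=value or key="quoted value"


def parse_avc(line: str) -> Dict[str, object]:
    """Split one audit AVC record into its denied permissions and key=value fields."""
    fields: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    fields["perms"] = perms.group(1).split() if perms else []
    # An SELinux context is user:role:type[:range]; the type is what policy rules key on.
    fields["stype"] = str(fields.get("scontext", "::")).split(":")[2]
    fields["ttype"] = str(fields.get("tcontext", "::")).split(":")[2]
    return fields


def triage(avc: Dict[str, object]) -> str:
    """Classify a denial as boolean-tunable, a labeling problem, or unknown."""
    if avc["tclass"] == "memprotect" and "mmap_zero" in avc["perms"]:
        # Tunable via 'setsebool -P mmap_low_allowed 1'; comment 7 calls this dangerous access.
        return "boolean:mmap_low_allowed"
    if (avc["tclass"] == "file" and avc["ttype"] == "container_var_lib_t"
            and str(avc["stype"]).startswith("container_")):
        # Container domain hitting docker's private storage label: relabel rather than allow.
        return f"mislabel:{avc.get('path', '?')}"
    return "unknown"


def triage_all(lines: List[str]) -> List[str]:
    return [triage(parse_avc(line)) for line in lines]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_AVCS, triage_all(SAMPLE_AVCS)):
        print(verdict, "<-", rec[:60], "...")
```

A "mislabel" verdict is the case for `restorecon -R -v /var/lib/docker` from comment 1 rather than for a new allow rule.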

