
Bug 1423502

Summary: Update of oci-systemd-hook leads to AVC denied messages
Product: Red Hat Enterprise Linux 7
Reporter: Robert Scheck <redhat-bugzilla>
Component: oci-systemd-hook
Assignee: David Darrah/Red Hat QE <ddarrah>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Jenner <mjenner>
Severity: medium
Priority: medium
Version: 7.3
CC: ajia, dornelas, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, robert.scheck, srandhaw, ssekidde
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: oci-systemd-hook-0.1.6-1.gitfe22236.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2017-11-22 15:24:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1419040
Bug Blocks: 1186913, 1420851

Description Robert Scheck 2017-02-17 13:17:28 UTC
Description of problem:
Aside from the issues caused by the update of oci-systemd-hook mentioned
at https://bugzilla.redhat.com/show_bug.cgi?id=1419040, the same update also
leads to new SELinux AVC denied messages, such as:

type=SYSCALL msg=audit(1487262984.032:1147): arch=c000003e syscall=56 success=yes exit=12238 a0=6c028011 a1=7ffee0566900 a2=7ffee0567a30 a3=0 items=0 ppid=12229 pid=12237 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/libexec/docker/docker-runc-current" subj=system_u:system_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1487262984.262:1148): avc:  denied  { remount } for  pid=12279 comm="(e-db-dir)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262984.262:1148): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff1252ec0c0 a2=0 a3=1026 items=0 ppid=12238 pid=12279 auid=4294967295 uid=0 gid=27 euid=0 suid=0 fsuid=0 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="(e-db-dir)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262984.307:1149): avc:  denied  { remount } for  pid=12311 comm="(qld_safe)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262984.307:1149): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff12532a160 a2=0 a3=1026 items=0 ppid=12238 pid=12311 auid=4294967295 uid=0 gid=27 euid=0 suid=0 fsuid=0 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="(qld_safe)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262984.307:1150): avc:  denied  { remount } for  pid=12312 comm="(it-ready)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262984.307:1150): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff12532a2c0 a2=0 a3=1026 items=0 ppid=12238 pid=12312 auid=4294967295 uid=0 gid=27 euid=0 suid=0 fsuid=0 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="(it-ready)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262986.357:1151): avc:  denied  { remount } for  pid=12530 comm="(extcloud)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262986.357:1151): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff12532a2b0 a2=0 a3=1026 items=0 ppid=12238 pid=12530 auid=4294967295 uid=0 gid=27 euid=0 suid=0 fsuid=0 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="(extcloud)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262986.382:1152): avc:  denied  { remount } for  pid=12538 comm="(extcloud)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262986.382:1152): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff125328bb0 a2=0 a3=1026 items=0 ppid=12238 pid=12538 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(extcloud)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262986.409:1153): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=169409 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262986.409:1153): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ed60 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=VIRT_CONTROL msg=audit(1487262986.596:1154): pid=7210 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='auid=0 exe=? hostname=? reason=api op=exec vm=? vm-pid=? user=root  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1487262986.597:1155): pid=7210 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='user=root auid=0 exe=? hostname=? reason=api op=start vm=? vm-pid=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1487262986.597:1156): pid=7210 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm-pid=? user=root auid=0 exe=? hostname=? reason=api op=resize vm=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1487262986.665:1157): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=167357 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262986.665:1157): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ecc0 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262986.862:1158): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=167397 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262986.862:1158): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ecc0 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262987.062:1159): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=167424 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262987.062:1159): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ecc0 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262987.257:1160): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=167447 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1487262987.257:1160): arch=c000003e syscall=165 success=no exit=-13 a0=7f7f651fab98 a1=7f7f65e3ecc0 a2=7f7f651fab98 a3=6 items=0 ppid=12238 pid=12543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)
type=AVC msg=audit(1487262987.450:1161): avc:  denied  { remount } for  pid=12674 comm="(httpd)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262987.450:1161): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7ff125332260 a2=0 a3=1026 items=0 ppid=12238 pid=12674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(httpd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.13.noarch
selinux-policy-targeted-3.13.1-102.el7_3.13.noarch
container-selinux-1.12.5-14.el7.x86_64
oci-systemd-hook-0.1.4-9.git671c428.el7.x86_64

How reproducible:
See bug #1419040 comment 0, or the reproducer in the initial description on
GitHub at https://github.com/projectatomic/oci-systemd-hook/issues/46

Actual results:
allow svirt_lxc_net_t tmpfs_t:filesystem { mount remount unmount };
allow svirt_lxc_net_t svirt_sandbox_file_t:filesystem { remount };

Expected results:
No AVC denied messages.
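
As an added triage example (not part of the bug report or of oci-systemd-hook), the Python below collapses AVC records like the ones quoted above into audit2allow-style lines of the form shown under "Actual results", and separately lists which process inside the container issued each denied mount call; the sample records are constructed from the ones in the report, and the parser also handles multi-permission denials such as `{ read write }`.

```python
"""Triage SELinux AVC denials from audit records (added example, not from the report)."""
import re
from collections import defaultdict
# Constructed sample modelled on the records quoted in the report; the SYSCALL
# record is abbreviated and carries no denial of its own.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1487262984.262:1148): avc:  denied  { remount } for  pid=12279 comm="(e-db-dir)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
type=SYSCALL msg=audit(1487262984.262:1148): arch=c000003e syscall=165 success=no exit=-13 comm="(e-db-dir)" exe="/usr/lib/systemd/systemd"
type=AVC msg=audit(1487262986.409:1153): avc:  denied  { mount } for  pid=12543 comm="systemd-logind" name="/" dev="tmpfs" ino=169409 scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1487262987.450:1161): avc:  denied  { remount } for  pid=12674 comm="(httpd)" scontext=system_u:system_r:svirt_lxc_net_t:s0:c330,c944 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c330,c944 tclass=filesystem
"""

# scontext / tcontext / tclass appear in this order in kernel AVC records.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Type field of a user:role:type[:level] context, e.g. svirt_lxc_net_t."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission, comm) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL / VIRT_CONTROL records are skipped
        comm_m = re.search(r'comm="([^"]*)"', line)
        comm = comm_m.group(1) if comm_m else "?"
        for perm in m.group("perms").split():  # also handles "{ read write }"
            yield (selinux_type(m.group("scontext")), selinux_type(m.group("tcontext")),
                   m.group("tclass"), perm, comm)

def summarise(text):
    """Collapse denials into audit2allow-style allow lines (for triage, not for loading)."""
    rules = defaultdict(set)
    for src, tgt, cls, perm, _ in parse_denials(text):
        rules[(src, tgt, cls)].add(perm)
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]

def denials_by_comm(text):
    """Map each denied process name to the 'permission target_type' pairs it hit."""
    by_comm = defaultdict(set)
    for _, tgt, _, perm, comm in parse_denials(text):
        by_comm[comm].add(f"{perm} {tgt}")
    return {comm: sorted(v) for comm, v in by_comm.items()}

if __name__ == "__main__":
    print("\n".join(summarise(SAMPLE_AUDIT)))
    print(denials_by_comm(SAMPLE_AUDIT))
```

The per-process view is what separates a policy gap from a misbehaving workload: here every denied caller is systemd or one of its units, not the hook.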

Comment 1 Robert Scheck 2017-02-17 13:21:17 UTC
Cross-filed case 01794554 on the Red Hat customer portal.

Comment 3 Daniel Walsh 2017-02-20 16:07:50 UTC
These are systemd doing things that we are attempting to get oci-systemd-hook to do for it. Basically we are not going to allow file systems to be mounted within the container.

Comment 4 Robert Scheck 2017-02-20 16:46:37 UTC
Not sure if I get you, Daniel. These mounting attempts should be either
allow'ed or dontaudit'ed. They result from updated oci-systemd-hook. In
the end, https://github.com/projectatomic/oci-systemd-hook/pull/42 is
the cause.

Comment 5 Daniel Walsh 2017-02-20 19:10:40 UTC
oci-systemd-hook should not be running as container_t (svirt_lxc_net_t). These AVCs are caused by systemd inside of the container attempting to mount file systems, which we want to prevent. So we don't want SELinux to allow or cover this up. We want to fix oci-systemd-hook to set up the environment in such a way that systemd will not attempt to mount.

Comment 6 Daniel Walsh 2017-03-12 12:17:23 UTC
Tom, could you check to see if this is fixed with the latest oci-systemd-hook?

Comment 7 Tom Sweeney 2017-03-25 20:37:12 UTC
(In reply to Daniel Walsh from comment #6)
> Tom, could you check to see if this is fixed with the latest oci-systemd-hook?

Seems to be fixed in oci-systemd-hook-0.1.6-1.gitfe22236.el7.  Test results follow.  Dan, I'll touch base with you Monday to close.

[root@rhel73bz ~]# cat > Dockerfile.mariadb << EOF
> FROM centos:latest
> STOPSIGNAL SIGRTMIN+3
>  
> RUN yum -y install mariadb-server && yum clean all
>  
> RUN systemctl enable mariadb
>  
> VOLUME /var/lib/mysql
>  
> CMD ["/sbin/init"]
> EOF
[root@rhel73bz ~]# 
[root@rhel73bz ~]# docker volume create --name localtest-mdb
localtest-mdb
[root@rhel73bz ~]# docker build -f Dockerfile.mariadb -t localtest-mdb .
Sending build context to Docker daemon 14.85 kB
Step 1 : FROM centos:latest
 ---> 98d35105a391
Step 2 : STOPSIGNAL SIGRTMIN+3
 ---> Using cache
 ---> d21037da37ed
Step 3 : RUN yum -y install mariadb-server && yum clean all
 ---> Using cache
 ---> 4440f237aa2b
Step 4 : RUN systemctl enable mariadb
 ---> Using cache
 ---> 007cbeb7dcff
Step 5 : VOLUME /var/lib/mysql
 ---> Using cache
 ---> dc7109037dbf
Step 6 : CMD /sbin/init
 ---> Using cache
 ---> 53e981575dd6
Successfully built 53e981575dd6
[root@rhel73bz ~]# docker run -dt -v localtest-mdb:/var/lib/mysql --name localtest-mdb localtest-mdb
8f5f9735e44d3b517c009d7ee7e6a234ea701da21b70b1308756df38cdbfb53e
[root@rhel73bz ~]# docker exec -t localtest-mdb /bin/bash -c 'for i in {1..30}; do if systemctl is-active mariadb ; then break  ; else sleep 1 ; fi done;'
inactive
inactive
activating
activating
activating
activating
active
[root@rhel73bz ~]# docker exec -t localtest-mdb mysql -e "GRANT ALL PRIVILEGES ON *.* TO 'testuser'@'%' IDENTIFIED BY 'testpassword' WITH GRANT OPTION;"
[root@rhel73bz ~]# docker stop localtest-mdb
localtest-mdb
[root@rhel73bz ~]# docker rm localtest-mdb
localtest-mdb
[root@rhel73bz ~]# uname -a
Linux rhel73bz.localdomain 3.10.0-625.el7.x86_64 #1 SMP Thu Mar 23 11:04:30 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@rhel73bz ~]# cat /proc/version
Linux version 3.10.0-625.el7.x86_64 (mockbuild.eng.bos.redhat.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Thu Mar 23 11:04:30 EDT 2017
[root@rhel73bz ~]# rpm -qa | grep oci-systemd-hook
oci-systemd-hook-0.1.6-1.gitfe22236.el7.x86_64

Comment 8 Tom Sweeney 2017-03-27 13:41:29 UTC
I've tested with the latest patch (see previous comment) and the problem has been resolved.  I've changed the status to ON_QA pending any approval they may need to do.

Comment 9 David Darrah/Red Hat QE 2017-03-28 20:47:10 UTC
Verified on RHEL with latest build as above.