Bug 1488406
| Field | Value |
|---|---|
| Summary | IPA container throws AVC when running docker exec |
| Product | [Fedora] Fedora |
| Component | container-selinux |
| Version | 26 |
| Status | CLOSED ERRATA |
| Reporter | Tibor Dudlák <tdudlak> |
| Assignee | Lokesh Mandvekar <lsm5> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| CC | amurdaca, dwalsh, fkluknav, jchaloup, jlebon, jpazdziora, lsm5, lvrabec, mgrepl, plautrba, pmoore, slaznick, tdudlak |
| Target Milestone | --- |
| Target Release | --- |
| Flags | tdudlak: needinfo- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | container-selinux-2.36-1.fc27 container-selinux-2.36-1.fc26 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2017-12-10 05:07:13 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description (Tibor Dudlák, 2017-09-05 10:13:22 UTC)
I see some strange AVCs.

The keyring ones can not be fixed. It looks like the container_runtime (docker/cri-o) is using a kernel keyring that is leaking into the container and then the container is trying to write to it. Kernel keyrings are not namespaced, so this is the equivalent of a container process attacking the keyring of the container runtime.

type=AVC msg=audit(1504533437.320:543): avc: denied { write } for pid=20150 comm="keyctl" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_runtime_t:s0 tclass=key permissive=1

These three AVCs:

time->Mon Sep 4 09:52:57 2017
type=AVC msg=audit(1504533177.717:372): avc: denied { write } for pid=12313 comm="ipa-server-conf" name="fd" dev="proc" ino=65570 scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
----
time->Mon Sep 4 09:52:57 2017
type=AVC msg=audit(1504533177.717:373): avc: denied { add_name } for pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
----
time->Mon Sep 4 09:52:57 2017
type=AVC msg=audit(1504533177.717:374): avc: denied { associate } for pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:object_r:container_t:s0:c4,c7 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----

Looks like ipa-server-conf is attempting to add content to directories under the /proc file system? What is it doing? I did not think it was possible to add content to these directories.

Tibor, could you try to set default_ccache_name in /etc/krb5.conf to FILE:/tmp/krb5cc_%{uid} at build time, to avoid using the kernel keyring from the container?

Actually, we seem to do that at runtime in ipa-server-configure-first with

sed -i 's/default_ccache_name/# default_ccache_name/' /data/etc/krb5.conf

It might be worth investigating what setting is actually observed and why the keyring is used.

In any case, I believe the AVC denials have nothing to do with docker exec. This seems to be run with permissive=1. It might be worth trying it in Enforcing, to make the ipa-server-configure-first fail and point out exactly what it is doing and where.

Created attachment 1322669 [details]
AVC log enforcing

Thanks Jan, I filed the bug and thought it might be docker exec related, so I tried the same without it and the AVCs are still there. Yes, the AVC log is from a permissive run, but I have run it in enforcing as well, see: AVC log enforcing

(In reply to Tibor Dudlák from comment #8)
> I filed the bug and thought it might be docker exec related, so I tried
> the same without it and the AVCs are still there.

Given it likely is not, could you update the bugzilla summary to avoid confusion?

I've hit this issue again today, which reminds me that we might need some in-depth investigation of when / why it's happening, in spite of that default_ccache_name being commented out (and thus using the default value) in krb5.conf. The last time we've seen something like this it was systemd meddling with the kernel keyring during pki-tomcat startup. Not sure if this info helps, but I think it might be worth looking into.

So is that the same issue that was resolved by not using unconfined seccomp?

It's just a suspicion I am proposing for Tibor to investigate, I don't know much about what's happening in the OC test suite.

container-selinux-2.36-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

container-selinux-2.36-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-acc79c0e3e

container-selinux-2.36-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-acc79c0e3e

container-selinux-2.36-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

container-selinux-2.36-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

container-selinux-2.36-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
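As an added example (not code from this bug, from container-selinux or from FreeIPA), a small Python triage script that parses AVC lines like the ones quoted above, flags the cross-domain keyring write the thread says cannot be fixed by policy (container_t writing a key owned by container_runtime_t, since kernel keyrings are not namespaced), separates it from the /proc writes by ipa-server-conf, and reports whether each denial was actually enforced, the permissive=1 point raised in the discussion. The sample records are constructed from the lines in this report.

```python
import re

# Sample audit records, constructed from the AVC lines quoted in this bug
# (real audit.log uses double spaces around "denied"; the regex tolerates both).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1504533437.320:543): avc: denied { write } for pid=20150 comm="keyctl" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_runtime_t:s0 tclass=key permissive=1
type=AVC msg=audit(1504533177.717:372): avc: denied { write } for pid=12313 comm="ipa-server-conf" name="fd" dev="proc" ino=65570 scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
type=AVC msg=audit(1504533177.717:374): avc: denied { associate } for pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:object_r:container_t:s0:c4,c7 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one AVC line into a dict of key=value fields plus a 'perms' list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def domain(ctx):
    """The SELinux type is the third field of user:role:type:level."""
    return ctx.split(":")[2]

def classify(rec):
    """Label the denial the way the thread reasons about it."""
    src, tgt = domain(rec["scontext"]), domain(rec["tcontext"])
    if rec.get("tclass") == "key" and src != tgt:
        # Kernel keyrings are not namespaced: a container domain touching a key
        # owned by the runtime domain is the leak described in the report.
        return "keyring-leak"
    if rec.get("dev") == "proc" or tgt == "proc_t":
        return "proc-write"
    return "other"

def triage(audit_text):
    """Parse every AVC line; report the finding and whether it was enforced."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append({"pid": rec["pid"], "comm": rec["comm"], "finding": classify(rec),
                    # permissive=1 means the access was logged but still allowed
                    "enforced": rec.get("permissive") != "1"})
    return out
```

Run `triage(open("/var/log/audit/audit.log").read())` on a host's own log to get the same labels for live records.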