
Bug 1488406

Summary: IPA container throws AVC when running docker exec
Product: [Fedora] Fedora
Reporter: Tibor Dudlák <tdudlak>
Component: container-selinux
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 26
CC: amurdaca, dwalsh, fkluknav, jchaloup, jlebon, jpazdziora, lsm5, lvrabec, mgrepl, plautrba, pmoore, slaznick, tdudlak
Target Milestone: ---
Target Release: ---
Flags: tdudlak: needinfo-
Hardware: Unspecified
OS: Unspecified
Fixed In Version: container-selinux-2.36-1.fc27 container-selinux-2.36-1.fc26
Last Closed: 2017-12-10 05:07:13 UTC
Type: Bug

Attachments:
- AVC log (attachment 1322149)
- AVC log enforcing (attachment 1322669)

Description Tibor Dudlák 2017-09-05 10:13:22 UTC
Created attachment 1322149 [details]
AVC log

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-260.6.fc26.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install docker and atomic-openshift-clients
2. Add insecure registry '--insecure-registry 172.30.0.0/16' to docker config
3. run:
```
# setsebool -P container_manage_cgroup on
# systemctl enable docker --now
# mkdir -p /var/lib/origin-data
# export ORIGIN_VERSION=v1.5.1
# oc cluster up --host-data-dir /var/lib/origin-data --use-existing-config --public-hostname=$(hostname) --version=$ORIGIN_VERSION 
# oc new-project innovation-2017
```
4. Clone: https://github.com/freeipa/freeipa-container.git
5. Run:
```
# oc create -f freeipa-container/freeipa-server-openshift-image.json

# docker pull freeipa/freeipa-server:fedora-25

# oc new-app --name freeipa-y -f freeipa-container/freeipa-server-openshift.json -p IPA_SERVER_SERVICE=freeipa-1 -p IPA_SERVER_IMAGE=freeipa-server:fedora-25 -p IPA_SERVER_HOSTNAME=ipa.example.test -p IPA_SERVER_IP=172.30.13.13 -p IPA_ADMIN_PASSWORD=Secret123 -p TIMEOUT=1200
```
6. Wait for pod and services in container to initialize.

7. Run: 
```
# docker exec `docker ps | grep freeipa-server | cut -d " " -f1` systemctl status
```


Actual results:
Throws AVC


Expected results:
No AVC

Additional info: in attachment

Comment 2 Daniel Walsh 2017-09-05 10:42:23 UTC
I see some strange AVCs.

The keyring ones cannot be fixed. It looks like the container_runtime (docker/cri-o) is using a kernel keyring that is leaking into the container, and then the container is trying to write to it. Kernel keyrings are not namespaced, so this is the equivalent of a container process attacking the keyring of the container runtime.

type=AVC msg=audit(1504533437.320:543): avc:  denied  { write } for  pid=20150 comm="keyctl" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_runtime_t:s0 tclass=key permissive=1


These three AVCs

time->Mon Sep  4 09:52:57 2017
type=AVC msg=audit(1504533177.717:372): avc:  denied  { write } for  pid=12313 comm="ipa-server-conf" name="fd" dev="proc" ino=65570 scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
----
time->Mon Sep  4 09:52:57 2017
type=AVC msg=audit(1504533177.717:373): avc:  denied  { add_name } for  pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
----
time->Mon Sep  4 09:52:57 2017
type=AVC msg=audit(1504533177.717:374): avc:  denied  { associate } for  pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:object_r:container_t:s0:c4,c7 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----

Looks like ipa-server-conf is attempting to add content to directories under the /proc file system? What is it doing? I did not think it was possible to add content to these directories.
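
The two kinds of denial discussed in the comment above can be told apart mechanically. The following is an added example, not code from this bug report or from container-selinux: it parses the key=value fields of audit `type=AVC` records, groups records that share a pid and audit timestamp (one syscall typically produces several checks, as with the three ipa-server-conf records), and labels each group as either a container_t process writing to a kernel key owned by container_runtime_t or an attempt to create entries under /proc. The sample records are the ones quoted in this comment, including the `time->` and `----` separator lines that ausearch prints around them.

```python
"""Parse and label SELinux AVC records like the ones quoted above.

Added example (not from this bug or from container-selinux). It extracts the
key=value fields of audit 'type=AVC' lines, groups records that share a pid
and audit timestamp (one syscall usually produces several checks), and labels
each group as a keyring leak (container_t writing a key owned by
container_runtime_t) or an attempt to create entries under /proc.
"""
import re

# Constructed sample: the records quoted in comment 2, including the
# 'time->' and '----' separator lines that ausearch prints around them.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1504533437.320:543): avc:  denied  { write } for  pid=20150 comm="keyctl" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_runtime_t:s0 tclass=key permissive=1',
    'time->Mon Sep  4 09:52:57 2017',
    'type=AVC msg=audit(1504533177.717:372): avc:  denied  { write } for  pid=12313 comm="ipa-server-conf" name="fd" dev="proc" ino=65570 scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1',
    '----',
    'time->Mon Sep  4 09:52:57 2017',
    'type=AVC msg=audit(1504533177.717:373): avc:  denied  { add_name } for  pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1',
    '----',
    'time->Mon Sep  4 09:52:57 2017',
    'type=AVC msg=audit(1504533177.717:374): avc:  denied  { associate } for  pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:object_r:container_t:s0:c4,c7 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1',
    '----',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
MSG_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def selinux_type(context):
    """Third field of user:role:type:level, e.g. container_t."""
    parts = context.split(':', 3)
    return parts[2] if len(parts) > 2 else ''


def parse_avc(line):
    """Return a dict of fields for one AVC line, or None for anything else."""
    perms = PERMS_RE.search(line)
    if 'type=AVC' not in line or not perms:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(line)}
    rec['perms'] = perms.group(1).split()
    m = MSG_RE.search(rec.get('msg', ''))
    rec['time'] = m.group(1) if m else None
    rec['serial'] = int(m.group(2)) if m else None
    rec['stype'] = selinux_type(rec.get('scontext', ''))
    rec['ttype'] = selinux_type(rec.get('tcontext', ''))
    return rec


def classify(rec):
    """Label one record; the categories follow the discussion in comment 2."""
    if rec.get('tclass') == 'key' and rec['stype'] == 'container_t' \
            and rec['ttype'] == 'container_runtime_t':
        # Kernel keyrings are not namespaced: the container is reaching
        # into a key that belongs to the runtime's own keyring.
        return 'keyring-leak'
    if rec.get('dev') == 'proc' or rec['ttype'] == 'proc_t':
        return 'proc-write'
    return 'other'


def summarize(lines):
    """Group AVC records by (pid, audit timestamp) and label each group."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            groups.setdefault((rec.get('pid'), rec['time']), []).append(rec)
    summary = []
    for (pid, when), recs in groups.items():
        labels = {classify(r) for r in recs}
        label = next(lab for lab in ('keyring-leak', 'proc-write', 'other')
                     if lab in labels)
        summary.append({
            'pid': pid,
            'time': when,
            'comm': recs[0].get('comm'),
            'label': label,
            'perms': sorted({p for r in recs for p in r['perms']}),
            # permissive=1 means the denial was only logged, not enforced
            'enforced': recs[0].get('permissive') == '0',
        })
    return summary


if __name__ == '__main__':
    for item in summarize(SAMPLE_AVCS):
        print(item)
```

Run against the full attachment (for example the output of `ausearch -m AVC`) it collapses the per-check noise into one line per offending syscall, and the `enforced` flag makes it obvious when a log comes from a permissive run, which is the point raised later in this thread.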

Comment 3 Jan Pazdziora 2017-09-06 10:53:35 UTC
Tibor, could you try to set default_ccache_name in /etc/krb5.conf to FILE:/tmp/krb5cc_%{uid} at build time, to avoid using the kernel keyring from the container?

Comment 4 Jan Pazdziora 2017-09-06 10:57:54 UTC
Actually, we seem to do that in runtime in ipa-server-configure-first with

sed -i 's/default_ccache_name/# default_ccache_name/' /data/etc/krb5.conf

It might be worth investigating what setting is actually observed and why keyring is used.
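
Which cache type is "actually observed" depends on three things in order: the KRB5CCNAME environment variable, an uncommented default_ccache_name in [libdefaults], and otherwise the build-time default compiled into libkrb5. The following is an added example, not code from freeipa-container or from krb5: it resolves the cache name that way for the three states discussed in comments 3 and 4 (set to KEYRING, commented out by the sed above, set to FILE) and reports whether the result still lives in a kernel keyring. The krb5.conf fragments are constructed, and COMPILED_DEFAULT is an assumption matching Fedora's krb5 build; adjust it if your build differs.

```python
"""Which credential cache will Kerberos in the container actually use?

Added example (not part of freeipa-container or krb5). It resolves the
cache name the way libkrb5 does (KRB5CCNAME environment variable, then
[libdefaults] in krb5.conf, then the build-time default) and reports
whether that is a kernel keyring, which is shared with the host and the
container runtime rather than confined to the container.
"""
import re

# Assumed build-time default for Fedora's krb5 package (an assumption;
# pass compiled_default=... if your build uses something else).
COMPILED_DEFAULT = 'KEYRING:persistent:%{uid}'

SECTION_RE = re.compile(r'^\s*\[(\w+)\]\s*$')
KEY_RE = re.compile(r'^\s*default_ccache_name\s*=\s*(\S+)')

# Constructed krb5.conf fragment with the keyring cache explicitly set.
CONF_KEYRING = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
 }
"""

# What sed -i 's/default_ccache_name/# default_ccache_name/' leaves behind.
CONF_COMMENTED = CONF_KEYRING.replace('default_ccache_name',
                                      '# default_ccache_name')

# The setting proposed in comment 3.
CONF_FILE = CONF_KEYRING.replace('KEYRING:persistent:%{uid}',
                                 'FILE:/tmp/krb5cc_%{uid}')


def config_ccache_name(text):
    """Return the active default_ccache_name from [libdefaults], else None."""
    in_libdefaults = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue  # comments are ignored, so a sed-commented key is gone
        sec = SECTION_RE.match(line)
        if sec:
            in_libdefaults = sec.group(1) == 'libdefaults'
            continue
        if in_libdefaults:
            m = KEY_RE.match(line)
            if m:
                return m.group(1)
    return None


def effective_ccache(text, env=None, compiled_default=COMPILED_DEFAULT):
    """Resolve the cache name and say where it came from."""
    env = env or {}
    if env.get('KRB5CCNAME'):
        return env['KRB5CCNAME'], 'KRB5CCNAME'
    name = config_ccache_name(text)
    if name:
        return name, 'krb5.conf'
    return compiled_default, 'compiled-in default'


def uses_kernel_keyring(name):
    """True for KEYRING: caches, which are not namespaced per container."""
    return name.upper().startswith('KEYRING:')


if __name__ == '__main__':
    for label, conf in (('set', CONF_KEYRING), ('commented', CONF_COMMENTED),
                        ('file', CONF_FILE)):
        name, origin = effective_ccache(conf)
        print(f'{label:9} {name:28} from {origin:20} '
              f'keyring={uses_kernel_keyring(name)}')
```

The commented-out case is the interesting one: with the key removed, the resolution falls through to the compiled-in default, so on a build whose default is KEYRING the sed changes nothing. To confirm what a running container observes, `klist` inside it prints the resolved name on its "Ticket cache:" line.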

Comment 5 Jan Pazdziora 2017-09-06 11:02:01 UTC
In any case, I believe the AVC denials have nothing to do with docker exec.

Comment 6 Jan Pazdziora 2017-09-06 11:03:01 UTC
This seems to be run with permissive=1. It might be worth trying it in Enforcing, to make the ipa-server-configure-first fail and exactly point out what it is doing and where.

Comment 7 Tibor Dudlák 2017-09-06 13:39:32 UTC
Created attachment 1322669 [details]
AVC log enforcing

Comment 8 Tibor Dudlák 2017-09-06 13:40:59 UTC
Thanks Jan,

I filed the bug and thought it might be docker exec related, so I have tried the same without it and the AVCs are still there.

Yes, the AVC log is from a permissive run, but I have run it in enforcing as well, see:
AVC log enforcing

Comment 10 Jan Pazdziora 2017-11-06 13:21:30 UTC
(In reply to Tibor Dudlák from comment #8)
> 
> I filed the bug and thought it might be docker exec related, so I have tried
> the same without it and the AVCs are still there.

Given it likely is not, could you update the bugzilla summary to avoid confusion?

I've hit this issue again today, which reminds me that we might need some in-depth investigation of when / why it's happening, in spite of default_ccache_name being commented out (and thus using the default value) in krb5.conf.

Comment 11 Standa Laznicka 2017-11-24 07:40:13 UTC
The last time we've seen something like this it was systemd meddling with the kernel keyring during pki-tomcat startup. Not sure if this info helps, but I think it might be worth looking into.

Comment 12 Jan Pazdziora 2017-11-24 07:55:46 UTC
So is that the same issue that was resolved by not using unconfined seccomp?

Comment 13 Standa Laznicka 2017-11-24 07:58:08 UTC
It's just a suspicion I am proposing for Tibor to investigate, I don't know much about what's happening in the OC test suite.

Comment 14 Fedora Update System 2017-11-28 13:34:35 UTC
container-selinux-2.36-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

Comment 15 Fedora Update System 2017-11-28 13:34:57 UTC
container-selinux-2.36-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-acc79c0e3e

Comment 16 Fedora Update System 2017-11-28 18:37:05 UTC
container-selinux-2.36-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-acc79c0e3e

Comment 17 Fedora Update System 2017-11-29 01:47:06 UTC
container-selinux-2.36-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

Comment 18 Fedora Update System 2017-12-10 05:07:13 UTC
container-selinux-2.36-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-12-12 13:41:36 UTC
container-selinux-2.36-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.