Bug 1488406 - IPA container throws AVC when running docker exec
Summary: IPA container throws AVC when running docker exec
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 26
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-09-05 10:13 UTC by Tibor Dudlák
Modified: 2018-01-08 12:12 UTC (History)

Fixed In Version: container-selinux-2.36-1.fc27 container-selinux-2.36-1.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-10 05:07:13 UTC
Type: Bug
Embargoed:
tdudlak: needinfo-


Attachments
AVC log (2.55 KB, text/plain), 2017-09-05 10:13 UTC, Tibor Dudlák
AVC log enforcing (2.84 KB, text/plain), 2017-09-06 13:39 UTC, Tibor Dudlák

Description Tibor Dudlák 2017-09-05 10:13:22 UTC
Created attachment 1322149 [details]
AVC log

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-260.6.fc26.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install docker and atomic-openshift-clients
2. Add insecure registry '--insecure-registry 172.30.0.0/16' to docker config
3. run:
```
# setsebool -P container_manage_cgroup on
# systemctl enable docker --now
# mkdir -p /var/lib/origin-data
# export ORIGIN_VERSION=v1.5.1
# oc cluster up --host-data-dir /var/lib/origin-data --use-existing-config --public-hostname=$(hostname) --version=$ORIGIN_VERSION 
# oc new-project innovation-2017
```
4. Clone: https://github.com/freeipa/freeipa-container.git
5. Run:
```
# oc create -f freeipa-container/freeipa-server-openshift-image.json

# docker pull freeipa/freeipa-server:fedora-25

# oc new-app --name freeipa-y -f freeipa-container/freeipa-server-openshift.json -p IPA_SERVER_SERVICE=freeipa-1 -p IPA_SERVER_IMAGE=freeipa-server:fedora-25 -p IPA_SERVER_HOSTNAME=ipa.example.test -p IPA_SERVER_IP=172.30.13.13 -p IPA_ADMIN_PASSWORD=Secret123 -p TIMEOUT=1200
```
6. Wait for pod and services in container to initialize.

7. Run: 
```
# docker exec `docker ps | grep freeipa-server | cut -d " " -f1` systemctl status
```


Actual results:
Throws AVC


Expected results:
No AVC

Additional info: in attachment

Comment 2 Daniel Walsh 2017-09-05 10:42:23 UTC
I see some strange AVCs.

The keyring ones cannot be fixed. It looks like the container runtime (docker/cri-o) is using a kernel keyring that is leaking into the container and then the container is trying to write to it. Kernel keyrings are not namespaced, so this is the equivalent of a container process attacking the keyring of the container runtime.

type=AVC msg=audit(1504533437.320:543): avc:  denied  { write } for  pid=20150 comm="keyctl" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_runtime_t:s0 tclass=key permissive=1


These three AVCs:

time->Mon Sep  4 09:52:57 2017
type=AVC msg=audit(1504533177.717:372): avc:  denied  { write } for  pid=12313 comm="ipa-server-conf" name="fd" dev="proc" ino=65570 scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
----
time->Mon Sep  4 09:52:57 2017
type=AVC msg=audit(1504533177.717:373): avc:  denied  { add_name } for  pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
----
time->Mon Sep  4 09:52:57 2017
type=AVC msg=audit(1504533177.717:374): avc:  denied  { associate } for  pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:object_r:container_t:s0:c4,c7 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----

Looks like ipa-server-conf is attempting to add content to directories under the /proc file system? What is it doing? I did not think it was possible to add content to these directories.
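
To make the triage done in this comment repeatable, here is an added Python example (not code from the bug, FreeIPA or container-selinux) that parses ausearch-style AVC lines, counts denials per object class, and flags cross-domain `key` denials, the pattern identified above as a container process reaching the container runtime's kernel keyring. The sample input is constructed from the four denials quoted in this comment, with the `----` separators ausearch prints.

```python
import re
from collections import Counter

# Constructed sample: the four denials quoted in the comment above, plus the
# "----" separators ausearch emits, to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1504533437.320:543): avc:  denied  { write } for  pid=20150 comm="keyctl" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_runtime_t:s0 tclass=key permissive=1
----
type=AVC msg=audit(1504533177.717:372): avc:  denied  { write } for  pid=12313 comm="ipa-server-conf" name="fd" dev="proc" ino=65570 scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
----
type=AVC msg=audit(1504533177.717:373): avc:  denied  { add_name } for  pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=1
----
type=AVC msg=audit(1504533177.717:374): avc:  denied  { associate } for  pid=12313 comm="ipa-server-conf" name="1" scontext=system_u:object_r:container_t:s0:c4,c7 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'tclass': fields.get('tclass'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'permissive': fields.get('permissive') == '1',
    }


def parse_audit(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def selinux_type(context):
    """user:role:type:sensitivity[:categories] -> type"""
    return context.split(':')[2]


def count_by_class(records):
    return dict(Counter(r['tclass'] for r in records))


def cross_domain_key_denials(records):
    """Denials where a process in one domain touches a kernel key labelled with a
    different domain.  Keyrings are not namespaced, so container_t writing to a
    container_runtime_t key is the container reaching the runtime's keyring."""
    return [
        r for r in records
        if r['tclass'] == 'key'
        and selinux_type(r['scontext']) != selinux_type(r['tcontext'])
    ]


def enforcing_would_block(records):
    """Serials logged with permissive=1: allowed in this run, but these accesses
    would fail once the system is switched to enforcing mode."""
    return [r['serial'] for r in records if r['permissive']]
```

Feed it `ausearch -m AVC -ts recent` output (or the attached log) to separate the keyring denial, which crosses from container_t to container_runtime_t, from the same-domain /proc denials that point at something ipa-server-conf itself is doing.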

Comment 3 Jan Pazdziora 2017-09-06 10:53:35 UTC
Tibor, could you try to set default_ccache_name in /etc/krb5.conf to FILE:/tmp/krb5cc_%{uid} in build time, to avoid using the kernel keyring from the container?

Comment 4 Jan Pazdziora 2017-09-06 10:57:54 UTC
Actually, we seem to do that in runtime in ipa-server-configure-first with

sed -i 's/default_ccache_name/# default_ccache_name/' /data/etc/krb5.conf

It might be worth investigating what setting is actually observed and why keyring is used.

Comment 5 Jan Pazdziora 2017-09-06 11:02:01 UTC
In any case, I believe the AVC denials have nothing to do with docker exec.

Comment 6 Jan Pazdziora 2017-09-06 11:03:01 UTC
This seems to be run with permissive=1. It might be worth trying it in Enforcing, to make the ipa-server-configure-first fail and exactly point out what it is doing and where.

Comment 7 Tibor Dudlák 2017-09-06 13:39:32 UTC
Created attachment 1322669 [details]
AVC log enforcing

Comment 8 Tibor Dudlák 2017-09-06 13:40:59 UTC
Thanks Jan,

I filed the bug and thought it might be docker exec related, so I have tried the same without it and the AVCs are still there.

Yes, the AVC log is from a permissive run, but I have run it in enforcing as well; see:
AVC log enforcing

Comment 10 Jan Pazdziora 2017-11-06 13:21:30 UTC
(In reply to Tibor Dudlák from comment #8)
> 
> I filed the bug and thought it might be docker exec related, so I have tried
> the same without it and the AVCs are still there.

Given it likely is not, could you update the bugzilla summary to avoid confusion?

I've hit this issue again today, which reminds me that we might need some in-depth investigation of when / why it's happening, in spite of default_ccache_name being commented out (and thus using the default value) in krb5.conf.
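
Comments 4 and 10 turn on which default_ccache_name value is actually in effect once the line in krb5.conf is commented out. The following Python example (added here; not FreeIPA's or the freeipa-container project's code) models libkrb5's precedence, $KRB5CCNAME first, then default_ccache_name in [libdefaults], then the compiled-in default, and assumes that compiled-in default is KEYRING:persistent:%{uid}, the value Fedora's krb5 packages build in; that constant is an assumption of the example, so adjust it for other builds. The krb5.conf fragment is constructed.

```python
import re

# Constructed krb5.conf fragment (not taken from the FreeIPA image).
KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_kdc = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test
 }
"""

# Assumption: the value compiled in via DEFCCNAME, as Fedora's krb5 packages set it.
BUILD_DEFAULT_CCACHE = 'KEYRING:persistent:%{uid}'


def comment_out_default_ccache(conf):
    """The runtime edit quoted in Comment 4:
    sed -i 's/default_ccache_name/# default_ccache_name/'"""
    return conf.replace('default_ccache_name', '# default_ccache_name')


def set_default_ccache(conf, value):
    """Set (uncommenting if needed) default_ccache_name in [libdefaults]."""
    pat = re.compile(r'^[ \t]*#?[ \t]*default_ccache_name[ \t]*=.*$', re.M)
    new_line = ' default_ccache_name = ' + value
    if pat.search(conf):
        return pat.sub(lambda _m: new_line, conf, count=1)
    return conf.replace('[libdefaults]', '[libdefaults]\n' + new_line, 1)


def effective_ccache(conf, krb5ccname=None, build_default=BUILD_DEFAULT_CCACHE):
    """libkrb5 precedence: $KRB5CCNAME, then default_ccache_name in
    [libdefaults], then the compiled-in default."""
    if krb5ccname:
        return krb5ccname
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # krb5.conf comments are whole-line
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section == 'libdefaults' and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            if key == 'default_ccache_name':
                return value
    return build_default


def ccache_type(name):
    """Credential cache type prefix; a bare path means FILE."""
    return name.split(':', 1)[0] if ':' in name else 'FILE'
```

Under this model, commenting the line out does not move credentials out of the kernel keyring; it only falls back to the build default, which on such a build is still a KEYRING cache. Setting the value explicitly to FILE:/tmp/krb5cc_%{uid}, as suggested in Comment 3, is what changes the cache type, and an exported KRB5CCNAME overrides either.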

Comment 11 Standa Laznicka 2017-11-24 07:40:13 UTC
The last time we've seen something like this it was systemd meddling with the kernel keyring during pki-tomcat startup. Not sure if this info helps, but I think it might be worth looking into.

Comment 12 Jan Pazdziora 2017-11-24 07:55:46 UTC
So is that the same issue that was resolved by not using unconfined seccomp?

Comment 13 Standa Laznicka 2017-11-24 07:58:08 UTC
It's just a suspicion I am proposing for Tibor to investigate, I don't know much about what's happening in the OC test suite.

Comment 14 Fedora Update System 2017-11-28 13:34:35 UTC
container-selinux-2.36-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

Comment 15 Fedora Update System 2017-11-28 13:34:57 UTC
container-selinux-2.36-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-acc79c0e3e

Comment 16 Fedora Update System 2017-11-28 18:37:05 UTC
container-selinux-2.36-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-acc79c0e3e

Comment 17 Fedora Update System 2017-11-29 01:47:06 UTC
container-selinux-2.36-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

Comment 18 Fedora Update System 2017-12-10 05:07:13 UTC
container-selinux-2.36-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-12-12 13:41:36 UTC
container-selinux-2.36-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

