
systemd-socket-activate problem. audit2allow shows "allow container_t unconfined_t:tcp_socket { setopt shutdown };" #179

Closed
eriksjolund opened this issue May 23, 2022 · 1 comment

Comments


eriksjolund commented May 23, 2022

Test with "setenforce 1". Downloading with curl fails.

[root@asus ~]# useradd test
[root@asus ~]# machinectl shell test@
Connected to the local host. Press ^] three times within 1s to exit session.
[test@asus ~]$ podman pull -q ghcr.io/eriksjolund/socket-activate-httpd:0.2.0
f6067b3d4430fcefc1425c8d0cebe19557ac777168f5e6f2b94b153dc93dadd5
[test@asus ~]$ systemd-socket-activate -l 8080 podman run --rm --network=none ghcr.io/eriksjolund/socket-activate-httpd:0.2.0
Listening on [::]:8080 as 3.
Communication attempt on fd 3.
Execing podman (podman run --rm --network=none ghcr.io/eriksjolund/socket-activate-httpd:0.2.0)
[Mon May 23 04:04:22.633888 2022] [core:crit] [pid 1:tid 1] (13)Permission denied: AH00067: make_sock: for address [::18d2:cd31:ff7f:0]:8080, apr_socket_opt_set: (SO_REUSEADDR)
AH00526: Syntax error on line 47 of /etc/httpd/conf/httpd.conf:
Failed to setup socket passed by systemd using socket activation
[test@asus ~]$

After starting the command systemd-socket-activate above, in another shell I ran

[test@asus ~]$ curl localhost:8080
curl: (56) Recv failure: Connection reset by peer
[test@asus ~]$

Test with "setenforce 0". Downloading with curl succeeds.

[test@asus ~]$ systemd-socket-activate -l 8080 podman run --rm --network=none ghcr.io/eriksjolund/socket-activate-httpd:0.2.0
Listening on [::]:8080 as 3.
Communication attempt on fd 3.
Execing podman (podman run --rm --network=none ghcr.io/eriksjolund/socket-activate-httpd:0.2.0)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

In another shell the download was successful

[test@asus ~]$ curl -o /tmp/file localhost:8080
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8474  100  8474    0     0  42423      0 --:--:-- --:--:-- --:--:-- 42582
[test@asus ~]$

Query the audit daemon logs with ausearch and analyze them with audit2allow

[root@asus ~]# ausearch --start 06:19:30 --raw > /tmp/raw1
[root@asus ~]# cat /tmp/raw1
type=AVC msg=audit(1653279577.440:3151): avc:  denied  { setopt } for  pid=40506 comm="httpd" lport=8080 scontext=system_u:system_r:container_t:s0:c638,c819 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
type=AVC msg=audit(1653279577.452:3152): avc:  denied  { shutdown } for  pid=40510 comm="httpd" laddr=::ffff:127.0.0.1 lport=8080 faddr=::ffff:127.0.0.1 fport=39226 scontext=system_u:system_r:container_t:s0:c638,c819 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
[root@asus ~]# cat /tmp/raw1 | audit2allow


#============= container_t ==============
allow container_t unconfined_t:tcp_socket { setopt shutdown };
[root@asus ~]#

Extra note

I guess this warning message (seen above) is not relevant to the SELinux problem

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

About the system

[test@asus ~]$ cat /etc/fedora-release
Fedora release 36 (Thirty Six)
[test@asus ~]$ rpm -q container-selinux
container-selinux-2.183.0-4.fc36.noarch
[test@asus ~]$ rpm -q podman
podman-4.1.0-1.fc36.x86_64
[test@asus ~]$ rpm -q systemd
systemd-250.3-8.fc36.x86_64
[test@asus ~]$ 

Update 1

I forgot to mention that the container image was built from this Containerfile (with comments removed)

FROM docker.io/library/fedora:latest

RUN dnf install -y httpd
RUN sed -i "s/Listen 80/Listen 127.0.0.1:8080/g" /etc/httpd/conf/httpd.conf

CMD ["/usr/sbin/httpd", "-DFOREGROUND"]

Another thing:
When running it as a systemd user service instead, it worked with setenforce 1.

I'll try to investigate it a little more later. Maybe the SELinux problem could be worked around with a reconfiguration of the Apache HTTP server? Just a speculation...
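As an added example, not part of this issue or of the container-selinux project: a small Python script that parses raw AVC records like the two quoted above and collapses them into allow rules the way audit2allow does. The only input is the two records from this issue, embedded as a constructed string so the script runs offline. Beyond reproducing the rule, it reports two things a reviewer of such a denial wants to see: whether the records were captured with the policy in permissive mode (`permissive=1`), and socket denials where the socket object's type differs from the process domain, which is what the denial here shows. That pattern is consistent with the listening socket having been created by systemd-socket-activate in the unconfined user session and keeping that label when the container process inherits the file descriptor.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the issue, as raw ausearch
# output (embedded here so the example runs without an audit log).
SAMPLE_AVC = """\
type=AVC msg=audit(1653279577.440:3151): avc:  denied  { setopt } for  pid=40506 comm="httpd" lport=8080 scontext=system_u:system_r:container_t:s0:c638,c819 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
type=AVC msg=audit(1653279577.452:3152): avc:  denied  { shutdown } for  pid=40510 comm="httpd" laddr=::ffff:127.0.0.1 lport=8080 faddr=::ffff:127.0.0.1 fport=39226 scontext=system_u:system_r:container_t:s0:c638,c819 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
"""

# One AVC record: result, permission set, source/target context, object class,
# and the optional permissive flag at the end of the line.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type (third colon-separated field) of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc(text):
    """Parse denied AVC records into dicts; non-AVC and granted lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def allow_rules(records):
    """Merge denials into one allow rule per (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def captured_in_permissive_mode(records):
    """True when every denial carries permissive=1, i.e. nothing was actually blocked."""
    return bool(records) and all(r["permissive"] for r in records)


def foreign_socket_denials(records):
    """Socket-class denials whose object type is not the process domain (an inherited fd)."""
    return [r for r in records if r["tclass"].endswith("_socket") and r["stype"] != r["ttype"]]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    for rule in allow_rules(recs):
        print(rule)
    print("captured in permissive mode:", captured_in_permissive_mode(recs))
    for r in foreign_socket_denials(recs):
        print(f"{r['stype']} acting on a {r['tclass']} labelled {r['ttype']}: {sorted(r['perms'])}")
```

Feed it real data with `ausearch -m avc --raw | python3 avc_rules.py` after replacing `SAMPLE_AVC` with `sys.stdin.read()`; the generated rule is a starting point for deciding whether the socket should have been created in a different domain, not something to load into the policy unread.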


rhatdan commented May 24, 2022

@rhatdan rhatdan closed this as completed May 24, 2022