Upgrade to F31: SELinux denials with container_t trying to access spc_t

[space88man]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

After upgrading from Fedora 30 to Fedora 31, I am getting SELinux denials when container_t is trying to acess spc_t data. This doesn't prevent the container from functioning, though.

Any ideas where all this spc_t access is coming from?

Steps to reproduce the issue:

1. Upgrade from Fedora 30 to Fedora 31

2. Create a CentOS 8 container with /sbin/init as entrypoint

3. Do moderately complicated stuff like:

   • run dnf inside the container: install glibc-langpack-en, erlang, rabbitmq-server
   • create network:none containers and manually configure networking with veths or nsenter
   • stop and start services inside the container
   • stop and start the container multiple times with podman

Describe the results you received:
Lots of SELinux denials mesages when container_t tries to access spc_t data.
Everything still works(!) and the container runs without any issues even when enforcing is on.

Describe the results you expected:
Clean ausearch -m avc output.

Additional information you deem important (e.g. issue happens only occasionally):
Need below to silence SELinux.

require {
        type container_t;
        type spc_t;
        class process { signal sigstop signull };
        class dir { getattr search read };
        class file { getattr read open };
        class lnk_file { read };
}

#============= container_t ==============
allow container_t spc_t:file { getattr read open };
allow container_t spc_t:lnk_file { read };
allow container_t spc_t:dir { getattr search read };
allow container_t spc_t:process { signal sigstop signull };

Output of podman version:

Version:            1.6.1
RemoteAPI Version:  1
Go Version:         go1.13
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:            
  compiler: gc                                                                  
  git commit: ""
  go version: go1.13              
  podman version: 1.6.1   
host:        
  BuildahVersion: 1.11.2
  CgroupVersion: v2                   
  Conmon:                                                                       
    package: conmon-2.0.1-1.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.1, commit: 5e0eadedda9508810235ab878174dca1183f4013'
  Distribution:
    distribution: fedora
    version: "31"
  MemFree: 5142310912
  MemTotal: 67356446720
  OCIRuntime:
    package: crun-0.10.2-1.fc31.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.10.2
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 16
  eventlogger: journald
  hostname: podman.localdomain
  kernel: 5.3.6-300.fc31.x86_64
  os: linux
  rootless: false
  uptime: 198h 32m 52.94s (Approximately 8.25 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 5
  GraphDriverName: btrfs
  GraphOptions: {}
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Build Version: 'Btrfs v5.2.1 '
    Library Version: "102"
  ImageStore:
    number: 6
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.6.1-2.fc31.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):
Upgraded baremetal from F30 to F31. Sample AVC messages:

type=AVC msg=audit(1572333420.626:5639): avc:  denied  { sigstop } for  pid=1878297 comm="systemd-shutdow" scontext=system_u:system_r:container_t:s0:c464,c961 tcontext=unconfined_u:system_r:spc_t:s0 tclass=process permissive=1

type=AVC msg=audit(1572333625.063:5823): avc:  denied  { search } for  pid=1908140 comm="systemd" name="79" dev="proc" ino=10367374 scontext=system_u:system_r:container_t:s0:c809,c847 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1572336859.488:6807): avc:  denied  { getattr } for  pid=1930986 comm="ps" path="/proc/25" dev="proc" ino=10464139 scontext=system_u:system_r:container_t:s0:c705,c867 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0

type=AVC msg=audit(1572337178.369:6846): avc:  denied  { search } for  pid=1933453 comm="ps" name="25" dev="proc" ino=10464139 scontext=system_u:system_r:container_t:s0:c705,c867 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0

[vrothberg]

@rhatdan PTAL

[space88man]

I can trigger this on fresh Fedora 31. CentOS 8 systemd root container, running rabbitmq-server.

From outside the container

podman exec rabbitmq_2 systemctl stop rabbitmq-server

See AVCs:

---
time->Tue Oct 29 18:49:36 2019
type=AVC msg=audit(1572346176.045:1478): avc:  denied  { getattr } for  pid=240507 comm="ps" path="/proc/653" dev="proc" ino=5635971 scontext=system_u:system_r:container_t:s0:c28,c560 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 18:49:37 2019
type=AVC msg=audit(1572346177.058:1479): avc:  denied  { getattr } for  pid=240508 comm="ps" path="/proc/653" dev="proc" ino=5635971 scontext=system_u:system_r:container_t:s0:c28,c560 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 18:49:38 2019
type=AVC msg=audit(1572346178.066:1480): avc:  denied  { getattr } for  pid=240509 comm="ps" path="/proc/653" dev="proc" ino=5635971 scontext=system_u:system_r:container_t:s0:c28,c560 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 18:49:39 2019
type=AVC msg=audit(1572346179.074:1482): avc:  denied  { getattr } for  pid=240516 comm="ps" path="/proc/653" dev="proc" ino=5635971 scontext=system_u:system_r:container_t:s0:c28,c560 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0

The command still works, though.

[space88man]

Reproducer on a fresh Fedora 31:

CON=$(buildah from centos:8)
buildah run $CON dnf install -y glibc-langpack-en
buildah run $CON dnf install -y https://github.com/rabbitmq/erlang-rpm/releases/download/v22.1.5/erlang-22.1.5-1.el8.x86_64.rpm
buildah run $CON dnf install -y https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.7.20/rabbitmq-server-3.7.20-1.el8.noarch.rpm

buildah run $CON systemctl enable rabbitmq-server.service

buildah commit $CON rabbitmq:test


podman run -it --rm --name rabbit_1 --entrypoint /sbin/init rabbitmq:test

On the host run podman exec rabbit_1 systemctl stop rabbitmq-server.

See

----
time->Tue Oct 29 19:11:07 2019
type=AVC msg=audit(1572347467.326:1909): avc:  denied  { getattr } for  pid=247158 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 19:11:08 2019
type=AVC msg=audit(1572347468.339:1910): avc:  denied  { getattr } for  pid=247159 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 19:11:09 2019
type=AVC msg=audit(1572347469.347:1911): avc:  denied  { getattr } for  pid=247160 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 19:11:10 2019
type=AVC msg=audit(1572347470.365:1913): avc:  denied  { getattr } for  pid=247167 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0
----
time->Tue Oct 29 19:11:11 2019
type=AVC msg=audit(1572347471.376:1914): avc:  denied  { getattr } for  pid=247170 comm="ps" path="/proc/423" dev="proc" ino=5691516 scontext=system_u:system_r:container_t:s0:c519,c604 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dir permissive=0

[rhatdan]

Do you know what process is running as spc_t?

ps -eZ | grep spc_t

[space88man]

@rhatdan it is the externally exec'ed program

# podman exec rabbit_1 ps -eZ 
LABEL                               PID TTY          TIME CMD
system_u:system_r:container_t:s0:c519,c604 1 ?   00:00:00 systemd
system_u:system_r:container_t:s0:c519,c604 16 ?  00:00:00 systemd-journal
system_u:system_r:container_t:s0:c519,c604 22 ?  00:00:00 dbus-daemon
system_u:system_r:container_t:s0:c519,c604 2286 ? 00:00:18 beam.smp
system_u:system_r:container_t:s0:c519,c604 2494 ? 00:00:00 epmd
system_u:system_r:container_t:s0:c519,c604 2644 ? 00:00:00 erl_child_setup
system_u:system_r:container_t:s0:c519,c604 2669 ? 00:00:00 inet_gethost
system_u:system_r:container_t:s0:c519,c604 2670 ? 00:00:00 inet_gethost
unconfined_u:system_r:spc_t:s0    10491 ?        00:00:00 ps

[rhatdan]

That is a bug.

[rhatdan]

PR has merged that should fix this.