Bug 1366800 - AVC denial when running a container with a hostpath
Summary: AVC denial when running a container with a hostpath
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker-latest
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-12 21:08 UTC by Qian Cai
Modified: 2016-08-16 14:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-15 12:46:46 UTC
Description Qian Cai 2016-08-12 21:08:35 UTC
Description of problem:
# docker run -it -v /root/:root/ rhel7 bash
bash: /root/.bashrc: Permission denied
bash-4.2# ls /root/
ls: cannot open directory /root/: Permission denied
bash-4.2# exit
exit
# ausearch -m AVC
time->Fri Aug 12 17:03:08 2016
type=SYSCALL msg=audit(1471035788.648:1155): arch=c000003e syscall=2 success=no exit=-13 a0=86f7a0 a1=241 a2=180 a3=0 items=0 ppid=14675 pid=14690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:svirt_lxc_net_t:s0:c303,c477 key=(null)
type=AVC msg=audit(1471035788.648:1155): avc:  denied  { write } for  pid=14690 comm="bash" name=".bash_history" dev="vda1" ino=8774390 scontext=system_u:system_r:svirt_lxc_net_t:s0:c303,c477 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

# docker info
Containers: 16
 Running: 3
 Paused: 0
 Stopped: 13
Images: 19
Server Version: 1.12.0
Storage Driver: devicemapper
 Pool Name: dockervg-docker--latest--pool
 Pool Blocksize: 524.3 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: 
 Metadata file: 
 Data Space Used: 7.266 GB
 Data Space Total: 10.68 GB
 Data Space Available: 3.417 GB
 Metadata Space Used: 1.368 MB
 Metadata Space Total: 12.58 MB
 Metadata Space Available: 11.21 MB
 Thin Pool Minimum Free Space: 1.068 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true
 Deferred Deleted Device Count: 0
 Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge host null overlay
 Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-327.28.2.el7.x86_64
Operating System: Employee SKU
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 2
Total Memory: 3.702 GiB
Name: caiqian-jslave.localdomain
ID: B3AG:LJ7T:3JE4:AGGR:4TWR:NGFX:WELK:RYWF:J22B:4YMA:BMB3:OU7C
Docker Root Dir: /var/lib/docker-latest
Debug Mode (client): false
Debug Mode (server): false
Registry: https://registry.access.redhat.com/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8
Registries: registry.access.redhat.com (secure), docker.io (secure)

Version-Release number of selected component (if applicable):
# rpm -qa | grep docker
docker-common-1.10.3-46.el7.10.x86_64
docker-rhel-push-plugin-1.10.3-46.el7.10.x86_64
docker-selinux-1.10.3-46.el7.10.x86_64
docker-latest-1.12.0-4.el7.x86_64

How reproducible:
always

Comment 3 Daniel Walsh 2016-08-15 12:46:46 UTC
You are mounting the /root directory into a locked down container; this means that bash will attempt to write to /root/.bash_history and will get denied, as expected.  This is not a bug.  If you want to manage your /root directory from a container I would advise you to disable SELinux in the container.  Since you should not relabel /root to match the container, and if the container can write to /root, it can cause an admin to execute commands just by modifying /root/.bashrc.

docker run --security-opt label=disable -ti ...
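
The AVC record in the description is the whole story of this bug: a process in the container domain (svirt_lxc_net_t, with its per-container MCS categories c303,c477) was denied write on a file labelled admin_home_t, a host label that container processes are never allowed to touch. The parser below is an added example, not code from this bug or from Red Hat; it takes the two audit lines from the report (embedded as constructed sample input) and pulls out the fields a triager needs to decide whether a denial is policy working as designed or something to investigate. The type sets (svirt_lxc_net_t / container_t for container processes, svirt_sandbox_file_t / container_file_t for files a container may write) and the category names are this example's own choices.

```python
import re

# Constructed sample: the two records from this bug's `ausearch -m AVC` output.
SAMPLE_AUDIT = """\
time->Fri Aug 12 17:03:08 2016
type=SYSCALL msg=audit(1471035788.648:1155): arch=c000003e syscall=2 success=no exit=-13 a0=86f7a0 a1=241 a2=180 a3=0 items=0 ppid=14675 pid=14690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:svirt_lxc_net_t:s0:c303,c477 key=(null)
type=AVC msg=audit(1471035788.648:1155): avc:  denied  { write } for  pid=14690 comm="bash" name=".bash_history" dev="vda1" ino=8774390 scontext=system_u:system_r:svirt_lxc_net_t:s0:c303,c477 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

# Matches the fixed prefix of an AVC record; the key=value tail is parsed separately.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process domains used for containers (RHEL 7 name seen in this log, and its later name).
CONTAINER_PROCESS_TYPES = {"svirt_lxc_net_t", "container_t"}
# File types a container process is allowed to write to (the :z / :Z mount labels).
CONTAINER_FILE_TYPES = {"svirt_sandbox_file_t", "container_file_t"}


def selinux_type(context):
    """Return the type field of user:role:type:level[:categories]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def mcs_categories(context):
    """Return the MCS categories (e.g. ['c303', 'c477']) of a context, or []."""
    parts = context.split(":")
    return parts[4].split(",") if len(parts) > 4 else []


def parse_avc(text):
    """Parse every type=AVC line in `text` into a dict of the triage-relevant fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue  # SYSCALL, time-> and other record types are skipped
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append({
            "serial": int(m.group("serial")),
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
            "tclass": fields.get("tclass"),
            "comm": fields.get("comm"),
            "name": fields.get("name"),
            "source_type": selinux_type(fields.get("scontext", "")),
            "target_type": selinux_type(fields.get("tcontext", "")),
            "mcs": mcs_categories(fields.get("scontext", "")),
        })
    return records


def classify(rec):
    """Label a record: expected policy enforcement vs. something to look at."""
    if rec["verdict"] != "denied":
        return "not a denial"
    if (rec["source_type"] in CONTAINER_PROCESS_TYPES
            and rec["target_type"] not in CONTAINER_FILE_TYPES):
        # Exactly the case in this bug: a confined container touching a host-labelled file.
        return "container process blocked on host-labelled file"
    return "other"


def summarize(text):
    """One line per denial: who, what permission, on which file, and why it was blocked."""
    return [
        f"{r['comm']} ({r['source_type']} {','.join(r['mcs'])}) denied "
        f"{' '.join(r['perms'])} on {r['tclass']} {r['name']} "
        f"[{r['target_type']}]: {classify(r)}"
        for r in parse_avc(text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_AUDIT):
        print(line)
```

The classification is the check behind the NOTABUG verdict: when the source type is the container domain and the target type is not one of the container-writable file types, the denial is the policy doing its job. For a directory dedicated to the container, mounting it with `:z` or `:Z` relabels it into the writable set; for a directory like /root that must keep its host label, the comment's `--security-opt label=disable` is the documented alternative, at the cost of the isolation the denial was providing.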

Comment 4 Qian Cai 2016-08-15 13:05:34 UTC
Not only /root, but other host dirs have the same issue. For example, -v /mnt:/mnt . If I remember correctly, I never saw anything like this issue in docker-1.10 before.

Comment 5 Daniel Walsh 2016-08-16 13:17:23 UTC
Please try it in docker-1.10, and show me it succeeding.

Comment 6 Qian Cai 2016-08-16 14:16:05 UTC
You are right. I must be using overlayfs in 1.10 where selinux was disabled in containers.
