Bug 1517739 - SELinux is preventing dotnet from 'map' accesses on the chr_file /dev/zero.
Summary: SELinux is preventing dotnet from 'map' accesses on the chr_file /dev/zero.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 27
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5b976608e2d701f9e6531724214...
Depends On:
Blocks:
 
Reported: 2017-11-27 10:58 UTC by Arun Babu Neelicattu
Modified: 2017-12-21 11:02 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-21 11:02:16 UTC



Description Arun Babu Neelicattu 2017-11-27 10:58:29 UTC
Description of problem:
This issue can be reproduced when using either s2i builder images for dotnet core or using Microsoft-provided dotnet core images. The following are example commands to reproduce.

> docker run --rm -it microsoft/dotnet:latest bash -c "dotnet new console; dotnet run"
> docker run --rm registry.access.redhat.com/dotnet/dotnet-20-rhel7:latest bash -c "dotnet new console; dotnet run"

This also occurs when using "s2i build" commands.

An upstream bug report is already filed for the dotnet container. [https://github.com/dotnet/dotnet-docker/issues/343]

The following coredump was associated with this issue.
> Stack trace of thread 103:
> #0  0x00007fd4db95dfcf n/a (/lib/x86_64-linux-gnu/libc-2.24.so)
> #1  0x00007fd4db17cbcb n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #2  0x00007fd4daee58a8 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #3  0x00007fd4daee5959 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #4  0x00007fd4dae562d9 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #5  0x00007fd461d33d3a n/a (n/a)
> #6  0x00007fd461d32eb8 n/a (n/a)
> #7  0x00007fd4daef2067 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #8  0x00007fd4dae02e40 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #9  0x00007fd4daf13db4 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #10 0x00007fd4daf14033 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #11 0x00007fd4dad4550b n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #12 0x00007fd4dad1fe86 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #13 0x00007fd4db43e433 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libhostpolicy.so)
> #14 0x00007fd4db4330d8 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libhostpolicy.so)
> #15 0x00007fd4db433772 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libhostpolicy.so)
> #16 0x00007fd4db6f38f4 n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #17 0x00007fd4db6fd978 n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #18 0x00007fd4db6fc8f7 n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #19 0x00007fd4db6fdfac n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #20 0x00007fd4db6f3975 n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #21 0x000000000040c42a _Z3runiPPKc (dotnet)
> #22 0x000000000040c597 main (dotnet)
> #23 0x00007fd4db94b2b1 n/a (/lib/x86_64-linux-gnu/libc-2.24.so)
SELinux is preventing dotnet from 'map' accesses on the chr_file /dev/zero.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dotnet should be allowed map access on the zero chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dotnet' --raw | audit2allow -M my-dotnet
# semodule -X 300 -i my-dotnet.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c438,c767
Target Context                system_u:object_r:container_file_t:s0:c438,c767
Target Objects                /dev/zero [ chr_file ]
Source                        dotnet
Source Path                   dotnet
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.16.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.13-300.fc27.x86_64 #1 SMP Wed
                              Nov 15 15:47:50 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-11-27 23:52:15 NZDT
Last Seen                     2017-11-27 23:52:17 NZDT
Local ID                      7be0d4e5-5bbe-4bb9-a183-641d8471e131

Raw Audit Messages
type=AVC msg=audit(1511779937.59:5619): avc:  denied  { map } for  pid=26481 comm="dotnet" path="/dev/zero" dev="tmpfs" ino=1615430 scontext=system_u:system_r:container_t:s0:c438,c767 tcontext=system_u:object_r:container_file_t:s0:c438,c767 tclass=chr_file permissive=0


Hash: dotnet,container_t,container_file_t,chr_file,map

Version-Release number of selected component:
selinux-policy-3.13.1-283.16.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.13-300.fc27.x86_64
type:           libreport
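
Triage helper for the denial above, added here as an example and not part of the bug report or of the container-selinux project. It parses raw AVC lines of the form shown under "Raw Audit Messages" into fields, flags the container_t -> chr_file `map` denial this bug describes, derives the allow rule that the suggested `audit2allow` step would encode (so an administrator can review it before installing a local module), and checks an installed `container-selinux` NVR against the 2.36 version named in Comment 3. The first sample line is the report's own AVC record; the other two lines and the NVR strings are constructed for the example.

```python
import re

# Constructed sample input. Line 0 is the AVC record from this bug report;
# lines 1 and 2 are made-up records (an unrelated file denial and a non-AVC
# SYSCALL line) included so the filter has something to reject.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1511779937.59:5619): avc:  denied  { map } for  pid=26481 '
    'comm="dotnet" path="/dev/zero" dev="tmpfs" ino=1615430 '
    'scontext=system_u:system_r:container_t:s0:c438,c767 '
    'tcontext=system_u:object_r:container_file_t:s0:c438,c767 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1511779940.12:5620): avc:  denied  { write } for  pid=26490 '
    'comm="dotnet" path="/var/log/messages" dev="dm-0" ino=424242 '
    'scontext=system_u:system_r:container_t:s0:c438,c767 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1511779937.59:5619): arch=c000003e syscall=9 success=no exit=-13',
]

# Header of an AVC record: timestamp:serial, verdict, and the permission set in braces.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC line, or None for any other audit record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Split user:role:type:level so callers can match on the type alone.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":", 3)
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else ""
            rec[ctx + "_level"] = parts[3] if len(parts) > 3 else ""
    return rec


def matches_report(rec):
    """True for the denial this bug is about: a container process (container_t)
    denied 'map' on a character device."""
    return (rec is not None
            and rec["result"] == "denied"
            and "map" in rec["perms"]
            and rec.get("scontext_type") == "container_t"
            and rec.get("tclass") == "chr_file")


def implied_allow_rule(rec):
    """The type-enforcement rule a denial maps to, in the form audit2allow would
    emit for a local policy module. Shown for review, not applied."""
    return "allow %s %s:%s { %s };" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"],
        " ".join(sorted(rec["perms"])))


def triage(lines):
    """Parse every line, keep only denials matching this report, and return the
    allow rules they imply."""
    return [implied_allow_rule(r) for r in map(parse_avc, lines) if matches_report(r)]


# Version that carries the fix, per Comment 3 (rpm Epoch is ignored here).
FIXED_IN = (2, 36)
NVR_RE = re.compile(r'^container-selinux-(\d+(?:\.\d+)*)-')


def container_selinux_is_fixed(nvr):
    """Compare an `rpm -q container-selinux` result against the fixed version."""
    m = NVR_RE.match(nvr)
    if not m:
        raise ValueError("not a container-selinux NVR: " + nvr)
    return tuple(int(p) for p in m.group(1).split(".")) >= FIXED_IN


if __name__ == "__main__":
    for rule in triage(SAMPLE_AUDIT_LINES):
        print("matching denial implies:", rule)
    for nvr in ("container-selinux-2.29-1.fc27.noarch",
                "container-selinux-2.36-1.fc27.noarch"):
        print(nvr, "fixed" if container_selinux_is_fixed(nvr) else "needs update")
```

On a real host the input would come from `ausearch -m AVC --raw` rather than the embedded list. The point of emitting the rule as text instead of running `audit2allow -M` is that a local module silently widens the container policy; when the installed package is already at or above the fixed version, a matching denial points at something other than this bug.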

Comment 1 Daniel Walsh 2017-11-27 13:10:20 UTC
rpm -q container-selinux

Comment 2 Arun Babu Neelicattu 2017-11-27 23:49:47 UTC
> $ rpm -q container-selinux
> container-selinux-2.29-1.fc27.noarch

Comment 3 Daniel Walsh 2017-11-28 14:32:37 UTC
I just put container-selinux-2.36 into fedora 27 updates.  Should fix this issue.

Comment 4 Arun Babu Neelicattu 2017-11-28 23:14:57 UTC
Thanks Dan!

Comment 5 Daniel Walsh 2017-12-02 20:28:10 UTC
Please test it and update karma.

Comment 6 Arun Babu Neelicattu 2017-12-03 00:58:32 UTC
Updated https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

The fix was locally verified.

> $ sudo dnf info container-selinux
> Last metadata expiration check: 1:10:00 ago on Sun 03 Dec 2017 12:36:30 NZDT.
> Installed Packages
> Name         : container-selinux
> Epoch        : 2
> Version      : 2.36
> Release      : 1.fc27
> Arch         : noarch
> Size         : 35 k
> Source       : container-selinux-2.36-1.fc27.src.rpm
> Repo         : @System
> From repo    : @commandline
> Summary      : SELinux policies for container runtimes
> URL          : https://github.com/projectatomic/container-selinux
> License      : GPLv2
> Description  : SELinux policy modules for use with container runtimes.
> 
> $ docker run --rm registry.access.redhat.com/dotnet/dotnet-20-rhel7:latest bash -c "dotnet new console; dotnet run"
> Getting ready...
> The template "Console Application" was created successfully.
> 
> Processing post-creation actions...
> Running 'dotnet restore' on /opt/app-root/src/src.csproj...
>   Restoring packages for /opt/app-root/src/src.csproj...
>   Installing Microsoft.NETCore.DotNetAppHost 2.0.0.
>   Installing Microsoft.NETCore.DotNetHostResolver 2.0.0.
>   Installing Microsoft.NETCore.App 2.0.0.
>   Installing NETStandard.Library 2.0.0.
>   Installing Microsoft.NETCore.DotNetHostPolicy 2.0.0.
>   Installing Microsoft.NETCore.Platforms 2.0.0.
>   Generating MSBuild file /opt/app-root/src/obj/src.csproj.nuget.g.props.
>   Generating MSBuild file /opt/app-root/src/obj/src.csproj.nuget.g.targets.
>   Restore completed in 8.77 sec for /opt/app-root/src/src.csproj.
> 
> 
> Restore succeeded.
> 
> Hello World!

