Bug 1691504 - SELinux is preventing /usr/bin/tee from open access on the fifo_file fifo_file
Summary: SELinux is preventing /usr/bin/tee from open access on the fifo_file fifo_file
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-03-21 18:44 UTC by Lukas Slebodnik
Modified: 2019-03-25 10:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Lukas Slebodnik 2019-03-21 18:44:53 UTC
SELinux is preventing /usr/bin/tee from open access on the fifo_file fifo_file.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tee should be allowed open access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tee' --raw | audit2allow -M my-tee
# semodule -X 300 -i my-tee.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c150,c605
Target Context                unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
Target Objects                fifo_file [ fifo_file ]
Source                        tee
Source Path                   /usr/bin/tee
Port                          <Unknown>
Host                          nec-em19.khw2.lab.eng.bos.redhat.com
Source RPM Packages           coreutils-8.31-2.fc31.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.4-5.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nec-em19.khw2.lab.eng.bos.redhat.com
Platform                      Linux nec-em19.khw2.lab.eng.bos.redhat.com 5.1.0-0.rc1.git0.1.fc31.x86_64 #1 SMP Mon Mar 18 15:09:12 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-03-21 14:42:29 EDT
Last Seen                     2019-03-21 14:42:29 EDT
Local ID                      1c07fedf-39c5-4896-90e6-4ab1accd8864

Raw Audit Messages
type=AVC msg=audit(1553193749.866:692): avc:  denied  { open } for  pid=31950 comm="tee" path="pipe:[327600]" dev="pipefs" ino=327600 scontext=system_u:system_r:container_t:s0:c150,c605 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0


type=SYSCALL msg=audit(1553193749.866:692): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7ffe82b69f40 a2=241 a3=1b6 items=4 ppid=31930 pid=31950 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm=tee exe=/usr/bin/tee subj=system_u:system_r:container_t:s0:c150,c605 key=(null)

type=CWD msg=audit(1553193749.866:692): cwd=/

type=PATH msg=audit(1553193749.866:692): item=0 name=/dev/ inode=322321 dev=00:3e mode=040500 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:container_t:s0:c150,c605 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1553193749.866:692): item=1 name=/dev/stderr inode=329814 dev=00:3f mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_file_t:s0:c150,c605 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1553193749.866:692): item=2 name=/dev/stderr inode=322322 dev=00:3e mode=0120300 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:container_t:s0:c150,c605 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: tee,container_t,container_runtime_t,fifo_file,open

Comment 1 Lukas Slebodnik 2019-03-21 18:46:31 UTC
Steps to reproduce

sh-5.0# cat /tmp/Dockerfile
FROM fedora:29

RUN set -o pipefail ; echo test | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'
sh-5.0# echo ok | ( tty ; podman build -t test-image -f /tmp/Dockerfile )
not a tty
STEP 1: FROM fedora:29
STEP 2: RUN set -o pipefail ; echo test | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'
tee: /dev/stderr: Permission denied
Error: error building at step {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin DISTTAG=fcontainer FGC=f FBR=f] Command:run Args:[set -o pipefail ; echo test | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'] Flags:[] Attrs:map[] Message:RUN set -o pipefail ; echo test | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' Original:RUN set -o pipefail ; echo test | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'}: error while running runtime: exit status 1

Cannot see AVCs with tty

sh-5.0# tty ; podman build -t test-image -f /tmp/Dockerfile
/dev/pts/4
STEP 1: FROM fedora:29
STEP 2: RUN set -o pipefail ; echo test | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'
test
--> b83e249f0bf1027bd4d2fbd48300fcfb1772c6d928f55e314e5c290a2a7ff528
STEP 3: COMMIT test-image

Comment 2 Daniel Walsh 2019-03-22 14:47:33 UTC
I am trying to find where the container_runtime_t fifo file is leaking into the container.

cat ~/Dockerfile.test
FROM fedora 
RUN dnf -y install findutils
RUN find / -printf "%P %Z\n"

podman build -f ~/Dockerfile.test ~ | grep container_runtime
STEP 1: FROM fedora
STEP 2: RUN dnf -y install findutils
STEP 3: FROM aca743b83bf16613c7a484383d52b913259741e2fdf0952b8a56edf5da0de0e6
STEP 4: RUN find / -printf "%P %Z\n"
STEP 5: COMMIT 

I see no fifo_files labeled container_runtime_t.

Comment 3 Lukas Slebodnik 2019-03-22 18:22:51 UTC
(In reply to Daniel Walsh from comment #2)
> I am trying to find where the container_runtime_t fifo file is leaking into
> the container.
> 
> cat ~/Dockerfile.test
> FROM fedora 
> RUN dnf -y install findutils
> RUN find / -printf "%P %Z\n"
> 
> podman build -f ~/Dockerfile.test ~ | grep container_runtime
> STEP 1: FROM fedora
> STEP 2: RUN dnf -y install findutils
> STEP 3: FROM aca743b83bf16613c7a484383d52b913259741e2fdf0952b8a56edf5da0de0e6
> STEP 4: RUN find / -printf "%P %Z\n"
> STEP 5: COMMIT 
> 
> I see no fifo_files labeled container_runtime_t.

I would say that the tricky part is: 

> tee: /dev/stderr: Permission denied
> Error: error building at step

And I cannot see it in your Dockerfile.

Comment 4 Lukas Slebodnik 2019-03-22 19:25:13 UTC
sh-4.4# cat Dockerfile 
FROM docker.io/fedora:29
RUN dnf -y install findutils
RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'
sh-4.4# 
sh-4.4# echo ok | ( tty ; podman build -t test-image -f ./Dockerfile )
not a tty
STEP 1: FROM docker.io/fedora:29
STEP 2: RUN dnf -y install findutils
--> Using cache 659aca5bec5e91d6ac0e36f8b3bab16590dd750240de86e08ad4b36bc849c957
STEP 3: FROM 659aca5bec5e91d6ac0e36f8b3bab16590dd750240de86e08ad4b36bc849c957
STEP 4: RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'
tee: /dev/stderr: Permission denied
ls: cannot access '/proc/self/fd/3': No such file or directory
error building at step {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin DISTTAG=fcontainer FGC=f FBR=f] Command:run Args:[set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'] Flags:[] Attrs:map[] Message:RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p' Original:RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -n 's/^patching file //;T;/\.py$/p'}: error while running runtime: exit status 1
sh-4.4# 
sh-4.4# ausearch -m avc -i
----
type=AVC msg=audit(03/22/2019 15:24:47.239:2083810) : avc:  denied  { open } for  pid=28095 comm=tee path=pipe:[835451002] dev="pipefs" ino=835451002 scontext=system_u:system_r:container_t:s0:c701,c720 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0

Comment 5 Lukas Slebodnik 2019-03-22 20:00:31 UTC
One more time

sh-4.4# cat Dockerfile 
FROM docker.io/fedora:29
RUN dnf -y install findutils
RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -e 's/^patching file //;T;/\.py$/p'
sh-4.4# 
sh-4.4# echo ok | ( tty ; podman build -t test-image -f ./Dockerfile )
not a tty
STEP 1: FROM docker.io/fedora:29
STEP 2: RUN dnf -y install findutils
--> Using cache 659aca5bec5e91d6ac0e36f8b3bab16590dd750240de86e08ad4b36bc849c957
STEP 3: FROM 659aca5bec5e91d6ac0e36f8b3bab16590dd750240de86e08ad4b36bc849c957
STEP 4: RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -e 's/^patching file //;T;/\.py$/p'
tee: /dev/stderr: Permission denied
ls: cannot access '/proc/self/fd/3': No such file or directory
835505521 lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c262,c982 15 Mar 22 19:59 /dev/stderr -> /proc/self/fd/2
835503570 lr-x------. 1 root root system_u:system_r:container_t:s0:c262,c982      64 Mar 22 19:59 /proc/self/fd/0 -> pipe:[835507841]
835503571 l-wx------. 1 root root system_u:system_r:container_t:s0:c262,c982      64 Mar 22 19:59 /proc/self/fd/1 -> pipe:[835505579]
835503572 l-wx------. 1 root root system_u:system_r:container_t:s0:c262,c982      64 Mar 22 19:59 /proc/self/fd/2 -> pipe:[835507843]
error building at step {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin DISTTAG=fcontainer FGC=f FBR=f] Command:run Args:[set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -e 's/^patching file //;T;/\.py$/p'] Flags:[] Attrs:map[] Message:RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -e 's/^patching file //;T;/\.py$/p' Original:RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -e 's/^patching file //;T;/\.py$/p'}: error while running runtime: exit status 1
sh-4.4# 
sh-4.4# ausearch -m avc -i
----
type=AVC msg=audit(03/22/2019 15:59:32.855:2084372) : avc:  denied  { open } for  pid=9362 comm=tee path=pipe:[835507843] dev="pipefs" ino=835507843 scontext=system_u:system_r:container_t:s0:c262,c982 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0

Comment 6 Lukas Slebodnik 2019-03-22 20:02:11 UTC
(In reply to Lukas Slebodnik from comment #5)
> One more time
> 
> sh-4.4# cat Dockerfile 
> FROM docker.io/fedora:29
> RUN dnf -y install findutils
> RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee /dev/stderr
> | sed -e 's/^patching file //;T;/\.py$/p'
> sh-4.4# 
> sh-4.4# echo ok | ( tty ; podman build -t test-image -f ./Dockerfile )
> not a tty
> STEP 1: FROM docker.io/fedora:29
> STEP 2: RUN dnf -y install findutils
> --> Using cache
> 659aca5bec5e91d6ac0e36f8b3bab16590dd750240de86e08ad4b36bc849c957
> STEP 3: FROM 659aca5bec5e91d6ac0e36f8b3bab16590dd750240de86e08ad4b36bc849c957
> STEP 4: RUN set -o pipefail ; ls -liZ /proc/self/fd/* /dev/stderr | tee
> /dev/stderr | sed -e 's/^patching file //;T;/\.py$/p'
> tee: /dev/stderr: Permission denied
> ls: cannot access '/proc/self/fd/3': No such file or directory
> 835505521 lrwxrwxrwx. 1 root root
> system_u:object_r:container_file_t:s0:c262,c982 15 Mar 22 19:59 /dev/stderr
> -> /proc/self/fd/2

/dev/stderr is obviously /proc/self/fd/2

> 835503570 lr-x------. 1 root root system_u:system_r:container_t:s0:c262,c982
> 64 Mar 22 19:59 /proc/self/fd/0 -> pipe:[835507841]
> 835503571 l-wx------. 1 root root system_u:system_r:container_t:s0:c262,c982
> 64 Mar 22 19:59 /proc/self/fd/1 -> pipe:[835505579]
> 835503572 l-wx------. 1 root root system_u:system_r:container_t:s0:c262,c982
> 64 Mar 22 19:59 /proc/self/fd/2 -> pipe:[835507843]

and /proc/self/fd/2 is the problematic pipe:[835507843]

> error building at step
> {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> DISTTAG=fcontainer FGC=f FBR=f] Command:run Args:[set -o pipefail ; ls -liZ
> /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -e 's/^patching file
> //;T;/\.py$/p'] Flags:[] Attrs:map[] Message:RUN set -o pipefail ; ls -liZ
> /proc/self/fd/* /dev/stderr | tee /dev/stderr | sed -e 's/^patching file
> //;T;/\.py$/p' Original:RUN set -o pipefail ; ls -liZ /proc/self/fd/*
> /dev/stderr | tee /dev/stderr | sed -e 's/^patching file //;T;/\.py$/p'}:
> error while running runtime: exit status 1
> sh-4.4# 
> sh-4.4# ausearch -m avc -i
> ----
> type=AVC msg=audit(03/22/2019 15:59:32.855:2084372) : avc:  denied  { open }
> for  pid=9362 comm=tee path=pipe:[835507843] dev="pipefs" ino=835507843
                              ^^^^^^^^^^^^^^^^
                              problematic pipe                          
> scontext=system_u:system_r:container_t:s0:c262,c982
> tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
> tclass=fifo_file permissive=0

Comment 7 Daniel Walsh 2019-03-24 20:14:49 UTC
Why doesn't ls -lZ show it as container_runtime_t then?

Comment 8 Lukas Slebodnik 2019-03-25 10:00:45 UTC
(In reply to Daniel Walsh from comment #7)
> Why doesn't ls -lZ show it as container_runtime_t then?

I have no idea. I also wonder why there are not AVCs when building with tty.

Comment 9 Daniel Walsh 2019-03-25 10:31:39 UTC
I think the difference is the opening of the TTY. When running normally we are not opening the TTY, we are inheriting it, and this is just handled with different access checks.
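The two questions left open in comments 7 to 9 (why `ls -liZ /proc/self/fd/*` shows container_t while the AVC names container_runtime_t, and why writing to an inherited stderr works where `tee /dev/stderr` fails) can be checked directly from a shell. The script below is an added example written for this page; it is not code from the bug report, from podman or from container-selinux. It assumes a Linux host with procfs and GNU coreutils (`stat -c %C`, `tee`); on a host whose coreutils lack SELinux support the label fields print `?`. The key point it makes visible is that `/proc/self/fd/2` is a symlink carrying the label of the process (the AVC's scontext), while the pipe it points to carries the label of whoever created it, here the runtime (the AVC's tcontext). `ls -lZ` without `-L` reports the former, which is why the listing in comment 5 never shows container_runtime_t.

```shell
#!/bin/sh
# Added example for this bug thread; not code from the report or from podman.
# Contrasts the two ways a process in the build container can reach its
# stderr, and reads the label of the pipe behind /proc/self/fd/2 rather than
# the label of the /proc symlink that `ls -lZ` prints.

# Write $1 to stderr through the inherited descriptor. The shell only dup()s
# fd 2; no open(2) is issued, so SELinux checks fifo_file { write } on the
# pipe and never fifo_file { open }.
write_inherited() {
    printf '%s\n' "$1" >&2
}

# Write $1 to stderr the way the failing RUN step does: tee resolves
# /dev/stderr -> /proc/self/fd/2 -> pipe:[N] and calls openat(2) on it.
# That is the fifo_file { open } check the AVC in the report denies.
write_reopened() {
    printf '%s\n' "$1" | tee /dev/stderr >/dev/null
}

# Classify fd 2 of the current process: tty, pipe or other. With a tty
# (interactive podman build) /dev/stderr resolves to a /dev/pts device, not
# a pipe, which is consistent with no AVC appearing in that case.
stderr_kind() {
    if [ -t 2 ]; then
        echo tty
    elif [ -p /proc/self/fd/2 ]; then
        echo pipe
    else
        echo other
    fi
}

# Label of the /proc symlink itself, i.e. what `ls -lZ /proc/self/fd/2`
# shows. Entries under /proc/<pid>/fd carry the label of the process, so
# this matches the AVC's scontext, not its tcontext.
symlink_label() {
    lbl=$(stat -c %C /proc/self/fd/2 2>/dev/null) || lbl='?'
    echo "${lbl:-?}"
}

# Label of the object the descriptor refers to (-L follows the symlink).
# Inside a podman build this is the pipe created by the runtime, and the
# value matches the AVC's tcontext. Prints '?' without SELinux support.
target_label() {
    lbl=$(stat -L -c %C /proc/self/fd/2 2>/dev/null) || lbl='?'
    echo "${lbl:-?}"
}

# One-line summary that can be dropped into a RUN step while debugging.
report_stderr() {
    printf 'fd2=%s symlink=%s target=%s\n' \
        "$(stderr_kind)" "$(symlink_label)" "$(target_label)"
}

# Probe whether re-opening stderr by path is permitted here, without
# producing any output. Redirections are applied left to right: dup fd 2
# to fd 3, silence error messages, then open /dev/fd/3 (the same pipe) for
# writing. Exit status is 0 when the open succeeds and non-zero when it
# is denied, the EACCES seen in the report's SYSCALL record.
can_reopen_stderr() {
    true 3>&2 2>/dev/null >/dev/fd/3
}
```

Running `report_stderr` inside a RUN step of a build that is being piped (no tty) is the quickest way to confirm the mismatch: `fd2=pipe`, `symlink=...container_t...`, `target=...container_runtime_t...`. `write_inherited` keeps working in that situation because it never opens the pipe, so a RUN step that only needs output on stderr can use `>&2` instead of `tee /dev/stderr`.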

