SELinux prevents passing TCP sockets via Podman/systemd socket activation
eriksjolund opened this issue · 4 comments
Issue #171 was about a Unix socket. This issue is very similar but is about TCP sockets.
I booted up a Fedora CoreOS next stream VM and ran

```
sudo rpm-ostree install --apply-live --allow-inactive mariadb
sudo rpm-ostree install --apply-live --allow-inactive audit
sudo systemctl start auditd.service
```
Podman version:

```
$ podman --version
podman version 3.4.4
```

container-selinux version:

```
$ rpm -q container-selinux
container-selinux-2.173.1-1.fc35.noarch
```
I then followed roughly
https://github.com/eriksjolund/mariadb-podman-socket-activation/

```
git clone https://github.com/eriksjolund/mariadb-podman-socket-activation.git
cd mariadb-podman-socket-activation
mkdir -p ~/.config/systemd/user
cp -r mariadb*@* ~/.config/systemd/user
systemctl --user daemon-reload
systemctl --user start mariadb-tcp@demo.socket
sudo setenforce 0
date
mariadb -h 127.0.0.1 --port 8090 -p -u example-user
```
Then I entered `my` as the password.
I then ran `sudo ausearch -ts recent` and saw, for instance, these entries:
```
time->Tue Feb 15 21:16:18 2022
type=AVC msg=audit(1644959778.536:253): avc: denied { getattr } for pid=4479 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c644,c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1
----
time->Tue Feb 15 21:16:18 2022
type=AVC msg=audit(1644959778.536:254): avc: denied { getopt } for pid=4479 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c644,c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c11
----
time->Tue Feb 15 21:16:18 2022
type=AVC msg=audit(1644959778.539:255): avc: denied { accept } for pid=4479 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c644,c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c11
----
time->Tue Feb 15 21:16:18 2022
type=AVC msg=audit(1644959778.540:256): avc: denied { setopt } for pid=4479 comm="mariadbd" laddr=127.0.0.1 lport=8090 faddr=127.0.0.1 fport=59560 scontext=system_u:system_r:container_t:s0:c644,c1023 tcontext=unconfined_u:system_r:con1
```
A side-note: Last week I made a Markdown table in https://github.com/eriksjolund/mariadb-podman-socket-activation/blob/main/README.md where I wrote that `--security-opt label=enable` is possible for TCP sockets. I was mistaken.
Can you attach the full AVCs?
And run them through audit2allow.
First experiment

I did:

- run as root

```
[root@tutorial ~]# ausearch --checkpoint /tmp/check --raw > /dev/null
```

- run as the user helper

```
[tester@tutorial ~]$ mariadb -h 127.0.0.1 --port 8090 -u example-user -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \q
Bye
[tester@tutorial ~]$
```

- run as root

```
[root@tutorial ~]# ausearch --checkpoint /tmp/check --raw > /tmp/raw1
```

- run as the user helper again

```
[tester@tutorial ~]$ mariadb -h 127.0.0.1 --port 8090 -u example-user -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \q
Bye
```

- run as root

```
[root@tutorial ~]# ausearch --checkpoint /tmp/check --raw > /tmp/raw2
```

- run as root

```
[root@tutorial ~]# cat /tmp/raw1 | audit2allow
[root@tutorial ~]# cat /tmp/raw2 | audit2allow


#============= container_t ==============
allow container_t container_runtime_t:tcp_socket { accept getattr getopt setopt };
[root@tutorial ~]# cat /tmp/raw1 | ausearch -ts today
----
time->Sat Feb 19 11:55:35 2022
type=PROCTITLE msg=audit(1645271735.600:308): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
type=SYSCALL msg=audit(1645271735.600:308): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fffe76bdc90 a2=2899b a3=7fffe776e080 items=0 ppid=1 pid=1274 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=TIME_ADJNTPVAL msg=audit(1645271735.600:308): op=freq old=60946841600000 new=10898571264000
----
time->Sat Feb 19 11:55:35 2022
type=PROCTITLE msg=audit(1645271735.600:309): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
type=SYSCALL msg=audit(1645271735.600:309): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fffe76bdca0 a2=fffffffffffd1799 a3=7fffe776e080 items=0 ppid=1 pid=1274 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=TIME_ADJNTPVAL msg=audit(1645271735.600:309): op=freq old=10898571264000 new=-12488998912000
----
time->Sat Feb 19 11:56:40 2022
type=PROCTITLE msg=audit(1645271800.856:310): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
type=SYSCALL msg=audit(1645271800.856:310): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fffe76bdc90 a2=21400 a3=7fffe776e080 items=0 ppid=1 pid=1274 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=TIME_ADJNTPVAL msg=audit(1645271800.856:310): op=freq old=-12488998912000 new=8925478912000
----
time->Sat Feb 19 11:56:40 2022
type=PROCTITLE msg=audit(1645271800.856:311): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
type=SYSCALL msg=audit(1645271800.856:311): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fffe76bdca0 a2=280f a3=7fffe776e080 items=0 ppid=1 pid=1274 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=TIME_ADJNTPVAL msg=audit(1645271800.856:311): op=freq old=8925478912000 new=672071680000
[root@tutorial ~]# cat /tmp/raw2 | ausearch -ts today
----
time->Sat Feb 19 11:57:00 2022
type=AVC msg=audit(1645271820.683:312): avc: denied { getattr } for pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
----
time->Sat Feb 19 11:57:00 2022
type=AVC msg=audit(1645271820.683:313): avc: denied { getopt } for pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
----
time->Sat Feb 19 11:57:01 2022
type=AVC msg=audit(1645271821.469:314): avc: denied { accept } for pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
----
time->Sat Feb 19 11:57:01 2022
type=AVC msg=audit(1645271821.469:315): avc: denied { setopt } for pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 faddr=127.0.0.1 fport=50056 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
[root@tutorial ~]#
```
Disclaimer: I am new to these tools. It seems strange that the allow rule

```
allow container_t container_runtime_t:tcp_socket { accept getattr getopt setopt };
```

is generated from /tmp/raw2 (the output from when the mariadb client is run the second time) but not from /tmp/raw1 (the output from when the mariadb client is run the first time).
The files /tmp/raw1 and /tmp/raw2 can be downloaded from
files.tar.gz
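An added example (not part of this issue and not audit2allow's own code) that reproduces the aggregation step audit2allow performs on the records above: it groups the denied permissions by source type, target type and object class and emits one allow rule per group, skipping non-AVC records such as the chronyd SYSCALL and TIME_ADJNTPVAL events, which is why a capture containing only those yields no rule. The sample records are constructed from the AVC lines shown in this comment.

```python
"""Minimal AVC-to-allow-rule aggregator (added example, not audit2allow itself).

Parses SELinux AVC records of the form seen in this issue and groups the
denied permissions by (source type, target type, object class), rendering
one allow rule per group the way audit2allow summarises them.
The sample audit text below is constructed from the issue's output.
"""
import re
from collections import defaultdict

# Constructed sample: four AVC denials plus one non-AVC (SYSCALL) record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1645271820.683:312): avc:  denied  { getattr } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
type=AVC msg=audit(1645271820.683:313): avc:  denied  { getopt } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
type=AVC msg=audit(1645271821.469:314): avc:  denied  { accept } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
type=AVC msg=audit(1645271821.469:315): avc:  denied  { setopt } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 faddr=127.0.0.1 fport=50056 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1645271735.600:308): arch=c000003e syscall=305 success=yes exit=0 comm="chronyd" subj=system_u:system_r:chronyd_t:s0
"""

# One AVC record: the permission set in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third colon-separated element) of a context."""
    return context.split(":")[2]

def aggregate_denials(audit_text):
    """Return {(src_type, tgt_type, tclass): sorted list of denied permissions}."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL, PROCTITLE, TIME_ADJNTPVAL, ...)
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        groups[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in groups.items()}

def allow_rules(audit_text):
    """Render the aggregated denials as policy allow rules, one per group."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(aggregate_denials(audit_text).items())
    ]

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

On a live system, feed it the output of `ausearch -m AVC --raw` instead of the embedded sample; a rule it prints is a starting point for review, not something to load unread.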
Second experiment

- Run on the host

```
butane --pretty --strict file.butane --output /tmp/file.ign
cd ~/.local/share/libvirt/images
qemu-kvm -m 2048 -cpu host -nographic -snapshot -drive if=virtio,file=fedora-coreos-35.20220213.1.0-qemu.x86_64.qcow2 -fw_cfg name=opt/com.coreos/config,file=/tmp/file.ign -nic user,model=2
```

- Log in via ssh to the Fedora CoreOS VM

```
ssh -i ./id_ed25519 -p 2222 -o NoHostAuthenticationForLocalhost=true tester@127.0.0.1
```

- Run as the user tester on the Fedora CoreOS VM (if the command `mariadb` is not available at first, just wait a bit, as it is being installed with `/usr/bin/rpm-ostree install --apply-live --allow-inactive mariadb audit policycoreutils-python-utils`)

```
[tester@tutorial ~]$ mariadb --port 8090 -h 127.0.0.1 -u example-user -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \q
Bye
[tester@tutorial ~]$
```

The password `my` was typed.

- In the terminal where the user core was automatically logged in, run

```
sudo -i
```

- Run as root on the Fedora CoreOS VM

```
[root@tutorial ~]# ausearch -ts today --raw > /tmp/raw.experiment2
[root@tutorial ~]# cat /tmp/raw.experiment2 | audit2allow


#============= container_t ==============
allow container_t container_runtime_t:tcp_socket { accept getattr getopt setopt };

#============= systemd_hostnamed_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_hostnamed_t etc_t:file map;

#============= systemd_logind_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_logind_t etc_t:file map;

#============= systemd_userdbd_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_userdbd_t etc_t:file map;
[root@tutorial ~]#
```
The files
- file.butane
- raw.experiment2
can be downloaded from the tar archive experiment2.tar.gz
Some parts of the file file.butane originate from the Fedora CoreOS documentation, e.g.:
https://docs.fedoraproject.org/en-US/fedora-coreos/os-extensions/