containers/container-selinux

SELinux prevents passing TCP sockets via Podman/systemd socket activation

eriksjolund opened this issue · 4 comments

The issue #171 was about Unix socket. This issue is very similar but is about TCP sockets.

I booted up a Fedora CoreOS next stream VM and ran

sudo rpm-ostree install --apply-live --allow-inactive mariadb
sudo rpm-ostree install --apply-live --allow-inactive audit
sudo systemctl start auditd.service

Podman version:

$ podman --version
podman version 3.4.4

container-selinux version:

$ rpm -q container-selinux
container-selinux-2.173.1-1.fc35.noarch

I then followed roughly
https://github.com/eriksjolund/mariadb-podman-socket-activation/

git clone https://github.com/eriksjolund/mariadb-podman-socket-activation.git
cd mariadb-podman-socket-activation
mkdir -p ~/.config/systemd/user
cp -r mariadb*@* ~/.config/systemd/user
systemctl --user daemon-reload 
systemctl --user start mariadb-tcp@demo.socket
sudo setenforce 0
date
mariadb -h 127.0.0.1 --port 8090 -p -u example-user

Then I entered my as password.

I then ran sudo ausearch -ts recent, and saw for instance these entries

time->Tue Feb 15 21:16:18 2022
type=AVC msg=audit(1644959778.536:253): avc:  denied  { getattr } for  pid=4479 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c644,c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1
----
time->Tue Feb 15 21:16:18 2022
type=AVC msg=audit(1644959778.536:254): avc:  denied  { getopt } for  pid=4479 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c644,c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c11
----
time->Tue Feb 15 21:16:18 2022
type=AVC msg=audit(1644959778.539:255): avc:  denied  { accept } for  pid=4479 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c644,c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c11
----
time->Tue Feb 15 21:16:18 2022
type=AVC msg=audit(1644959778.540:256): avc:  denied  { setopt } for  pid=4479 comm="mariadbd" laddr=127.0.0.1 lport=8090 faddr=127.0.0.1 fport=59560 scontext=system_u:system_r:container_t:s0:c644,c1023 tcontext=unconfined_u:system_r:con1

A side-note: Last week I made a Markdown table in https://github.com/eriksjolund/mariadb-podman-socket-activation/blob/main/README.md where I wrote that --security-opt label=enable is possible for TCP sockets. I was mistaken.

Can you attach the full AVCs?

And run them through audit2allow.

First experiment

I did

  1. run as root
    [root@tutorial ~]#  ausearch --checkpoint /tmp/check --raw > /dev/null
    
  2. run as the user helper
    [tester@tutorial ~]$ mariadb -h 127.0.0.1 --port 8090 -u example-user -p
    Enter password: 
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 3
    Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
    
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MariaDB [(none)]> \q
    Bye
    [tester@tutorial ~]$
    
  3. run as root
    [root@tutorial ~]#  ausearch --checkpoint /tmp/check --raw > /tmp/raw1
    
  4. run as the user helper again
    [tester@tutorial ~]$ mariadb -h 127.0.0.1 --port 8090 -u example-user -p
    Enter password: 
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 4
    Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
        
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MariaDB [(none)]> \q
    Bye
    
  5. run as root
    [root@tutorial ~]#  ausearch --checkpoint /tmp/check --raw > /tmp/raw2
    
  6. run as root
    [root@tutorial ~]#  cat /tmp/raw1 | audit2allow
    [root@tutorial ~]#  cat /tmp/raw2 | audit2allow
    
    
    #============= container_t ==============
    allow container_t container_runtime_t:tcp_socket { accept getattr getopt setopt };
    
    [root@tutorial ~]# cat /tmp/raw1 | ausearch -ts today 
    ----
    time->Sat Feb 19 11:55:35 2022
    type=PROCTITLE msg=audit(1645271735.600:308): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
    type=SYSCALL msg=audit(1645271735.600:308): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fffe76bdc90 a2=2899b a3=7fffe776e080 items=0 ppid=1 pid=1274 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
    type=TIME_ADJNTPVAL msg=audit(1645271735.600:308): op=freq old=60946841600000 new=10898571264000
    ----
    time->Sat Feb 19 11:55:35 2022
    type=PROCTITLE msg=audit(1645271735.600:309): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
    type=SYSCALL msg=audit(1645271735.600:309): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fffe76bdca0 a2=fffffffffffd1799 a3=7fffe776e080 items=0 ppid=1 pid=1274 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
    type=TIME_ADJNTPVAL msg=audit(1645271735.600:309): op=freq old=10898571264000 new=-12488998912000
    ----
    time->Sat Feb 19 11:56:40 2022
    type=PROCTITLE msg=audit(1645271800.856:310): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
    type=SYSCALL msg=audit(1645271800.856:310): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fffe76bdc90 a2=21400 a3=7fffe776e080 items=0 ppid=1 pid=1274 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
    type=TIME_ADJNTPVAL msg=audit(1645271800.856:310): op=freq old=-12488998912000 new=8925478912000
    ----
    time->Sat Feb 19 11:56:40 2022
    type=PROCTITLE msg=audit(1645271800.856:311): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
    type=SYSCALL msg=audit(1645271800.856:311): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fffe76bdca0 a2=280f a3=7fffe776e080 items=0 ppid=1 pid=1274 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
    type=TIME_ADJNTPVAL msg=audit(1645271800.856:311): op=freq old=8925478912000 new=672071680000
    
    
    [root@tutorial ~]# cat /tmp/raw2 | ausearch -ts today 
    ----
    time->Sat Feb 19 11:57:00 2022
    type=AVC msg=audit(1645271820.683:312): avc:  denied  { getattr } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
    ----
    time->Sat Feb 19 11:57:00 2022
    type=AVC msg=audit(1645271820.683:313): avc:  denied  { getopt } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
    ----
    time->Sat Feb 19 11:57:01 2022
    type=AVC msg=audit(1645271821.469:314): avc:  denied  { accept } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
    ----
    time->Sat Feb 19 11:57:01 2022
    type=AVC msg=audit(1645271821.469:315): avc:  denied  { setopt } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 faddr=127.0.0.1 fport=50056 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
    [root@tutorial ~]# 
    

Disclaimer: I am new to these tools. It seems strange that the allow rules

    allow container_t container_runtime_t:tcp_socket { accept getattr getopt setopt };

are generated from /tmp/raw2 (the output from when the mariadb client is run the second time) but not from /tmp/raw1 (the output from when the mariadb client is run the first time).

The files /tmp/raw1 and /tmp/raw2 can be downloaded from
files.tar.gz
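The AVC records above and the audit2allow output that summarises them share a simple structure: each denial names a source context, a target context, an object class and a set of permissions, and audit2allow unions the permissions per (source type, target type, class). The small parser below, an added example that is not code from container-selinux, Podman or the audit tooling, does that aggregation over constructed sample records modelled on the ones in this thread (same contexts, classes and permissions; the pids, port numbers and timestamps are made up). Records truncated before `tclass=`, like the ones quoted in the opening post, cannot yield a rule and are skipped, and non-AVC records such as the chronyd SYSCALL lines are ignored.

```python
"""Summarise SELinux AVC denials into audit2allow-style allow rules.

Added example for this issue thread; not code from container-selinux,
Podman or the audit tools. SAMPLE_LINES are constructed records that
follow the format of the AVCs quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample records (not real audit output): four tcp_socket denials
# of the kind seen in the thread plus one unrelated SYSCALL record.
SAMPLE_LINES = [
    'type=AVC msg=audit(1645271820.683:312): avc:  denied  { getattr } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1645271820.683:313): avc:  denied  { getopt } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1645271821.469:314): avc:  denied  { accept } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1645271821.469:315): avc:  denied  { setopt } for  pid=6481 comm="mariadbd" laddr=127.0.0.1 lport=8090 faddr=127.0.0.1 fport=50056 scontext=system_u:system_r:container_t:s0:c464,c472 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1',
    'type=SYSCALL msg=audit(1645271735.600:308): arch=c000003e syscall=305 success=yes exit=0 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)',
]

# A constructed record cut off before tclass=, as in the opening post.
TRUNCATED_LINE = (
    'type=AVC msg=audit(1644959778.536:253): avc:  denied  { getattr } for  pid=4479 '
    'comm="mariadbd" laddr=127.0.0.1 lport=8090 '
    'scontext=system_u:system_r:container_t:s0:c644,c1023 '
    'tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1'
)

# Extract the permission set, both contexts, the object class and (if present)
# the permissive flag; the lazy ".*?" parts skip over pid/comm/laddr/lport/etc.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?"
    r"tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Return the type of a context (user:role:type[:range]); the MCS/MLS
    range is dropped, which is what audit2allow does when it writes rules."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial, or None for non-AVC records and for
    records truncated before tclass= (no rule can be formed without a class)."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def summarise(lines):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rules(lines):
    """Render one audit2allow-style allow line per (source, target, class)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summarise(lines).items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LINES):
        print(rule)
```

Run on the sample records it prints the same single line that audit2allow produced from /tmp/raw2. Feeding it the output of `ausearch --raw -ts today` would work the same way, since each AVC record is one line in raw mode; the `permissive` flag tells you whether a record was logged under `setenforce 0` (as all of those in the thread were) or was an actual enforced denial.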

Second experiment

  1. Run on the host

    butane --pretty --strict file.butane --output /tmp/file.ign
    cd ~/.local/share/libvirt/images
    qemu-kvm -m 2048 -cpu host -nographic -snapshot -drive if=virtio,file=fedora-coreos-35.20220213.1.0-qemu.x86_64.qcow2 -fw_cfg name=opt/com.coreos/config,file=/tmp/file.ign  -nic user,model=2
    
  2. Log in via ssh to the Fedora CoreOS VM

    ssh -i ./id_ed25519 -p 2222 -o NoHostAuthenticationForLocalhost=true tester@127.0.0.1
    
  3. Run as the user tester on the Fedora CoreOS VM
    (If the command mariadb is not available at first, just wait a bit, as it is being
    installed with /usr/bin/rpm-ostree install --apply-live --allow-inactive mariadb audit policycoreutils-python-utils)

    [tester@tutorial ~]$ mariadb --port 8090 -h 127.0.0.1 -u example-user -p
    Enter password: 
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 3
    Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
    
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MariaDB [(none)]> \q
    Bye
    [tester@tutorial ~]$ 
    

    As password my was typed.

  4. In the terminal where the user core was automatically logged in, run sudo -i

  5. Run as root on the Fedora CoreOS VM

    [root@tutorial ~]# ausearch -ts today --raw > /tmp/raw.experiment2
    [root@tutorial ~]# cat /tmp/raw.experiment2 | audit2allow
    
    
    #============= container_t ==============
    allow container_t container_runtime_t:tcp_socket { accept getattr getopt setopt };
    
    #============= systemd_hostnamed_t ==============
    
    #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
    allow systemd_hostnamed_t etc_t:file map;
    
    #============= systemd_logind_t ==============
    
    #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
    allow systemd_logind_t etc_t:file map;
    
    #============= systemd_userdbd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
    allow systemd_userdbd_t etc_t:file map;
    [root@tutorial ~]# 
    

The files

  • file.butane
  • raw.experiment2

can be downloaded from the tar archive experiment2.tar.gz

Some parts of the file file.butane have their origins in the Fedora CoreOS documentation, e.g.:
https://docs.fedoraproject.org/en-US/fedora-coreos/os-extensions/
