On 10/28/20 10:46 AM, Chris S wrote:
Howdy folks!
Have an interesting concoction of technologies mixed together and have
found myself in a pickle.
Currently I have a host that has pods with containers. From the host I
am using rclone hooked up to Google Drive (and fuse mounted).
When looking at the directory I have mounted with rclone you see the
following SELinux label:
system_u:object_r:fusefs_t:s0
Trying to relabel this with chcon does not work (probably expected); I get permission denied.
Mounting the volume into the container with :z exhibits similar behavior:
Error: relabel failed "/gdrive": operation not supported
I then bash into a test CentOS container with the volume mapped in
(without the labeling :z) and attempt to touch a file to generate an
audit alert:
sudo grep touch /var/log/audit/audit.log
type=AVC msg=audit(1603873529.524:951948): avc: denied { write } for pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297 scontext=system_u:system_r:container_t:s0:c296,c525 tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir permissive=0
After finding the event, I attempt to pipe this into audit2allow:
grep touch /var/log/audit/audit.log | audit2allow -R -M gdrive_allow
I then ran into this error:
could not open interface info [/var/lib/sepolgen/interface_info]
At which point I installed sepolgen-ifgen - I then re-ran the audit2allow command.
This is where I get some interesting behavior:
compilation failed:
find: ‘thinclient_drives’: Permission denied
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:60: Error: duplicate definition of container_runtime_exec(). Original definition on 60.
/usr/share/selinux/devel/include/services/container.if:79: Error: duplicate definition of container_read_state(). Original definition on 79.
/usr/share/selinux/devel/include/services/container.if:97: Error: duplicate definition of container_search_lib(). Original definition on 97.
/usr/share/selinux/devel/include/services/container.if:116: Error: duplicate definition of container_exec_lib(). Original definition on 116.
/usr/share/selinux/devel/include/services/container.if:135: Error: duplicate definition of container_read_lib_files(). Original definition on 135.
/usr/share/selinux/devel/include/services/container.if:154: Error: duplicate definition of container_read_share_files(). Original definition on 154.
/usr/share/selinux/devel/include/services/container.if:175: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 175.
/usr/share/selinux/devel/include/services/container.if:196: Error: duplicate definition of container_manage_share_files(). Original definition on 196.
/usr/share/selinux/devel/include/services/container.if:217: Error: duplicate definition of container_manage_share_dirs(). Original definition on 217.
/usr/share/selinux/devel/include/services/container.if:237: Error: duplicate definition of container_exec_share_files(). Original definition on 237.
/usr/share/selinux/devel/include/services/container.if:255: Error: duplicate definition of container_manage_config_files(). Original definition on 255.
/usr/share/selinux/devel/include/services/container.if:274: Error: duplicate definition of container_manage_lib_files(). Original definition on 274.
/usr/share/selinux/devel/include/services/container.if:294: Error: duplicate definition of container_manage_files(). Original definition on 294.
/usr/share/selinux/devel/include/services/container.if:313: Error: duplicate definition of container_manage_dirs(). Original definition on 313.
/usr/share/selinux/devel/include/services/container.if:331: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 331.
/usr/share/selinux/devel/include/services/container.if:367: Error: duplicate definition of container_lib_filetrans(). Original definition on 367.
/usr/share/selinux/devel/include/services/container.if:385: Error: duplicate definition of container_read_pid_files(). Original definition on 385.
/usr/share/selinux/devel/include/services/container.if:404: Error: duplicate definition of container_systemctl(). Original definition on 404.
/usr/share/selinux/devel/include/services/container.if:429: Error: duplicate definition of container_rw_sem(). Original definition on 429.
/usr/share/selinux/devel/include/services/container.if:448: Error: duplicate definition of container_append_file(). Original definition on 448.
/usr/share/selinux/devel/include/services/container.if:466: Error: duplicate definition of container_use_ptys(). Original definition on 466.
/usr/share/selinux/devel/include/services/container.if:484: Error: duplicate definition of container_filetrans_named_content(). Original definition on 484.
/usr/share/selinux/devel/include/services/container.if:537: Error: duplicate definition of container_stream_connect(). Original definition on 546.
/usr/share/selinux/devel/include/services/container.if:558: Error: duplicate definition of container_spc_stream_connect(). Original definition on 567.
/usr/share/selinux/devel/include/services/container.if:579: Error: duplicate definition of container_admin(). Original definition on 588.
/usr/share/selinux/devel/include/services/container.if:626: Error: duplicate definition of container_auth_domtrans(). Original definition on 635.
/usr/share/selinux/devel/include/services/container.if:645: Error: duplicate definition of container_auth_exec(). Original definition on 654.
/usr/share/selinux/devel/include/services/container.if:664: Error: duplicate definition of container_auth_stream_connect(). Original definition on 673.
/usr/share/selinux/devel/include/services/container.if:683: Error: duplicate definition of container_runtime_typebounds(). Original definition on 692.
/usr/share/selinux/devel/include/services/container.if:702: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 711.
/usr/share/selinux/devel/include/services/container.if:709: Error: duplicate definition of docker_exec_lib(). Original definition on 718.
/usr/share/selinux/devel/include/services/container.if:713: Error: duplicate definition of docker_read_share_files(). Original definition on 722.
/usr/share/selinux/devel/include/services/container.if:717: Error: duplicate definition of docker_exec_share_files(). Original definition on 726.
/usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_manage_lib_files(). Original definition on 730.
/usr/share/selinux/devel/include/services/container.if:726: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 735.
/usr/share/selinux/devel/include/services/container.if:730: Error: duplicate definition of docker_lib_filetrans(). Original definition on 739.
/usr/share/selinux/devel/include/services/container.if:734: Error: duplicate definition of docker_read_pid_files(). Original definition on 743.
/usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_systemctl(). Original definition on 747.
/usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_use_ptys(). Original definition on 751.
/usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_stream_connect(). Original definition on 755.
/usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 759.
/usr/share/selinux/devel/include/services/container.if:764: Error: duplicate definition of container_spc_read_state(). Original definition on 773.
/usr/share/selinux/devel/include/services/container.if:783: Error: duplicate definition of container_runtime_domain_template(). Original definition on 792.
/usr/share/selinux/devel/include/services/container.if:819: Error: duplicate definition of container_domain_template(). Original definition on 828.
/usr/share/selinux/devel/include/services/container.if:847: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 856.
Compiling targeted gdrive_allow module
gdrive_allow.te:15:ERROR 'syntax error' at token 'mlsconstrain' on line 3339:
# mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { write setattr append unlink link rename add_name remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/gdrive_allow.mod] Error 1
What stands out here is *gdrive_allow.te:15:ERROR 'syntax error' at
token 'mlsconstrain' on line 3339*
This leads me to believe that audit2allow is not equipped to handle this kind of rule - specifically:
policy_module(gdrive_allow, 1.0)
require {
    type container_file_t;
    type container_t;
    class dir write;
}
#============= container_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { write setattr append unlink link rename add_name remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { relabelfrom } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain dir { create relabelto } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
#Possible cause is the source level (s0:c296,c525) and target level (s0:c332,c605) are different.
allow container_t container_file_t:dir write;
At the current point in time, I am at a standstill as I cannot relabel the source. Any help would be extremely appreciated - I refuse to turn SELinux off hehe :)
CentOS Linux release 8.2.2004 (Core)
4.18.0-193.19.1.el8_2.x86_64
podman version 1.6.4
container-selinux-2.124.0-1.module_el8.2.0+305+5e198a41.noarch
policycoreutils-devel-2.9-9.el8.x86_64
selinux-policy-devel-3.14.3-41.el8_2.6.noarch
Regards,
Christopher

Hello,
Did you mount /gdrive to some previous container? Because it was relabeled to the correct SELinux type, container_file_t, but it also got concrete MCS categories "c332,c605"; now you're trying to access the volume from a different container with different unique categories "c296,c525".
It's expected that each container has the same type "container_t" but unique categories.
To make it work, you need to label /gdrive as container_file_t but with *NO* category. You can use the restorecon and chcon commands; the problem is that you see permission denied. Do you execute these commands with root privileges?
Thanks,
Lukas.
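Lukas's diagnosis (same container_file_t type on both sides, but the volume carries another container's MCS categories) can be checked mechanically from the AVC record. The following Python is an added example, not code from the thread or from any SELinux tool: it parses a record like the one Chris posted (re-created here as a constructed sample on one line), distinguishes a plain type-enforcement denial from an MCS category mismatch, and emits the "container_file_t with no category" relabel Lukas recommends. The path /gdrive, the function names and the verdict labels are the example's own assumptions.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample, modelled on the AVC record quoted in the thread and
# rejoined onto one line as auditd writes it.
SAMPLE_AVC = (
    'type=AVC msg=audit(1603873529.524:951948): avc:  denied  { write } for '
    'pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297 '
    'scontext=system_u:system_r:container_t:s0:c296,c525 '
    'tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir '
    'permissive=0'
)

CTX_RE = re.compile(r'\b(scontext|tcontext)=(\S+)')

def parse_context(ctx: str) -> Dict[str, Optional[str]]:
    """Split user:role:type[:sensitivity[:categories]] into its fields."""
    user, role, type_, *rest = ctx.split(':', 3)
    sens, _, cats = rest[0].partition(':') if rest else (None, '', '')
    return {'user': user, 'role': role, 'type': type_,
            'sensitivity': sens, 'categories': cats or None}

def categories(ctx: Dict[str, Optional[str]]) -> Set[str]:
    """MCS category set of a parsed context (empty when it has none)."""
    return set(ctx['categories'].split(',')) if ctx['categories'] else set()

def diagnose(avc_line: str, path: str) -> Dict[str, str]:
    """Classify a container-volume denial and suggest the relabel.
    'type':  object is not container_file_t, so type enforcement denies it
             (the fusefs_t label on the raw mount fails this way).
    'mcs':   type is right but the object carries another container's
             categories, so the MCS constraint (h1 dom h2) fails.
    'other': labels are fine; what is missing is an allow rule."""
    found = dict(CTX_RE.findall(avc_line))
    src, tgt = parse_context(found['scontext']), parse_context(found['tcontext'])
    if tgt['type'] != 'container_file_t':
        verdict = 'type'
    elif not categories(tgt) <= categories(src):  # source must dominate target
        verdict = 'mcs'
    else:
        verdict = 'other'
    # Shared volume: container_file_t at the sensitivity but with NO categories.
    # A filesystem that rejects setxattr (as the FUSE mount here does) needs
    # the label given at mount time via the context= mount option instead.
    fix = f"chcon -t container_file_t -l {tgt['sensitivity'] or 's0'} {path}"
    return {'verdict': verdict, 'source_type': src['type'],
            'target_type': tgt['type'], 'fix': fix if verdict != 'other' else ''}
```

Running `diagnose(SAMPLE_AVC, '/gdrive')` on the sample reports an `mcs` verdict, which is the category mismatch Lukas describes rather than a missing allow rule, so feeding it to audit2allow was never going to produce a usable module.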
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.