'su' in a Docker container -> AVC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have a container whose entrypoint uses 'su' to drop its privileges. The run of the container triggers an AVC, but the container seems to run normally.

That is on a server, and the SELinux Troubleshooter sends me emails (see the attachment).

Two questions:

 1/ Is there a way to report bugs to Bugzilla using the command line sealert tool (or another command line tool), like what we can do using the GUI?

 2/ What should I do to fix that issue, if that is one?


I copy-paste here the AVC (the attached email have more information):

type=AVC msg=audit(1434542552.136:6332403): avc:  denied  { search } for  pid=11266 comm="su" scontext=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key

type=SYSCALL msg=audit(1434542552.136:6332403): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=fffffffd a2=0 a3=7f7c50a132f0 items=0 ppid=11065 pid=11266 auid=4294967295 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=su exe=/usr/bin/su subj=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 key=(null)

-- 
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
--- Begin Message --- 
SELinux is preventing /usr/bin/su from search access on the key Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that su should be allowed search access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep su /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c68,c965
Target Context                system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects                Unknown [ key ]
Source                        su
Source Path                   /usr/bin/su
Port                          <Unknown>
Host                          cgal.geometryfactory.com
Source RPM Packages           util-linux-2.23.2-22.el7_1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cgal.geometryfactory.com
Platform                      Linux cgal.geometryfactory.com
                              3.10.0-229.4.2.el7.x86_64 #1 SMP Wed May 13
                              10:06:09 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-06-17 14:02:32 CEST
Last Seen                     2015-06-17 14:02:32 CEST
Local ID                      2ace044a-1353-4c35-8f5c-035322798519

Raw Audit Messages
type=AVC msg=audit(1434542552.136:6332403): avc:  denied  { search } for  pid=11266 comm="su" scontext=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key


type=SYSCALL msg=audit(1434542552.136:6332403): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=fffffffd a2=0 a3=7f7c50a132f0 items=0 ppid=11065 pid=11266 auid=4294967295 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=su exe=/usr/bin/su subj=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 key=(null)

Hash: su,svirt_lxc_net_t,crond_t,key,search

--- End Message ---
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux