Re: SELinux + FUSE + Podman + rclone +gdrive = ???

On 10/28/20 10:46 AM, Chris S wrote:
> Howdy folks! 
> 
> Have an interesting concoction of technologies mixed together and have
> found myself in a pickle. 
> 
> Currently I have a host that has pods with containers. From the host I
> am using rclone hooked up to Google Drive (and fuse mounted).
> 
> When looking at the directory I have mounted with rclone you see the
> following SELinux label:
> 
>     system_u:object_r:fusefs_t:s0
> 
> 
> Trying to relabel this with chcon does not work (probably expected)
> getting permission denied.
> 
> 
> When mounting the volume into the container with :z exhibits similar
> behavior:
> 
> Error: relabel failed "/gdrive": operation not supported
> 
> 
> I then bash into a test CentOS container with the volume mapped in
> (without the labeling :z) and attempt to touch a file to generate an
> audit alert:
> 
>     sudo grep touch /var/log/audit/audit.log
> 
>     type=AVC msg=audit(1603873529.524:951948): avc:  denied  { write }
>     for  pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297
>     scontext=system_u:system_r:container_t:s0:c296,c525
>     tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir
>     permissive=0
> 
> 
> After finding the event, I attempt to pipe this into audit2allow:
> 
>     grep touch /var/log/audit/audit.log | audit2allow -R -M gdrive_allow
> 
> 
> I then ran into this error:
> 
>     could not open interface info [/var/lib/sepolgen/interface_info]
> 
> 
> At which point I installed sepolgen-ifgen - I then re-ran the
> audit2allow command.
> 
> 
> This is where I get some interesting behavior:
> 
>     compilation failed:
>     find: ‘thinclient_drives’: Permission denied
>     /usr/share/selinux/devel/include/services/container.if:13: Error:
>     duplicate definition of container_runtime_domtrans(). Original
>     definition on 13.
>     /usr/share/selinux/devel/include/services/container.if:40: Error:
>     duplicate definition of container_runtime_run(). Original definition
>     on 40.
>     /usr/share/selinux/devel/include/services/container.if:60: Error:
>     duplicate definition of container_runtime_exec(). Original
>     definition on 60.
>     /usr/share/selinux/devel/include/services/container.if:79: Error:
>     duplicate definition of container_read_state(). Original definition
>     on 79.
>     /usr/share/selinux/devel/include/services/container.if:97: Error:
>     duplicate definition of container_search_lib(). Original definition
>     on 97.
>     /usr/share/selinux/devel/include/services/container.if:116: Error:
>     duplicate definition of container_exec_lib(). Original definition on
>     116.
>     /usr/share/selinux/devel/include/services/container.if:135: Error:
>     duplicate definition of container_read_lib_files(). Original
>     definition on 135.
>     /usr/share/selinux/devel/include/services/container.if:154: Error:
>     duplicate definition of container_read_share_files(). Original
>     definition on 154.
>     /usr/share/selinux/devel/include/services/container.if:175: Error:
>     duplicate definition of container_runtime_read_tmpfs_files().
>     Original definition on 175.
>     /usr/share/selinux/devel/include/services/container.if:196: Error:
>     duplicate definition of container_manage_share_files(). Original
>     definition on 196.
>     /usr/share/selinux/devel/include/services/container.if:217: Error:
>     duplicate definition of container_manage_share_dirs(). Original
>     definition on 217.
>     /usr/share/selinux/devel/include/services/container.if:237: Error:
>     duplicate definition of container_exec_share_files(). Original
>     definition on 237.
>     /usr/share/selinux/devel/include/services/container.if:255: Error:
>     duplicate definition of container_manage_config_files(). Original
>     definition on 255.
>     /usr/share/selinux/devel/include/services/container.if:274: Error:
>     duplicate definition of container_manage_lib_files(). Original
>     definition on 274.
>     /usr/share/selinux/devel/include/services/container.if:294: Error:
>     duplicate definition of container_manage_files(). Original
>     definition on 294.
>     /usr/share/selinux/devel/include/services/container.if:313: Error:
>     duplicate definition of container_manage_dirs(). Original definition
>     on 313.
>     /usr/share/selinux/devel/include/services/container.if:331: Error:
>     duplicate definition of container_manage_lib_dirs(). Original
>     definition on 331.
>     /usr/share/selinux/devel/include/services/container.if:367: Error:
>     duplicate definition of container_lib_filetrans(). Original
>     definition on 367.
>     /usr/share/selinux/devel/include/services/container.if:385: Error:
>     duplicate definition of container_read_pid_files(). Original
>     definition on 385.
>     /usr/share/selinux/devel/include/services/container.if:404: Error:
>     duplicate definition of container_systemctl(). Original definition
>     on 404.
>     /usr/share/selinux/devel/include/services/container.if:429: Error:
>     duplicate definition of container_rw_sem(). Original definition on 429.
>     /usr/share/selinux/devel/include/services/container.if:448: Error:
>     duplicate definition of container_append_file(). Original definition
>     on 448.
>     /usr/share/selinux/devel/include/services/container.if:466: Error:
>     duplicate definition of container_use_ptys(). Original definition on
>     466.
>     /usr/share/selinux/devel/include/services/container.if:484: Error:
>     duplicate definition of container_filetrans_named_content().
>     Original definition on 484.
>     /usr/share/selinux/devel/include/services/container.if:537: Error:
>     duplicate definition of container_stream_connect(). Original
>     definition on 546.
>     /usr/share/selinux/devel/include/services/container.if:558: Error:
>     duplicate definition of container_spc_stream_connect(). Original
>     definition on 567.
>     /usr/share/selinux/devel/include/services/container.if:579: Error:
>     duplicate definition of container_admin(). Original definition on 588.
>     /usr/share/selinux/devel/include/services/container.if:626: Error:
>     duplicate definition of container_auth_domtrans(). Original
>     definition on 635.
>     /usr/share/selinux/devel/include/services/container.if:645: Error:
>     duplicate definition of container_auth_exec(). Original definition
>     on 654.
>     /usr/share/selinux/devel/include/services/container.if:664: Error:
>     duplicate definition of container_auth_stream_connect(). Original
>     definition on 673.
>     /usr/share/selinux/devel/include/services/container.if:683: Error:
>     duplicate definition of container_runtime_typebounds(). Original
>     definition on 692.
>     /usr/share/selinux/devel/include/services/container.if:702: Error:
>     duplicate definition of container_runtime_entrypoint(). Original
>     definition on 711.
>     /usr/share/selinux/devel/include/services/container.if:709: Error:
>     duplicate definition of docker_exec_lib(). Original definition on 718.
>     /usr/share/selinux/devel/include/services/container.if:713: Error:
>     duplicate definition of docker_read_share_files(). Original
>     definition on 722.
>     /usr/share/selinux/devel/include/services/container.if:717: Error:
>     duplicate definition of docker_exec_share_files(). Original
>     definition on 726.
>     /usr/share/selinux/devel/include/services/container.if:721: Error:
>     duplicate definition of docker_manage_lib_files(). Original
>     definition on 730.
>     /usr/share/selinux/devel/include/services/container.if:726: Error:
>     duplicate definition of docker_manage_lib_dirs(). Original
>     definition on 735.
>     /usr/share/selinux/devel/include/services/container.if:730: Error:
>     duplicate definition of docker_lib_filetrans(). Original definition
>     on 739.
>     /usr/share/selinux/devel/include/services/container.if:734: Error:
>     duplicate definition of docker_read_pid_files(). Original definition
>     on 743.
>     /usr/share/selinux/devel/include/services/container.if:738: Error:
>     duplicate definition of docker_systemctl(). Original definition on 747.
>     /usr/share/selinux/devel/include/services/container.if:742: Error:
>     duplicate definition of docker_use_ptys(). Original definition on 751.
>     /usr/share/selinux/devel/include/services/container.if:746: Error:
>     duplicate definition of docker_stream_connect(). Original definition
>     on 755.
>     /usr/share/selinux/devel/include/services/container.if:750: Error:
>     duplicate definition of docker_spc_stream_connect(). Original
>     definition on 759.
>     /usr/share/selinux/devel/include/services/container.if:764: Error:
>     duplicate definition of container_spc_read_state(). Original
>     definition on 773.
>     /usr/share/selinux/devel/include/services/container.if:783: Error:
>     duplicate definition of container_runtime_domain_template().
>     Original definition on 792.
>     /usr/share/selinux/devel/include/services/container.if:819: Error:
>     duplicate definition of container_domain_template(). Original
>     definition on 828.
>     /usr/share/selinux/devel/include/services/container.if:847: Error:
>     duplicate definition of container_spc_rw_pipes(). Original
>     definition on 856.
>     Compiling targeted gdrive_allow module
>     gdrive_allow.te:15:ERROR 'syntax error' at token 'mlsconstrain' on
>     line 3339:
>     # mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-)
>      or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
>     mlsconstrain dir { write setattr append unlink link rename add_name
>     remove_name } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type
>     -Fail-) ); Constraint DENIED
>     /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>     make: *** [/usr/share/selinux/devel/include/Makefile:157:
>     tmp/gdrive_allow.mod] Error 1
> 
> 
> What stands out here is *gdrive_allow.te:15:ERROR 'syntax error' at
> token 'mlsconstrain' on line 3339*
> This leads me to believe that audit2allow is not equipped to handle this
> kind of rule - specifically:
> 
>     policy_module(gdrive_allow, 1.0)
> 
> 
>     require {
> 
>     type container_file_t;
> 
>     type container_t;
> 
>     class dir write;
> 
>     }
> 
> 
>     #============= container_t ==============
> 
> 
>     #!!!! This avc is a constraint violation.  You would need to modify
>     the attributes of either the source or target types to allow this
>     access.
> 
>     #Constraint rule: 
> 
>     #mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-)  or
>     (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
> 
>     mlsconstrain dir { write setattr append unlink link rename add_name
>     remove_name } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type
>     -Fail-) ); Constraint DENIED
> 
>     mlsconstrain dir { relabelfrom } ((h1 dom h2 -Fail-)  or (t1 !=
>     mcs_constrained_type -Fail-) ); Constraint DENIED
> 
>     mlsconstrain dir { create relabelto } ((h1 dom h2 -Fail-)  or (t1 !=
>     mcs_constrained_type -Fail-) ); Constraint DENIED
> 
> 
>     #Possible cause is the source level (s0:c296,c525) and target level
>     (s0:c332,c605) are different.
> 
>     allow container_t container_file_t:dir write;
> 
> At the current point in time, I am at a standstill as I cannot relabel
> the source. Any help would be extremely appreciated - I refuse to turn
> SELinux off hehe :)
> 
> CentOS Linux release 8.2.2004 (Core) 
> 
> 4.18.0-193.19.1.el8_2.x86_64
> 
> podman version 1.6.4
> 
> container-selinux-2.124.0-1.module_el8.2.0+305+5e198a41.noarch
> 
> policycoreutils-devel-2.9-9.el8.x86_64
> 
> selinux-policy-devel-3.14.3-41.el8_2.6.noarch
> 
> 

Hello,

Did you mount /gdrive into some previous container? Because it was
relabeled to the correct SELinux type, container_file_t, but it also got
the concrete MCS categories "c332,c605". Now you're trying to access the
volume from a different container, with different unique categories
"c296,c525".

It's expected that each container has the same type "container_t" but
unique categories.

To make it work, you need to label /gdrive as container_file_t but with
*NO* category. You can use the restorecon and chcon commands; the problem
is that you see permission denied. Do you execute these commands with
root privileges?

Thanks,
Lukas.

> 
> Regards,
> 
> Christopher
> 
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
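As an added illustration of the MCS point in Lukas's reply (example code, not from the thread): a Python classifier that reads an AVC line such as the one Chris posted and reports whether the denial is a type mismatch or a category mismatch, and shows why a container_file_t label with no categories is dominated by every container. The second sample line and the assumption that container_file_t is the shared volume type are constructed for the example.

```python
import re

# Constructed sample AVC lines: the first reproduces the denial from the thread (same
# type, different MCS categories); the second is a made-up denial against fusefs_t.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1603873529.524:951948): avc:  denied  { write } for  pid=2226162 '
    'comm="touch" name="gdrive" dev="dm-0" ino=2359297 scontext=system_u:system_r:container_t:s0:c296,c525 '
    'tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir permissive=0',
    'type=AVC msg=audit(1603873600.000:951949): avc:  denied  { read } for  pid=2226170 '
    'comm="ls" name="gdrive" dev="fuse" ino=1 scontext=system_u:system_r:container_t:s0:c296,c525 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0',
]
FIELD_RE = re.compile(r'\b(scontext|tcontext|tclass)=(\S+)')
SHARED_VOLUME_TYPE = 'container_file_t'  # assumption: the file type container_t may write to

def expand_categories(cats):
    """'c296,c525' -> {296, 525}; a range 'c0.c3' -> {0, 1, 2, 3}; '' -> set()."""
    out = set()
    for item in filter(None, cats.split(',')):
        lo, _, hi = item.partition('.')
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return out

def parse_context(ctx):
    """Split 'user:role:type:sensitivity[:categories]' into its parts."""
    user, role, typ, level = ctx.split(':', 3)
    sens, _, cats = level.partition(':')
    return {'user': user, 'role': role, 'type': typ, 'sensitivity': sens,
            'categories': expand_categories(cats)}

def dominates(src, tgt):
    """MCS 'h1 dom h2': the subject must hold every category the object carries."""
    return tgt['categories'] <= src['categories']

def shared_label(ctx):
    """Drop the categories so any container_t (whatever its categories) dominates the object."""
    return ':'.join(ctx.split(':')[:4])

def diagnose(avc_line):
    """Return (kind, detail): 'type_mismatch', 'mcs_mismatch' or 'policy_rule'."""
    fields = dict(FIELD_RE.findall(avc_line))
    src, tgt = parse_context(fields['scontext']), parse_context(fields['tcontext'])
    if tgt['type'] != SHARED_VOLUME_TYPE:
        return ('type_mismatch', f"target is {tgt['type']}, expected {SHARED_VOLUME_TYPE}")
    if not dominates(src, tgt):
        return ('mcs_mismatch', f"source cats {sorted(src['categories'])} lack target cats {sorted(tgt['categories'])}")
    return ('policy_rule', f"plain type-enforcement denial on {fields['tclass']}")
```

Run against the thread's denial it reports an MCS category mismatch rather than a missing allow rule, which is why audit2allow produced a constraint comment instead of a usable module.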

