
Starting lxd triggers SELinux error: "avc: denied { nosuid_transition }" #6

Open
ganto opened this issue May 28, 2018 · 2 comments

@ganto
Owner

ganto commented May 28, 2018

When starting the lxd service on a Fedora 27 with SELinux enabled, the following AVC is triggered:

```
type=AVC msg=audit(1527521822.187:967): avc:  denied  { nosuid_transition } for  pid=21577 comm="lxd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=process2 permissive=1
```

However, the service is still successfully started and no loss of functionality could be experienced so far.

@ganto
Owner Author

ganto commented May 30, 2018

It seems the issue is caused by /var being mounted with the nosuid option on my system:

Removing the nosuid option makes the AVC go away.

@ganto
Owner Author

ganto commented May 31, 2018

Now I was reading Teaching an old dog new tricks, which seems to describe a nice fix for this issue without the requirement to give up the nosuid mount option:

nosuid_transition

While I was looking at the nnp_transition rules, I noticed that there was also a nosuid_transition permission. nosuid allows people to mount a file system with the nosuid flag; this tells the kernel that even if a setuid application exists on this file system, the kernel should ignore it and not allow a process to gain privilege via the file. You always want untrusted file systems like USB sticks to be mounted with this flag. Well, SELinux systems similarly ignore transition rules on labels based on a nosuid file system. Similar to nnp_transition, this blocks a process from transitioning from a privileged domain to a less privileged domain. But the nosuid_transition flag allows us to tell the kernel to allow transitions from one domain to another even if the file system is marked nosuid.

```
allow container_runtime_t confined_t:process2 nosuid_transition;
allow unconfined_t container_t:process2 nosuid_transition;
```

This means that even if a user used podman to execute a file on a nosuid file system it would be allowed to transition from the unconfined_t to container_t.

It looks to me as this should be available in container-selinux since version 2.57 (containers/container-selinux@2377c73). Still I'm seeing this error with container-selinux-2.60-1.git97f8dfc.fc27.noarch.

Must be an uncovered label combination in case of LXD... @Conan-Kudo any hint on this?
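As an added example (not code from the issue, LXD or container-selinux), a POSIX shell script that does for this AVC what audit2allow does in general: it recognises a nosuid_transition denial, derives the missing allow rule for the exact source/target pair (here container_runtime_t to spc_t, which the container-selinux rules quoted above do not cover), and wraps it in a loadable local module. The sample AVC line is constructed to match the one in the issue, and the module name is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the issue, LXD or container-selinux: turn a
# nosuid_transition AVC into the local policy module that closes it.
# Constructed sample in the shape of the AVC quoted in the issue.
SAMPLE_AVC='type=AVC msg=audit(1527521822.187:967): avc:  denied  { nosuid_transition } for  pid=21577 comm="lxd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=process2 permissive=1'

# Print one key=value field of an AVC line (empty if the key is absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the type (third component) of a context like system_u:system_r:spc_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 only for a denied nosuid_transition on the process2 class.
is_nosuid_transition_denial() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p')
    [ "$(avc_field "$1" tclass)" = process2 ] || return 1
    case " $perms " in *" nosuid_transition "*) return 0 ;; esac
    return 1
}

# Emit the allow rule for this exact source/target pair, in the same shape as
# the container-selinux rules quoted in the issue.
policy_rule_for() {
    is_nosuid_transition_denial "$1" || return 1
    printf 'allow %s %s:process2 nosuid_transition;\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# Wrap the rule in a raw .te module (the form audit2allow -M writes). Build and
# load with: checkmodule -M -m -o m.mod m.te && semodule_package -o m.pp -m m.mod
# && semodule -i m.pp. The module name is a placeholder.
local_module_for() {
    rule=$(policy_rule_for "$1") || return 1
    cat <<EOF
module local_nosuid_transition 1.0;
require {
    type $(ctx_type "$(avc_field "$1" scontext)");
    type $(ctx_type "$(avc_field "$1" tcontext)");
    class process2 nosuid_transition;
}
$rule
EOF
}

local_module_for "$SAMPLE_AVC"
```

With real audit data, feed one AVC line at a time (for example from `ausearch -m AVC -c lxd`) through `local_module_for`; each generated rule widens what the source domain may transition to on nosuid file systems, so it is worth reading before loading.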
