search

containers / qm

QM is a containerized environment for running Functional Safety qm (Quality Management) software
https://github.com/containers/qm
GNU General Public License v2.0
21 stars 22 forks source link

setup: connecting to UNIX socket mounted in the qm container #390

Closed aesteve-rh closed 4 months ago

aesteve-rh commented 4 months ago

Problem statement

Trying to connect to a UNIX socket from inside the qm container, but it gets blocked by SELinux.

Description

I create the socket at /var/lib/systemd/example.socket using systemd.socket, and mounted in the qm partition in a new root folder at /ipc-example.

This is the socket permissions and context:

# ls -lZ /var/lib/systemd/example.socket 
srw-rw-rw-. 1 root root system_u:object_r:qm_container_file_t:s0 0 Apr 25 13:51 /var/lib/systemd/example.socket

And this is the error I get from the service trying to connect to the socket (basically a container with a simple python script):

# sealert -l 6b7b192c-0804-4353-959c-a61560fb89aa
SELinux is preventing /usr/bin/python3.12 from connectto access on the unix_stream_socket /var/lib/systemd/example.socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3.12 should be allowed connectto access on the example.socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'python3' --raw | audit2allow -M my-python3
# semodule -X 300 -i my-python3.pp

Additional Information:
Source Context                system_u:system_r:qm_container_t:s0:c349,c808
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                /var/lib/systemd/example.socket [ unix_stream_socket ]
Source                        python3
Source Path                   /usr/bin/python3.12
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.35-2.el9.noarch
Local Policy RPM              qm-0.6.2-3.el9iv.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 5.14.0-438.391.el9iv.x86_64 #1 SMP
                              PREEMPT_RT Wed Apr 17 19:50:33 UTC 2024 x86_64
                              x86_64
Alert Count                   150
First Seen                    2024-04-25 13:18:57 UTC
Last Seen                     2024-04-25 13:21:26 UTC
Local ID                      6b7b192c-0804-4353-959c-a61560fb89aa

Raw Audit Messages
type=AVC msg=audit(1714051286.118:319): avc:  denied  { connectto } for  pid=649 comm="python3" path="/var/lib/systemd/example.socket" scontext=system_u:system_r:qm_container_t:s0:c349,c808 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0

type=SYSCALL msg=audit(1714051286.118:319): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7ffeae177c90 a2=17 a3=7f4ba6d72c30 items=0 ppid=647 pid=649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python3 exe=/usr/bin/python3.12 subj=system_u:system_r:qm_container_t:s0:c349,c808 key=(null)

Hash: python3,qm_container_t,container_runtime_t,unix_stream_socket,connectto

Running netcat from inside the qm container:

# sealert -l 53f6d2c8-879b-4ab9-bde4-b83ff25865fd
SELinux is preventing /usr/bin/ncat from connectto access on the unix_stream_socket /var/lib/systemd/ipc.socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ncat should be allowed connectto access on the example.socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nc' --raw | audit2allow -M my-nc
# semodule -X 300 -i my-nc.pp

Additional Information:
Source Context                system_u:system_r:qm_t:s0
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                /var/lib/systemd/example.socket [ unix_stream_socket ]
Source                        nc
Source Path                   /usr/bin/ncat
Port                          <Unknown>
Host                          localhost
Source RPM Packages           nmap-ncat-7.92-1.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.35-2.el9.noarch
Local Policy RPM              qm-0.6.2-3.el9iv.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 5.14.0-438.391.el9iv.x86_64 #1 SMP
                              PREEMPT_RT Wed Apr 17 19:50:33 UTC 2024 x86_64
                              x86_64
Alert Count                   1
First Seen                    2024-04-25 13:30:43 UTC
Last Seen                     2024-04-25 13:30:43 UTC
Local ID                      53f6d2c8-879b-4ab9-bde4-b83ff25865fd

Raw Audit Messages
type=AVC msg=audit(1714051843.522:885): avc:  denied  { connectto } for  pid=814 comm="nc" path="/var/lib/systemd/example.socket" scontext=system_u:system_r:qm_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0

type=SYSCALL msg=audit(1714051843.522:885): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=55847bebe8f0 a2=16 a3=55847bf14cc0 items=0 ppid=810 pid=814 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm=nc exe=/usr/bin/ncat subj=system_u:system_r:qm_t:s0 key=(null)

Hash: nc,qm_t,container_runtime_t,unix_stream_socket,connectto
# ausearch -m avc -ts recent 
time->Thu Apr 25 13:52:14 2024
type=PROCTITLE msg=audit(1714053134.700:156): proctitle=707974686F6E33002F7573722F62696E2F6970632D636C69656E74
type=SYSCALL msg=audit(1714053134.700:156): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffce11bcb30 a2=17 a3=7fcb4754ec30 items=0 ppid=606 pid=608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3.12" subj=system_u:system_r:qm_container_t:s0:c243,c915 key=(null)
type=AVC msg=audit(1714053134.700:156): avc:  denied  { connectto } for  pid=608 comm="python3" path="/var/lib/systemd/example.socket" scontext=system_u:system_r:qm_container_t:s0:c243,c915 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0

Expectations

Processes should be allowed to connect to the UNIX socket inside the qm container.

dougsland commented 4 months ago

In the end, this one is the behaviour expected as @rhatdan mentioned in the PR.