
This repository contains a tool for generating SELinux security profiles for containers

Error when creating a policy: `Couldn't create policy: 'PERFMON'` #88

Closed JAORMX closed 2 years ago

JAORMX commented 3 years ago

Describe the bug: Unable to create a policy from a container on Fedora 33. The name in the error (`PERFMON`) matches the `CAP_PERFMON` entry in the `EffectiveCaps`/`BoundingCaps` lists of the inspect output below, which the container has because it was started with `--privileged`.

Udica version

0.2.3

podman version

Version:      3.1.0
API Version:  3.1.0
Go Version:   go1.15.8
Built:        Mon Apr 12 14:39:16 2021
OS/Arch:      linux/amd64

Podman inspect output

podman inspect selinuxd
[
    {
        "Id": "b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd",
+ udica selinuxd
        "Created": "2021-04-23T06:24:43.858960438Z",
+ podman inspect selinuxd
        "Path": "/usr/bin/selinuxdctl",
        "Args": [
            "daemon"
        ],
        "State": {
            "OciVersion": "1.0.2-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 14679,
            "ConmonPid": 14674,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2021-04-23T06:24:52.923486801Z",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",
                "FailingStreak": 0,
                "Log": null
            }
        },
        "Image": "287e912c9e11e56391b395b84ec1929df469d9de610d07cab70e21f3eb28e7ca",
        "ImageName": "quay.io/jaosorior/selinuxd-fedora:latest",
        "Rootfs": "",
        "Pod": "",
        "ResolvConfPath": "/run/containers/storage/overlay-containers/b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd/userdata/resolv.conf",
        "HostnamePath": "/run/containers/storage/overlay-containers/b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd/userdata/hostname",
        "HostsPath": "/run/containers/storage/overlay-containers/b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd/userdata/hosts",
        "StaticDir": "/var/lib/containers/storage/overlay-containers/b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd/userdata",
        "OCIConfigPath": "/var/lib/containers/storage/overlay-containers/b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd/userdata/config.json",
        "OCIRuntime": "crun",
        "ConmonPidFile": "/run/containers/storage/overlay-containers/b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd/userdata/conmon.pid",
        "Name": "selinuxd",
        "RestartCount": 0,
        "Driver": "overlay",
        "MountLabel": "system_u:object_r:container_file_t:s0:c242,c471",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "EffectiveCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_DAC_READ_SEARCH",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_LINUX_IMMUTABLE",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_BROADCAST",
            "CAP_NET_ADMIN",
            "CAP_NET_RAW",
            "CAP_IPC_LOCK",
            "CAP_IPC_OWNER",
            "CAP_SYS_MODULE",
            "CAP_SYS_RAWIO",
            "CAP_SYS_CHROOT",
            "CAP_SYS_PTRACE",
            "CAP_SYS_PACCT",
            "CAP_SYS_ADMIN",
            "CAP_SYS_BOOT",
            "CAP_SYS_NICE",
            "CAP_SYS_RESOURCE",
            "CAP_SYS_TIME",
            "CAP_SYS_TTY_CONFIG",
            "CAP_MKNOD",
            "CAP_LEASE",
            "CAP_AUDIT_WRITE",
            "CAP_AUDIT_CONTROL",
            "CAP_SETFCAP",
            "CAP_MAC_OVERRIDE",
            "CAP_MAC_ADMIN",
            "CAP_SYSLOG",
            "CAP_WAKE_ALARM",
            "CAP_BLOCK_SUSPEND",
            "CAP_AUDIT_READ",
            "CAP_PERFMON",
            "CAP_BPF"
        ],
        "BoundingCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_DAC_READ_SEARCH",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_LINUX_IMMUTABLE",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_BROADCAST",
            "CAP_NET_ADMIN",
            "CAP_NET_RAW",
            "CAP_IPC_LOCK",
            "CAP_IPC_OWNER",
            "CAP_SYS_MODULE",
            "CAP_SYS_RAWIO",
            "CAP_SYS_CHROOT",
            "CAP_SYS_PTRACE",
            "CAP_SYS_PACCT",
            "CAP_SYS_ADMIN",
            "CAP_SYS_BOOT",
            "CAP_SYS_NICE",
            "CAP_SYS_RESOURCE",
            "CAP_SYS_TIME",
            "CAP_SYS_TTY_CONFIG",
            "CAP_MKNOD",
            "CAP_LEASE",
            "CAP_AUDIT_WRITE",
            "CAP_AUDIT_CONTROL",
            "CAP_SETFCAP",
            "CAP_MAC_OVERRIDE",
            "CAP_MAC_ADMIN",
            "CAP_SYSLOG",
            "CAP_WAKE_ALARM",
            "CAP_BLOCK_SUSPEND",
            "CAP_AUDIT_READ",
            "CAP_PERFMON",
            "CAP_BPF"
        ],
        "ExecIDs": [],
        "GraphDriver": {
            "Name": "overlay",
            "Data": {
                "LowerDir": "/var/lib/containers/storage/overlay/f5079b9338fd0ea2aa28909e980400a5d03ec79d0d50f5d5beee7bbe7e33c87d/diff:/var/lib/containers/storage/overlay/4f6c1911868506b4e4876db275784eaa72e47ef76b763a2f7595696e379624e6/diff:/var/lib/containers/storage/overlay/36e6d1ca1019d1f90e809a0fd8ec92e9d84fa47afeeefa8898d2beed206f745a/diff:/var/lib/containers/storage/overlay/ad9e92539a859d4f075a713cd426d917f15c200a9b42c631f1eb4aff752ed706/diff:/var/lib/containers/storage/overlay/560fc2df26ee7f35189813d3837095337bd73eb166b569108acef00da10728c3/diff:/var/lib/containers/storage/overlay/27d65299ea8a2ae3431fa4161da0a141426e49da67273947ad5a439df69bba96/diff:/var/lib/containers/storage/overlay/efcf60e50823c88769df575821c86f5bc1390f7d34bcf9464a40d105bf0bd99e/diff",
                "MergedDir": "/var/lib/containers/storage/overlay/aafbc7489b4a074711bbdc2dc01ac3f8395ee284f29829bec4e7163adffe2200/merged",
                "UpperDir": "/var/lib/containers/storage/overlay/aafbc7489b4a074711bbdc2dc01ac3f8395ee284f29829bec4e7163adffe2200/diff",
                "WorkDir": "/var/lib/containers/storage/overlay/aafbc7489b4a074711bbdc2dc01ac3f8395ee284f29829bec4e7163adffe2200/work"
            }
        },
        "Mounts": [
            {
                "Type": "bind",
                "Source": "/sys/fs/selinux",
                "Destination": "/sys/fs/selinux",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "noexec",
                    "nosuid",
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/var/lib/selinux",
                "Destination": "/var/lib/selinux",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/etc/selinux",
                "Destination": "/etc/selinux",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/etc/selinux.d",
                "Destination": "/etc/selinux.d",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            }
        ],
        "Dependencies": [],
        "NetworkSettings": {
            "EndpointID": "",
            "Gateway": "10.88.0.1",
            "IPAddress": "10.88.0.3",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "MacAddress": "2e:e4:66:48:33:08",
            "Bridge": "",
            "SandboxID": "",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "/run/netns/cni-2f49e675-a459-6845-ac97-7e2e896a948f",
            "Networks": {
                "podman": {
                    "EndpointID": "",
                    "Gateway": "10.88.0.1",
                    "IPAddress": "10.88.0.3",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "2e:e4:66:48:33:08",
                    "NetworkID": "podman",
                    "DriverOpts": null,
                    "IPAMConfig": null,
                    "Links": null
                }
            }
        },
        "ExitCommand": [
            "/usr/bin/podman",
            "--root",
            "/var/lib/containers/storage",
            "--runroot",
            "/run/containers/storage",
            "--log-level",
            "warning",
            "--cgroup-manager",
            "systemd",
            "--tmpdir",
            "/run/libpod",
            "--runtime",
            "crun",
            "--storage-driver",
            "overlay",
            "--storage-opt",
            "overlay.mountopt=nodev",
            "--events-backend",
            "journald",
            "container",
            "cleanup",
            "b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd"
        ],
        "Namespace": "",
        "IsInfra": false,
        "Config": {
            "Hostname": "b87ebdc9a0aa",
            "Domainname": "",
            "User": "root",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "TERM=xterm",
                "container=oci",
                "DISTTAG=f33container",
                "FGC=f33",
                "HOME=/root",
                "HOSTNAME=b87ebdc9a0aa"
            ],
            "Cmd": [
                "daemon"
            ],
            "Image": "quay.io/jaosorior/selinuxd-fedora:latest",
            "Volumes": null,
            "WorkingDir": "/",
            "Entrypoint": "/usr/bin/selinuxdctl",
            "OnBuild": null,
            "Labels": {
                "description": "selinuxd is a daemon that listens for files in /etc/selinux.d/ and installs the relevant policies.",
                "io.buildah.version": "1.19.4",
                "license": "MIT",
                "name": "selinuxd",
                "vendor": "Fedora Project",
                "version": "33"
            },
            "Annotations": {
                "io.container.manager": "libpod",
                "io.containers.trace-syscall": "of:/tmp/selinuxd-seccomp.json",
                "io.kubernetes.cri-o.Created": "2021-04-23T06:24:43.858960438Z",
                "io.kubernetes.cri-o.TTY": "false",
                "io.podman.annotations.autoremove": "FALSE",
                "io.podman.annotations.init": "FALSE",
                "io.podman.annotations.privileged": "TRUE",
                "io.podman.annotations.publish-all": "FALSE",
                "org.opencontainers.image.stopSignal": "15"
            },
            "StopSignal": 15,
            "CreateCommand": [
                "podman",
                "run",
                "--name",
                "selinuxd",
                "-d",
                "--annotation",
                "io.containers.trace-syscall=of:/tmp/selinuxd-seccomp.json",
                "--privileged",
                "-v",
                "/sys/fs/selinux:/sys/fs/selinux",
                "-v",
                "/var/lib/selinux:/var/lib/selinux",
                "-v",
                "/etc/selinux:/etc/selinux",
                "-v",
                "/etc/selinux.d:/etc/selinux.d",
                "quay.io/jaosorior/selinuxd-fedora:latest",
                "daemon"
            ],
            "Umask": "0022"
        },
        "HostConfig": {
            "Binds": [
                "/sys/fs/selinux:/sys/fs/selinux:rw,rprivate,noexec,nosuid,rbind",
                "/var/lib/selinux:/var/lib/selinux:rw,rprivate,rbind",
                "/etc/selinux:/etc/selinux:rw,rprivate,rbind",
                "/etc/selinux.d:/etc/selinux.d:rw,rprivate,rbind"
            ],
            "CgroupManager": "systemd",
            "CgroupMode": "private",
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "k8s-file",
                "Config": null,
                "Path": "/var/lib/containers/storage/overlay-containers/b87ebdc9a0aaec8458ceab844f56889136b413706fd2eda1bfcd1c6c6c0d52fd/userdata/ctr.log",
                "Tag": "",
                "Size": "0B"
            },
            "NetworkMode": "bridge",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": [],
            "CapDrop": [
                "CAP_CHECKPOINT_RESTORE"
            ],
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": [],
            "GroupAdd": [],
            "IpcMode": "private",
            "Cgroup": "",
            "Cgroups": "default",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "private",
            "Privileged": true,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": [],
            "Tmpfs": {},
            "UTSMode": "private",
            "UsernsMode": "",
            "ShmSize": 65536000,
            "Runtime": "oci",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": 0,
            "OomKillDisable": false,
            "PidsLimit": 2048,
            "Ulimits": [
                {
                    "Name": "RLIMIT_NOFILE",
                    "Soft": 1048576,
                    "Hard": 1048576
                },
                {
                    "Name": "RLIMIT_NPROC",
                    "Soft": 4194304,
                    "Hard": 4194304
                }
            ],
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "CgroupConf": null
        }
    }
]

Error output

Couldn't create policy: 'PERFMON'
Error: Process completed with exit code 4.

Expected behavior: It should generate the policy.

Additional context: We have this set up in our CI. You can see the failure here: https://github.com/JAORMX/selinuxd/pull/73

JAORMX commented 3 years ago

@wrabcak might wanna check this out; this is an issue on newer Fedora versions.