
avc denied log after enabling SELinux #2561

Open
Eshakk opened this Issue Mar 4, 2019 · 1 comment


Eshakk commented Mar 4, 2019

Issue Report

I have followed the steps in https://github.com/coreos/docs/blob/master/os/selinux.md to check my containers' compatibility with SELinux.

Bug

After enabling logging, I found the below message in the system logs:

Mar 04 20:45:39 sys_hostname_here audit[36286]: AVC avc:  denied  { execstack } for  pid=36286 comm="node" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1

Container Linux Version

$ cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=2023.4.0
VERSION_ID=2023.4.0
BUILD_ID=2019-02-26-0032
PRETTY_NAME="Container Linux by CoreOS 2023.4.0 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

Expected Behavior

Container to start successfully.

Actual Behavior

Got an execstack error while starting the container.

Reproduction Steps

Ran these commands to enable logging for SELinux:

$ rm /etc/audit/rules.d/80-selinux.rules
$ rm /etc/audit/rules.d/99-default.rules
$ rm /etc/selinux/mcs
$ cp -a /usr/lib/selinux/mcs /etc/selinux
$ rm /var/lib/selinux
$ cp -a /usr/lib/selinux/policy /var/lib/selinux
$ semodule -DB
$ systemctl restart audit-rules

and restarted my container.
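The AVC record in this report is worth reading field by field, because permissive=1 means the denial was only logged, not enforced (the sestatus output in the follow-up comment shows "Current mode: permissive"). The following Python is an added example, not code from the issue or from the Container Linux project: it parses AVC lines into structured fields, flags which denials would actually block in enforcing mode, and groups them the way you would before deciding on a policy change. The first sample line is the one from this report; the second line, and its svirt_lxc_net_t container context, is a constructed variant with permissive=0 to show the difference.

```python
import re
from collections import Counter

# Sample audit output. Line 1 is the record from this issue; line 2 is a
# constructed variant (container context and permissive=0 are assumptions).
SAMPLE_LOG = """\
Mar 04 20:45:39 sys_hostname_here audit[36286]: AVC avc:  denied  { execstack } for  pid=36286 comm="node" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
Mar 04 20:46:01 sys_hostname_here audit[36301]: AVC avc:  denied  { execstack } for  pid=36301 comm="node" scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tclass=process permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$"
)
# key=value pairs; values may be double-quoted (comm="node") or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields in `line`, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec = {
        "verdict": m.group("verdict"),
        "permissions": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=1: the denial was logged but the operation was allowed
        "permissive": fields.get("permissive") == "1",
    }
    # Only a denial recorded while enforcing actually stopped the process
    rec["blocked"] = rec["verdict"] == "denied" and not rec["permissive"]
    return rec


def parse_log(text):
    """Parse every AVC record in a block of log text, skipping other lines."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def summarize(records):
    """Count denials by (source type, target class, permission).

    This is the grouping you would look at before writing a policy module:
    each key corresponds to one candidate allow rule.
    """
    counts = Counter()
    for r in records:
        if r["verdict"] != "denied":
            continue
        stype = r["scontext"].split(":")[2] if r["scontext"] else None
        for perm in r["permissions"]:
            counts[(stype, r["tclass"], perm)] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        state = "BLOCKED" if r["blocked"] else "logged only (permissive)"
        print(f"pid={r['pid']} comm={r['comm']} {r['permissions']} {state}")
    for (stype, tclass, perm), n in summarize(recs).items():
        print(f"{n}x  allow {stype} self:{tclass} {perm};")
```

The `blocked` flag is the first thing to check when triaging a report like this one: in permissive mode the container keeps running, so the denial is a warning about what enforcing mode would do, not the cause of a failure. The execstack permission on tclass=process means the process asked for an executable stack; the grouping in `summarize` shows which domain would need that permission if you chose to allow it rather than fix the binary.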

Eshakk commented Mar 4, 2019

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31