
20230320.0 does not work with Fedora CoreOS SELinux #8747

Closed
TommyTran732 opened this issue Mar 26, 2023 · 6 comments
Labels
type: bug Something isn't working

Comments

@TommyTran732

Description

The latest release does not work on Fedora CoreOS because of SELinux. 20230313.0, however, works just fine. This only affects Fedora CoreOS, so it is not reproducible on Fedora.

[Screenshot 2023-03-25 at 9:01:16 PM]

[Screenshot 2023-03-25 at 9:03:11 PM]

Steps to reproduce

  1. Install gvisor release 20230320.0 on Fedora CoreOS 37.20230322.2.0 or 37.20230303.2.0
  2. Run docker run --rm --runtime=runsc-ptrace --security-opt label=disable hello-world when SELinux is active.

runsc version

runsc version release-20230320.0
spec: 1.1.0-rc.1

docker version (if using docker)

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 7
  Running: 7
  Paused: 0
  Stopped: 0
 Images: 11
 Server Version: 20.10.23
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: journald
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc runsc-kvm runsc-ptrace io.containerd.runc.v2
 Default Runtime: runsc-ptrace
 Init Binary: /usr/libexec/docker/docker-init
 containerd version: 
 runc version: 
 init version: 
 Security Options:
  seccomp
   Profile: default
  selinux
  cgroupns
 Kernel Version: 6.1.14-200.fc37.x86_64
 Operating System: Fedora CoreOS 37.20230303.2.0
 OSType: linux
 Architecture: x86_64
 CPUs: 3
 Total Memory: 9.679GiB
 Name: matrix.arcticfoxes.net
 ID: 6DKE:FFK5:QNJU:VWLE:TXLM:TEA4:LPP2:PPDN:LCXM:B2JJ:LTT7:PQEP
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true

uname

Linux matrix.arcticfoxes.net 6.1.14-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Feb 26 00:13:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response

@TommyTran732 TommyTran732 added the type: bug Something isn't working label Mar 26, 2023
@kevinGC
Collaborator

kevinGC commented Mar 29, 2023

Do you know what specifically SELinux is disallowing that causes the failure? Ideally we can work around that, although it's also possible that the SELinux config is just too restrictive.

@avagin
Collaborator

avagin commented Apr 12, 2023

[ 1284.782866] audit: type=1400 audit(1681341109.705:484): avc:  denied  { mounton } for  pid=2054 comm="exe" path="/proc/proc/1/fd" dev="proc" ino=24484 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0

This is due to 54a66a6.

@avagin
Collaborator

avagin commented Apr 13, 2023

The next command has to fix the problem:

$ chcon system_u:object_r:container_runtime_exec_t:s0 path_to_runsc

@TommyTran732
Author

> The next command has to fix the problem:
>
> $ chcon system_u:object_r:container_runtime_exec_t:s0 path_to_runsc

This does fix it! Should I close the issue now or leave it up?

@avagin avagin closed this as completed Apr 17, 2023
@avagin
Collaborator

avagin commented Apr 17, 2023

@TommyTran732 chcon is just for testing. You need to read the CoreOS docs to find out how to set contexts properly.

@TommyTran732
Author

> @TommyTran732 chcon is just for testing. You need to read the CoreOS docs to find out how to set contexts properly.

chcon is probably the best solution right now. Adding SELinux policies will run into this issue: coreos/fedora-coreos-tracker#701
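Added example (not part of this thread, and not gVisor or CoreOS code): a POSIX shell helper that parses an AVC denial of the shape avagin quoted, recognises the specific symptom from this issue (an unconfined runsc process refused `mounton` on proc), and checks whether a runsc binary carries the `container_runtime_exec_t` type that the chcon command above sets. The sample audit lines are constructed from the thread's denial; `ls -Z` needs an SELinux-enabled host, while the parsing functions run anywhere.

```shell
#!/bin/sh
# Constructed sample, modelled on the denial quoted earlier in this thread.
SAMPLE_AVC='audit: type=1400 audit(1681341109.705:484): avc:  denied  { mounton } for  pid=2054 comm="exe" path="/proc/proc/1/fd" dev="proc" ino=24484 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0'
# Constructed unrelated denial, used to show the matcher does not fire on everything.
OTHER_AVC='audit: type=1400 audit(1681341200.000:490): avc:  denied  { write } for  pid=3100 comm="cat" path="/tmp/out" dev="tmpfs" ino=12 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... from an AVC line (quotes stripped).
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the denied permission, i.e. the word inside { }.
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^} ]*\) *}.*/\1/p'
}

# is_runsc_proc_denial LINE: succeed only for the symptom in this issue:
# the sandbox process (comm="exe") running as unconfined_t is denied mounton on proc.
is_runsc_proc_denial() {
  line=$1
  [ "$(avc_perm "$line")" = mounton ] || return 1
  [ "$(avc_field "$line" comm)" = exe ] || return 1
  case "$(avc_field "$line" scontext)" in *:unconfined_t:*) ;; *) return 1 ;; esac
  case "$(avc_field "$line" dev)" in proc) return 0 ;; *) return 1 ;; esac
}

# file_type FILE: print the SELinux type (third colon-separated field) of FILE's context.
file_type() {
  ls -Z "$1" 2>/dev/null | awk '{split($1, c, ":"); print c[3]}'
}

# check_runsc PATH: report whether the runsc binary has the expected type.
# (Hypothetical helper; the expected type is the one from avagin's chcon command.)
check_runsc() {
  t=$(file_type "$1")
  if [ "$t" = container_runtime_exec_t ]; then
    echo "ok: $1 is $t"
    return 0
  fi
  echo "mislabelled: $1 is ${t:-unknown}; expected container_runtime_exec_t"
  return 1
}
```

Feed lines from `journalctl -k` or `ausearch -m avc` into is_runsc_proc_denial to confirm a failing sandbox is this exact denial, then run check_runsc on the runsc path your Docker runtime points at.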
