
Centos docker image throwing selinux violation warnings. #5779

Open

whitingjr opened this issue Jun 28, 2019 · 1 comment

Environment

Provide at least:

  • JRuby version (jruby -v) and command line (flags, JRUBY_OPTS, etc)
jruby -v
jruby 9.2.6.0 (2.5.3) 2019-06-04 15ba00b OpenJDK 64-Bit Server VM 11.0.3+7 on 11.0.3+7 +jit [linux-x86_64]

  • Operating system and platform (e.g. uname -a)
$ uname -a
Linux f29lite 5.0.17-200.fc29.x86_64 #1 SMP Mon May 20 15:39:10 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Other relevant info you may wish to add:

$ docker -v
Docker version 1.13.1, build 1185cfd/1.13.1

Docker image:
centos:7.6.1810

Expected Behavior

When building a Ruby application that has been ported to JRuby, the docker build generates errors. The host gets SELinux errors, logged in the system journal.

Actual Behavior

When docker build is executed, the build completes. Yet when the gem is executed, JRuby reports that the gem executable cannot be found.
Looking back through the build process shows there are restrictions imposed by SELinux.

You can run the build by checking out this project, apisonator, and building the branch jruby-port-branch by executing the Makefile:
$ make -f openshift/Makefile build

This is a small sample of the many setroubleshoot-captured errors:

Jun 27 23:00:15 f29lite setroubleshoot[20573]: Plugin Exception catchall_labels
Jun 27 23:00:15 f29lite setroubleshoot[20573]: SELinux is preventing sh from read access on the file /usr/lib64/libtinfo.so.5.9. For complete SELinux messages run: sealert -l ea043838-0137-4396-a92b-141d5b9b12dd
Jun 27 23:00:15 f29lite python3[20573]: SELinux is preventing sh from read access on the file /usr/lib64/libtinfo.so.5.9.
                                        
                                        *****  Plugin restorecon (99.5 confidence) suggests   ************************
                                        
                                        If you want to fix the label. 
                                        /usr/lib64/libtinfo.so.5.9 default label should be lib_t.
                                        Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                        Do
                                        # /sbin/restorecon -v /usr/lib64/libtinfo.so.5.9
                                        
                                        *****  Plugin catchall (1.49 confidence) suggests   **************************
                                        
                                        If you believe that sh should be allowed read access on the libtinfo.so.5.9 file by default.
                                        Then you should report this as a bug.
                                        You can generate a local policy module to allow this access.
                                        Do
                                        allow this access for now by executing:
                                        # ausearch -c 'sh' --raw | audit2allow -M my-sh
                                        # semodule -X 300 -i my-sh.pp
                                        
Jun 27 23:00:15 f29lite setroubleshoot[20573]: SELinux is preventing semanage from read access on the directory /usr/lib64/python2.7/site-packages. For complete SELinux messages run: sealert -l d3660f29-86b6-4b3e-ad59-cb0903b6621f
Jun 27 23:00:15 f29lite python3[20573]: SELinux is preventing semanage from read access on the directory /usr/lib64/python2.7/site-packages.
                                        
                                        *****  Plugin restorecon (99.5 confidence) suggests   ************************
                                        
                                        If you want to fix the label. 
                                        /usr/lib64/python2.7/site-packages default label should be lib_t.
                                        Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                        Do
                                        # /sbin/restorecon -v /usr/lib64/python2.7/site-packages
                                        
                                        *****  Plugin catchall (1.49 confidence) suggests   **************************
                                        
                                        If you believe that semanage should be allowed read access on the site-packages directory by default.
                                        Then you should report this as a bug.
                                        You can generate a local policy module to allow this access.
                                        Do
                                        allow this access for now by executing:
                                        # ausearch -c 'semanage' --raw | audit2allow -M my-semanage
                                        # semodule -X 300 -i my-semanage.pp
                                        
Jun 27 23:00:15 f29lite setroubleshoot[20573]: SELinux is preventing semanage from read access on the directory /usr/lib64/python2.7/site-packages. For complete SELinux messages run: sealert -l 44dff5b0-a9e9-49b8-a886-245ea13446ef
Jun 27 23:00:15 f29lite python3[20573]: SELinux is preventing semanage from read access on the directory /usr/lib64/python2.7/site-packages.
                                        
                                        *****  Plugin restorecon (99.5 confidence) suggests   ************************
                                        
                                        If you want to fix the label. 
                                        /usr/lib64/python2.7/site-packages default label should be lib_t.
                                        Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                        Do
                                        # /sbin/restorecon -v /usr/lib64/python2.7/site-packages
                                        
                                        *****  Plugin catchall (1.49 confidence) suggests   **************************
                                        
                                        If you believe that semanage should be allowed read access on the site-packages directory by default.
                                        Then you should report this as a bug.
                                        You can generate a local policy module to allow this access.
                                        Do
                                        allow this access for now by executing:
                                        # ausearch -c 'semanage' --raw | audit2allow -M my-semanage
                                        # semodule -X 300 -i my-semanage.pp
                                        
Jun 27 23:00:15 f29lite setroubleshoot[20573]: SELinux is preventing semanage from read access on the file /usr/lib64/python2.7/site-packages/policycoreutils/default_encoding_utf8.so. For complete SELinux messages run: sealert -l b9ef2ea5-132e-4616-8fd5-7df0a91f3d20
Jun 27 23:00:15 f29lite python3[20573]: SELinux is preventing semanage from read access on the file /usr/lib64/python2.7/site-packages/policycoreutils/default_encoding_utf8.so.
                                        
                                        *****  Plugin restorecon (99.5 confidence) suggests   ************************
                                        
                                        If you want to fix the label. 
                                        /usr/lib64/python2.7/site-packages/policycoreutils/default_encoding_utf8.so default label should be lib_t.
                                        Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                        Do
                                        # /sbin/restorecon -v /usr/lib64/python2.7/site-packages/policycoreutils/default_encoding_utf8.so
                                        
                                        *****  Plugin catchall (1.49 confidence) suggests   **************************
                                        
                                        If you believe that semanage should be allowed read access on the default_encoding_utf8.so file by default.
                                        Then you should report this as a bug.
                                        You can generate a local policy module to allow this access.
                                        Do
                                        allow this access for now by executing:
                                        # ausearch -c 'semanage' --raw | audit2allow -M my-semanage
                                        # semodule -X 300 -i my-semanage.pp
                                        

 messages run: sealert -l 369bdd7e-62d5-48e0-a4bc-faaa921364cb
Jun 27 14:55:03 f29lite python3[15434]: SELinux is preventing bash from read access on the directory /opt/jruby/jruby-9.2.6.0/lib.
                                        
                                        *****  Plugin restorecon (99.5 confidence) suggests   ************************
                                        
                                        If you want to fix the label. 
                                        /opt/jruby/jruby-9.2.6.0/lib default label should be lib_t.
                                        Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                        Do
                                        # /sbin/restorecon -v /opt/jruby/jruby-9.2.6.0/lib
                                        
                                        *****  Plugin catchall (1.49 confidence) suggests   **************************
                                        
                                        If you believe that bash should be allowed read access on the lib directory by default.
                                        Then you should report this as a bug.
                                        You can generate a local policy module to allow this access.
                                        Do
                                        allow this access for now by executing:
                                        # ausearch -c 'bash' --raw | audit2allow -M my-bash
                                        # semodule -X 300 -i my-bash.pp
Jun 27 14:55:03 f29lite python3[15434]: SELinux is preventing java from read access on the file /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre/lib/amd64/jli/libjli.so.
                                        
                                        *****  Plugin restorecon (99.5 confidence) suggests   ************************
                                        
                                        If you want to fix the label. 
                                        /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre/lib/amd64/jli/libjli.so default label should be textrel_shlib_t.
                                        Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                        Do
                                        # /sbin/restorecon -v /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre/lib/amd64/jli/libjli.so
                                        
                                        *****  Plugin catchall (1.49 confidence) suggests   **************************
                                        
                                        If you believe that java should be allowed read access on the libjli.so file by default.
                                        Then you should report this as a bug.
                                        You can generate a local policy module to allow this access.
                                        Do
                                        allow this access for now by executing:
                                        # ausearch -c 'java' --raw | audit2allow -M my-java
                                        # semodule -X 300 -i my-java.pp

I've started to go down the never-ending path of configuring SELinux policies. Has this issue been seen before?
Would a better alternative be to use one of the JRuby docker images instead?
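A note on reading the setroubleshoot output above: the "restorecon" plugin fires when a file's current label differs from what the host's file_contexts says that path should carry, so the 99.5% restorecon verdicts point at mislabelled content inside the build container rather than at a missing rule. The "catchall" route (ausearch | audit2allow -M, semodule -i) would instead compile an allow rule for whatever label those files actually have and load it into the host policy, permanently widening what the container domain may touch on that host. Before choosing either, it is worth splitting the raw denials by target label. The script below is an added example, not code from the issue or from the apisonator or JRuby projects; the AVC records in it are constructed, and the assumptions that the build steps run as container_t (Docker's container domain on an SELinux-enabled Fedora host) and that the unreadable files carry unlabeled_t are mine, not taken from the page.

```shell
#!/bin/sh
# Added example: triage raw AVC records (the `ausearch --raw` / audit.log
# format) from a container build, splitting mislabelled targets from genuine
# policy gaps before anyone runs audit2allow.  Not code from the issue or from
# the apisonator/JRuby projects.

# CONSTRUCTED sample records.  Assumptions (mine, not from the issue): the
# build steps run as container_t, and the unreadable files carry unlabeled_t.
SAMPLE_AVC='type=AVC msg=audit(1561676415.101:5001): avc:  denied  { read } for  pid=20590 comm="sh" name="libtinfo.so.5.9" dev="overlay" ino=401 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561676415.102:5002): avc:  denied  { read } for  pid=20591 comm="semanage" name="site-packages" dev="overlay" ino=402 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1561676415.103:5003): avc:  denied  { write } for  pid=20592 comm="java" name="app.log" dev="overlay" ino=403 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=file permissive=0
type=SYSCALL msg=audit(1561676415.103:5003): arch=c000003e syscall=257 success=no exit=-13'

# Read AVC records on stdin; print one line per denial:
#   <verdict> <comm> <tclass> <perms> <name> <source type> <target type>
# POLICY_GAP     : target already carries a label container_t is meant to use,
#                  so the denial is a real policy question.
# LABEL_MISMATCH : target carries some other label; fix the label (restorecon /
#                  rebuild the layer), do not load an allow module for it.
# NOT_CONTAINER  : source domain is not container_t; out of scope here.
triage_avc() {
  awk '
    /^type=AVC / && / denied / {
      comm = stype = ttype = tclass = perm = ""; name = "-"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perm)                     # "{ read open }" -> read,open
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        gsub(/"/, "", val)
        if (key == "comm") comm = val
        else if (key == "name") name = val
        else if (key == "tclass") tclass = val
        else if (key == "scontext") { split(val, c, ":"); stype = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
      }
      if (stype != "container_t") verdict = "NOT_CONTAINER"
      else if (ttype ~ /^container_(file|share|ro_file)_t$/) verdict = "POLICY_GAP"
      else verdict = "LABEL_MISMATCH"
      printf "%s %s %s %s %s %s %s\n", verdict, comm, tclass, perm, name, stype, ttype
    }'
}

# Count denials with a given verdict in the constructed sample.
count_verdict() {
  printf '%s\n' "$SAMPLE_AVC" | triage_avc | grep -c "^$1 "
}

# Demo on the constructed sample; on a real host use:
#   ausearch -m AVC -ts recent --raw | triage_avc
printf '%s\n' "$SAMPLE_AVC" | triage_avc
```

Run it against live data with `ausearch -m AVC -ts recent --raw | triage_avc`. LABEL_MISMATCH lines are fixed by relabelling or rebuilding the image layer (`ls -Z` on the path inside the container shows the offending label), never by loading a module; POLICY_GAP lines are the only ones where a policy change is even the right question.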

@whitingjr (Author) commented Jun 28, 2019

Adding the policies ended up with another type of error.

 ---> Running in f7c45140e1a0
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/active to /etc/selinux/targeted/previous. (Invalid cross-device link).
OSError: Invalid cross-device link

It seems I've stumbled across an issue with the underlying storage, docker and SELinux, as observed here and here.

I'll get started on swapping out the base layer.
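The "Invalid cross-device link" above comes from libsemanage committing its policy store by renaming /etc/selinux/targeted/active to /etc/selinux/targeted/previous. On overlayfs, renaming a directory that lives in a lower layer returns EXDEV unless the overlay was mounted with redirect_dir, and a container's root filesystem under Docker's overlay2 driver is such a mount; whether that is the driver in use here is an assumption, not stated in the issue. The check below is an added example, not part of the issue or of the apisonator project: it parses /proc/self/mountinfo and reports whether the policy store sits on overlayfs before semanage is run in a container. The mountinfo text in it is constructed to look like a container's; mount IDs, device numbers and layer names are made up.

```shell
#!/bin/sh
# Added example: before running semanage inside a container, check whether the
# SELinux policy store sits on overlayfs, where libsemanage's commit step
# (rename of .../active to .../previous) can fail with EXDEV for directories
# that live in a lower image layer.  Not code from the issue or the project.

# CONSTRUCTED /proc/self/mountinfo excerpts.  Mount IDs, device numbers and
# layer names are made up; the layout mimics a Docker overlay2 container.
CONTAINER_MOUNTINFO='1000 999 0:45 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/c0ffee/diff,workdir=/var/lib/docker/overlay2/c0ffee/work
1001 1000 0:46 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1002 1000 0:47 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1003 1000 8:1 /var/lib/docker/containers/c0ffee/hostname /etc/hostname rw,relatime - xfs /dev/sda1 rw,attr2,inode64'

# Same container, but with /etc/selinux bind-mounted from a host volume.
VOLUME_MOUNTINFO="$CONTAINER_MOUNTINFO
1004 1000 8:1 /var/lib/docker/volumes/selinux/_data /etc/selinux rw,relatime - xfs /dev/sda1 rw,attr2,inode64"

# fstype_of_path PATH   (mountinfo text on stdin)
# Prints the filesystem type of the longest mount point that contains PATH.
# mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
fstype_of_path() {
  awk -v p="$1" '
    {
      mp = $5; fs = ""
      for (i = 7; i <= NF; i++) if ($i == "-") { fs = $(i + 1); break }
      if (fs == "") next
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > best) { best = length(mp); bestfs = fs }
      }
    }
    END { print bestfs }'
}

# check_semanage_store [STORE]   (mountinfo text on stdin)
# Returns 0 when the store can be renamed in place, 1 when it is on overlayfs,
# 2 when no mount covers it.
check_semanage_store() {
  store=${1:-/etc/selinux/targeted}
  fs=$(fstype_of_path "$store")
  case $fs in
    overlay) echo "WARN: $store is on overlayfs; semanage commit (rename active -> previous) can hit EXDEV"; return 1 ;;
    "")      echo "unknown: no mount covers $store"; return 2 ;;
    *)       echo "OK: $store is on $fs"; return 0 ;;
  esac
}

# Demo on the constructed data; inside a real container use:
#   check_semanage_store /etc/selinux/targeted </proc/self/mountinfo
printf '%s\n' "$CONTAINER_MOUNTINFO" | check_semanage_store /etc/selinux/targeted || :
printf '%s\n' "$VOLUME_MOUNTINFO" | check_semanage_store /etc/selinux/targeted
```

When the check warns, the store is on the container's overlay root and the sensible fix is to keep policy management on the host (or on a mounted volume, as the second sample shows) rather than to run semanage during a docker build.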
