* blocking / mount using containers
@ 2018-07-10 14:00 Mclain, Warren
From: Mclain, Warren @ 2018-07-10 14:00 UTC (permalink / raw)
To: selinux
I am trying to find a solution for blocking the mounting of / from containers. This is a major security hole for Docker and all of those types of applications.
I found the mount_anyfile Boolean but nothing that digs into that to show how to disable specific mountings.
Looking for any information that would help the container community in general.
thanks
___________________________________
Warren McLain
Enterprise Engineering Services
IEI Foundation Engineering - Compute, Optum Technology
warren_mclain@optum.com Office: 763-744-3107
* Re: blocking / mount using containers
From: Stephen Smalley @ 2018-07-10 16:42 UTC (permalink / raw)
To: Mclain, Warren, selinux
On 07/10/2018 10:00 AM, Mclain, Warren wrote:
> I am trying to find a solution for blocking the mounting of / from containers. This is a major security hole for Docker and all of those types of applications.
>
> I found the mount_anyfile Boolean but nothing that digs into that to show how to disable specific mountings.
>
> Looking for any information that would help the container community in general.
Not sure if this answers your question, but Fedora/RHEL ships with a container policy that should already protect the host OS filesystem from the containers.
Even if you mount / into the container when you create it, it isn't writable due to SELinux policy, e.g.
$ sudo docker run -v /:/mnt -i -t fedora /bin/bash
[root@fb83953335bb /]# cd mnt
[root@fb83953335bb mnt]# cat etc/shadow
cat: etc/shadow: Permission denied
[root@fb83953335bb mnt]# touch foo
touch: cannot touch 'foo': Permission denied
[root@fb83953335bb mnt]# exit
$ sudo ausearch -i -m AVC -ts recent
----
type=PROCTITLE msg=audit(07/10/2018 12:40:11.083:870570) : proctitle=cat etc/shadow
type=PATH msg=audit(07/10/2018 12:40:11.083:870570) : item=0 name=etc/shadow inode=1311125 dev=fd:01 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/10/2018 12:40:11.083:870570) : cwd=/mnt
type=SYSCALL msg=audit(07/10/2018 12:40:11.083:870570) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fffe6c7b92f a2=O_RDONLY a3=0x0 items=1 ppid=1992 pid=2044 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts3 ses=unset comm=cat exe=/usr/bin/cat subj=system_u:system_r:container_t:s0:c138,c987 key=(null)
type=AVC msg=audit(07/10/2018 12:40:11.083:870570) : avc: denied { read } for pid=2044 comm=cat name=shadow dev="dm-1" ino=1311125 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(07/10/2018 12:40:19.859:870580) : proctitle=touch foo
type=PATH msg=audit(07/10/2018 12:40:19.859:870580) : item=0 name=/mnt inode=2 dev=fd:01 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/10/2018 12:40:19.859:870580) : cwd=/mnt
type=SYSCALL msg=audit(07/10/2018 12:40:19.859:870580) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc7550f932 a2=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a3=0x1b6 items=1 ppid=1992 pid=2053 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts3 ses=unset comm=touch exe=/usr/bin/touch subj=system_u:system_r:container_t:s0:c138,c987 key=(null)
type=AVC msg=audit(07/10/2018 12:40:19.859:870580) : avc: denied { write } for pid=2053 comm=touch name=/ dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
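Detection logic over the denial records Stephen quotes, as an added example that is not part of the thread: it parses `ausearch -i -m AVC` output and keeps only denials where a container_t process touched an object carrying a host label (shadow_t, root_t, and so on), which is what a bind-mounted / looks like in the audit log when the container policy is doing its job. The regex and the third sample line (an httpd_t denial, included to show the filter drops non-container records) are constructed here.

```python
import re

# Constructed sample input, modelled on the `ausearch -i -m AVC` records quoted above.
# The third line is a non-container denial added so the filter has something to reject.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(07/10/2018 12:40:11.083:870570) : avc: denied { read } for pid=2044 comm=cat name=shadow dev="dm-1" ino=1311125 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/10/2018 12:40:19.859:870580) : avc: denied { write } for pid=2053 comm=touch name=/ dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c138,c987 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
type=AVC msg=audit(07/10/2018 12:41:02.000:870590) : avc: denied { read } for pid=2101 comm=httpd name=shadow dev="dm-1" ino=1311125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Field layout of a single AVC denial as printed by ausearch -i (constructed regex).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+"
    r"comm=(?P<comm>\S+)\s+name=(?P<name>\S+).*?scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)


def selinux_type(context):
    """Return the type field (third colon-separated field) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()          # e.g. ["read"] or ["write"]
    rec["enforced"] = rec["permissive"] == "0"   # permissive=1 means it was only logged
    return rec


def find_container_denials(text, container_types=("container_t",)):
    """Keep denials where a container domain touched an object whose type is not a
    container-owned label, i.e. a host file or directory reached through a mount."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = selinux_type(rec["scontext"]), selinux_type(rec["tcontext"])
        if src in container_types and not tgt.startswith("container_"):
            rec["source_type"], rec["target_type"] = src, tgt
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_container_denials(SAMPLE_AVC_LINES):
        print(f'pid={h["pid"]} {h["comm"]} denied {h["perms"]} on {h["tclass"]} '
              f'{h["name"]} ({h["target_type"]}) enforced={h["enforced"]}')
```

Feeding it `ausearch -i -m AVC -ts recent` output on a host gives a quick view of which host labels containers are bumping into; a burst of such records with permissive=1 is the case worth alerting on, since the policy is then logging rather than blocking.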
* Re: blocking / mount using containers
From: Daniel Walsh @ 2018-07-11 16:34 UTC (permalink / raw)
To: selinux
On 07/10/2018 10:00 AM, Mclain, Warren wrote:
>
> I am trying to find a solution for blocking the mounting of / from
> containers. This is a major security hole for Docker and all of those
> types of applications.
>
> I found the mount_anyfile Boolean but nothing that digs into that to
> show how to disable specific mountings.
>
> Looking for any information that would help the container community in
> general.
>
This seems mighty arbitrary. I would think you would want to block lots
of directories from being mounted into the container in addition to /,
/home, /var, /etc? for example.
What tool are you using, and what access do you want to grant to your users?