LXC system initialization (exec of /sbin/init denied)


Postby trupanka » Sun Dec 14, 2014 2:56 pm

Hi.
I'm trying to run lxc-start on an RBAC-enabled system with a special role.
In learning mode the lxc container starts and works.
But with `gradm -E` and the auto-generated config (https://dpaste.de/zHNS/raw)
I get the /sbin/init denied message in the kernel logs.
Code:
Dec 14 20:29:43 hellstation kernel: grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -a lxc ) by /sbin/gradm[bash:18327] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11348] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:45 hellstation kernel: grsec: (root:U:/sbin/gradm) successful change to special role lxc (id 40) by /sbin/gradm[gradm:18327] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11348] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/usr/sbin/lxc-start) exec of /usr/sbin/lxc-start (lxc-start -n server ) by /usr/sbin/lxc-start[bash:18328] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11348] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: IPv6: ADDRCONF(NETDEV_UP): server0: link is not ready
Dec 14 20:29:48 hellstation kernel: IPv6: ADDRCONF(NETDEV_UP): server1: link is not ready
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/bash) exec of /bin/bash (sh -c /etc/lxc/server/if-up.sh server net up veth server1 ) by /bin/bash[lxc-start:18332] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18328] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/bash) exec of /etc/lxc/server/if-up.sh (/etc/lxc/server/if-up.sh server net up veth server1 ) by /etc/lxc/server/if-up.sh[sh:18332] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18328] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/sbin/brctl) exec of /sbin/brctl (brctl addif br0 server0 ) by /sbin/brctl[if-up.sh:18337] uid/euid:0/0 gid/egid:0/0, parent /etc/lxc/server/if-up.sh[if-up.sh:18332] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: device server0 entered promiscuous mode
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/ifconfig) exec of /bin/ifconfig (ifconfig server0 up ) by /bin/ifconfig[if-up.sh:18338] uid/euid:0/0 gid/egid:0/0, parent /etc/lxc/server/if-up.sh[if-up.sh:18332] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/sbin/brctl) exec of /sbin/brctl (brctl addif br1 server1 ) by /sbin/brctl[if-up.sh:18340] uid/euid:0/0 gid/egid:0/0, parent /etc/lxc/server/if-up.sh[if-up.sh:18332] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: device server1 entered promiscuous mode
Dec 14 20:29:48 hellstation kernel: br1: port 1(server1) entered forwarding state
Dec 14 20:29:48 hellstation kernel: br1: port 1(server1) entered forwarding state
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/ifconfig) exec of /bin/ifconfig (ifconfig server1 up ) by /bin/ifconfig[if-up.sh:18341] uid/euid:0/0 gid/egid:0/0, parent /etc/lxc/server/if-up.sh[if-up.sh:18332] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/bash) exec of /bin/bash (sh -c zfs list 2> /dev/null ) by /bin/bash[lxc-start:18350] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18346] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: eth0: renamed from vethAJGVV4
Dec 14 20:29:48 hellstation kernel: eth1: renamed from veth1HYV91
Dec 14 20:29:48 hellstation kernel: EXT4-fs (dm-32): mounted filesystem with ordered data mode. Opts: (null)
Dec 14 20:29:48 hellstation kernel: EXT4-fs (dm-33): mounted filesystem with ordered data mode. Opts: (null)
Dec 14 20:29:48 hellstation kernel: EXT4-fs (dm-34): mounted filesystem with ordered data mode. Opts: (null)
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/usr/sbin/lxc-start) denied execution of /sbin/init by /usr/sbin/lxc-start[lxc-start:18346] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18328] uid/euid:0/0 gid/egid:0/0
trupanka
 
Posts: 3
Joined: Fri Oct 31, 2014 1:21 pm
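As an added example (not code from the post or from grsecurity), a small parser for the audit lines above that separates ordinary "exec of" records from denials, so the policy gap in a busy kernel log (here /sbin/init under the lxc special role's /usr/sbin/lxc-start subject) can be pulled out programmatically:

```python
import re
from typing import Optional

# Shape of a grsecurity RBAC audit line as seen in the post:
# "grsec: (role:type:subject) <action> by <exe>[comm:pid] uid/euid:a/b
#  gid/egid:c/d, parent <exe>[comm:pid] ..."  The type letter is the role
# kind (U user, G group, S special, D default).
LINE_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"(?P<msg>.+?) by (?P<exe>[^\[\s]+)\[(?P<comm>[^\]]+?):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>[^\[\s]+)\[(?P<pcomm>[^\]]+?):(?P<ppid>\d+)\]"
)
# Exec actions: "exec of <path> (<argv> )" or "denied execution of <path>".
EXEC_RE = re.compile(
    r"^(?P<denied>denied )?(?:exec of|execution of) (?P<path>\S+)"
    r"(?: \((?P<argv>.*?)\s*\))?$"
)

# Sample input: three audit lines copied from the post above.
SAMPLE = [
    "Dec 14 20:29:43 hellstation kernel: grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -a lxc ) by /sbin/gradm[bash:18327] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11348] uid/euid:0/0 gid/egid:0/0",
    "Dec 14 20:29:45 hellstation kernel: grsec: (root:U:/sbin/gradm) successful change to special role lxc (id 40) by /sbin/gradm[gradm:18327] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11348] uid/euid:0/0 gid/egid:0/0",
    "Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/usr/sbin/lxc-start) denied execution of /sbin/init by /usr/sbin/lxc-start[lxc-start:18346] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18328] uid/euid:0/0 gid/egid:0/0",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one kernel log line; None if it is not a grsec RBAC record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        ev[k] = int(ev[k])
    e = EXEC_RE.match(ev["msg"])
    ev["kind"] = "exec" if e else "other"      # e.g. role changes are "other"
    ev["denied"] = bool(e and e.group("denied"))
    ev["path"] = e.group("path") if e else None
    ev["argv"] = e.group("argv") if e else None
    return ev


def denials(lines):
    """(role, subject, denied path, parent exe) for every denied exec."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["denied"]:
            out.append((ev["role"], ev["subject"], ev["path"], ev["pexe"]))
    return out
```

Each denial names the subject whose object list lacks the path, which is the entry a policy author would review before deciding whether to grant it.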

Re: LXC system initialization (exec of /sbin/init denied)

Postby spender » Sun Dec 14, 2014 9:20 pm

You're mounting filesystems with RBAC enabled -- this isn't a supported use-case. Other than that, there might also be mount namespaces in use which also are currently unsupported.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: LXC system initialization (exec of /sbin/init denied)

Postby trupanka » Mon Dec 15, 2014 3:03 am

spender wrote: You're mounting filesystems with RBAC enabled -- this isn't a supported use-case. Other than that, there might also be mount namespaces in use which also are currently unsupported.

-Brad


I think it's the first issue. I'll try to run lxc with pre-mounted rootfs image.
Thank you.
trupanka
 
Posts: 3
Joined: Fri Oct 31, 2014 1:21 pm

Re: LXC system initialization (exec of /sbin/init denied)

Postby trupanka » Mon Dec 15, 2014 12:18 pm

I'll try to run lxc with pre-mounted rootfs image.


That didn't make sense (pivoted dir not seen by RBAC anyway).
LXC supports apparmor and SELinux.
Maybe I'll try to combine grsec RBAC for the host and AppArmor for containers.
But I'm not sure whether it improves security...
trupanka
 
Posts: 3
Joined: Fri Oct 31, 2014 1:21 pm
