tests/int: add selinux test case

This is a test case to demonstrate the selinux vs dmz issue. The issue is, runc calls selinux.SetExecLabel and then execs the runc-dmz binary, but the execve is denied by selinux: > type=PROCTITLE msg=audit(10/05/2023 22:54:07.911:10904) : proctitle=/tmp/bats-run-sGk2sn/runc.Ql243q/bundle/runc init > type=SYSCALL msg=audit(10/05/2023 22:54:07.911:10904) : arch=x86_64 syscall=execveat success=no exit=EACCES(Permission denied) a0=0x6 a1=0xc0000b90fa a2=0xc0000a26a0 a3=0xc000024660 items=0 ppid=105316 pid=105327 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=runc:[2:INIT] exe=/tmp/bats-run-sGk2sn/runc.Ql243q/bundle/runc subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 key=(null) > type=AVC msg=audit(10/05/2023 22:54:07.911:10904) : avc: denied { entrypoint } for pid=105327 comm=runc:[2:INIT] path=/memfd:runc_cloned:runc-dmz (deleted) dev="tmpfs" ino=2341 scontext=system_u:system_r:container_t:s0:c4,c5 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=file permissive=0 Once that error is fixed (by adding a selinux rule that enables it), we see one more error, also related to executing a file on tmpfs. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-09-27 03:46:19 +08:00 · 2023-10-03 17:44:39 -07:00
parent ef1166a554
commit b39781b067
3 changed files with 63 additions and 3 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -57,7 +57,7 @@ task:
    mkdir -p -m 0700 /root/.ssh
    vagrant ssh-config >> /root/.ssh/config
  guest_info_script: |
-    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version"'
+    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version && sestatus"'
  check_config_script: |
    ssh default /vagrant/script/check-config.sh
  unit_tests_script: |
@@ -79,7 +79,7 @@ task:
    CIRRUS_WORKING_DIR: /home/runc
    GO_VERSION: "1.20"
    BATS_VERSION: "v1.9.0"
-    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
+    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
    # yamllint disable rule:key-duplicates
    matrix:
      DISTRO: centos-7
@@ -170,6 +170,8 @@ task:
    # -----
    df -T
    # -----
+    sestatus
+    # -----
    cat /proc/cpuinfo
  check_config_script: |
    /home/runc/script/check-config.sh
--- a/Vagrantfile.fedora
+++ b/Vagrantfile.fedora
@@ -23,12 +23,15 @@ Vagrant.configure("2") do |config|
      cat << EOF | dnf -y --exclude=kernel,kernel-core shell && break
 config install_weak_deps false
 update
-install iptables gcc golang-go make glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs
+install iptables gcc golang-go make glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs container-selinux
 ts run
 EOF
    done
    dnf clean all

+    # To avoid "avc: denied { nosuid_transition }" from SELinux as we run tests on /tmp.
+    mount -o remount,suid /tmp
+
    # Prevent the "fatal: unsafe repository" git complain during build.
    git config --global --add safe.directory /vagrant

--- a/tests/integration/selinux.bats
+++ b/tests/integration/selinux.bats
@@ -0,0 +1,55 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	requires root # for chcon
+	if ! selinuxenabled; then
+		skip "requires SELinux enabled and in enforcing mode"
+	fi
+
+	setup_busybox
+
+	# Use a copy of runc binary with proper selinux label set.
+	cp "$RUNC" .
+	export RUNC="$PWD/runc"
+	chcon -u system_u -r object_r -t container_runtime_exec_t "$RUNC"
+
+	# Label container fs.
+	chcon -u system_u -r object_r -t container_file_t -R rootfs
+
+	# Save the start date and time for ausearch.
+	AU_DD="$(date +%x)"
+	AU_TT="$(date +%H:%M:%S)"
+}
+
+function teardown() {
+	teardown_bundle
+	# Show any avc denials.
+	if [[ -v AU_DD && -v AU_TT ]] && command -v ausearch &>/dev/null; then
+		ausearch -ts "$AU_DD" "$AU_TT" -i -m avc || true
+	fi
+}
+
+# Baseline test, to check that runc works with selinux enabled.
+@test "runc run (no selinux label)" {
+	update_config '	  .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}
+
+# https://github.com/opencontainers/runc/issues/4057
+@test "runc run (custom selinux label)" {
+	update_config '	  .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
+			| .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}
+
+@test "runc run (custom selinux label, RUNC_DMZ=legacy)" {
+	export RUNC_DMZ=legacy
+	update_config '	  .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
+			| .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}