SELinux warning when running lxc


#1

What could cause this warning? I’m on Ubuntu 19.04 now

cmd_run.go:876: WARNING: cannot create user data directory: failed to verify SELinux context


#2

That’s unexpected. Is your Ubuntu somehow using SELinux?

Can you post the output of the following commands?

  • snap debug sandbox-features
  • snap version
  • snap list |grep -e core -e snapd
  • mount |grep selinux

#3

Ah, you have a point; I didn’t remember that regular Ubuntu has SELinux enabled. I’ve seen other reports saying that this only happens on 5.0 kernels. I have a mainline kernel because my mouse has problems which were fixed in 5.0.8. I’ll try the stock kernel tomorrow.

alvin@alvin-BM1AF:~$ snap debug sandbox-features
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 tagging
alvin@alvin-BM1AF:~$ snap version
snap    2.38+19.04
snapd   2.38+19.04
series  16
ubuntu  19.04
kernel  5.0.9-050009-generic
alvin@alvin-BM1AF:~$ snap list |grep -e core -e snapd
core                  16-2.38                     6673   stable    canonical*  core
core18                20190409                    941    stable    canonical*  base
alvin@alvin-BM1AF:~$ mount |grep selinux
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)

#4

This is a bit puzzling. You’re running a mainline kernel, which comes up with SELinux enabled, but actually has no policy defined. Things that see that SELinux is enabled and try to use it will fail, probably in some interesting ways. I would suspect there’s more trouble from snapd ahead too.

For starters, strict confinement is not supported, because AppArmor appears to be disabled, so you do not benefit from sandboxing of snaps.

The upcoming snapd release 2.39 may also cause trouble, as we assume that you actually have a SELinux policy if you boot with SELinux enabled (why would it be otherwise?), in which case installation of new snaps will probably fail.

If you need to use a mainline kernel, please try to use a sensible config that would match the userland.


#5

when you say ‘mainline’, do you mean one of the ones from https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.0.8/ ? (those should mostly work afaik?)


#6

Maybe we can work around this somehow. Can you provide the output of the following commands?

  • cat /sys/fs/selinux/policyvers
  • od -x /sys/fs/selinux/status
  • sestatus
  • ls /etc/selinux/targeted

#7

Hi chipaca that’s correct. https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.0.9/ actually.


#8

alvin@alvin-BM1AF:~$ cat /sys/fs/selinux/policyvers
31
alvin@alvin-BM1AF:~$ od -x /sys/fs/selinux/status
0000000 0001 0000 0000 0000 0000 0000 0000 0000
0000020 0001 0000
0000024
alvin@alvin-BM1AF:~$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Memory protection checking: requested (insecure)
Max kernel policy version: 31
alvin@alvin-BM1AF:~$ ls /etc/selinux/targeted
ls: cannot access ‘/etc/selinux/targeted’: No such file or directory


#9

Thanks. I’ve left a note under the github ticket as well.

I would strongly suggest using a kernel that is known to work with the userspace. Perhaps getting in touch with the people that maintain the PPA and letting them know would be useful too.


#10

Confirmed that stock kernels do not have this problem.


#11

As a workaround, install selinux-policy-default, and set SELINUX=disabled in /etc/selinux/config, like so:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
...

Then reboot the system.

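The two posts above (the `od -x /sys/fs/selinux/status` output in #8 and the `/etc/selinux/config` workaround in #11) can be checked mechanically. The following is an added example, not code from the thread or from snapd: it decodes the kernel's SELinux status page as the five little-endian `u32` fields of the kernel's `struct selinux_kernel_status` (status page version 1: version, sequence, enforcing, policyload, deny_unknown), parses the `SELINUX=`/`SELINUXTYPE=` settings from the config file, and reports whether kernel and userland agree. `SAMPLE_STATUS` is transcribed from the `od -x` output posted in #8 (`od -x` prints 16-bit little-endian words, so `0001 0000` is the u32 value 1); `SAMPLE_CONFIG` is constructed from the config excerpt in #11 with the `permissive`/`default` values that `sestatus` reported in #8. The `targeted` fallback for a missing `SELINUXTYPE=` and the `read_live()` paths are assumptions for illustration.

```python
"""Added example (not from the thread or snapd): decode /sys/fs/selinux/status
and /etc/selinux/config, and diagnose a kernel that has SELinux enabled but
has never loaded a policy."""
import struct
from pathlib import Path

# Layout of the status page (struct selinux_kernel_status, version 1): 20 bytes,
# five little-endian u32 fields. This layout is an assumption taken from the
# kernel headers, not something the thread states.
STATUS_FMT = "<5I"
STATUS_FIELDS = ("version", "sequence", "enforcing", "policyload", "deny_unknown")
VALID_MODES = ("enforcing", "permissive", "disabled")

# Constructed from the thread's `od -x /sys/fs/selinux/status` output:
#   0000000 0001 0000 0000 0000 0000 0000 0000 0000
#   0000020 0001 0000
SAMPLE_STATUS = bytes.fromhex("01000000" "00000000" "00000000" "00000000" "01000000")

# Constructed sample config: the comment block posted in #11 plus the values
# that `sestatus` reported in #8 (mode permissive, policy name "default").
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=default
"""


def parse_status(data: bytes) -> dict:
    """Decode the status page; raises if it is shorter than the v1 layout."""
    if len(data) < struct.calcsize(STATUS_FMT):
        raise ValueError("status page too short: %d bytes" % len(data))
    status = dict(zip(STATUS_FIELDS, struct.unpack_from(STATUS_FMT, data)))
    # The sequence field is a seqlock counter: an odd value means the kernel
    # was updating the page (e.g. mid policy load) and the snapshot is stale.
    status["stable"] = status["sequence"] % 2 == 0
    return status


def parse_config(text: str) -> dict:
    """Return KEY=value settings from /etc/selinux/config, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def set_config_mode(text: str, mode: str) -> str:
    """Rewrite (or append) the SELINUX= line, leaving comments and other keys alone."""
    if mode not in VALID_MODES:
        raise ValueError("SELINUX= must be one of %s" % ", ".join(VALID_MODES))
    out, replaced = [], False
    for line in text.splitlines():
        is_comment = line.lstrip().startswith("#")
        if not is_comment and line.split("=", 1)[0].strip() == "SELINUX":
            out.append("SELINUX=" + mode)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append("SELINUX=" + mode)
    return "\n".join(out) + "\n"


def diagnose(status: dict, config: dict, policy_dir_exists: bool) -> str:
    """Explain how the kernel's view of SELinux relates to the userland config."""
    if not status["stable"]:
        return "status page caught mid-update (odd sequence); read it again"
    if status["policyload"] == 0:
        # This is the thread's situation: selinuxfs is mounted and SELinux is
        # enabled, but policyload=0 says no policy was ever loaded. enforcing=0
        # is why the box still boots; userland that trusts /sys/fs/selinux
        # (snapd's "failed to verify SELinux context") breaks anyway.
        return ("SELinux is enabled in the kernel but no policy has ever been loaded "
                "(policyload=0): boot a kernel without SELinux, or set "
                "SELINUX=disabled in /etc/selinux/config and reboot")
    if not policy_dir_exists:
        return "a policy is loaded but /etc/selinux/%s is missing" % config.get("SELINUXTYPE", "?")
    mode = "enforcing" if status["enforcing"] else "permissive"
    if config.get("SELINUX") not in (mode, None):
        return "kernel is %s but the config file says SELINUX=%s" % (mode, config["SELINUX"])
    return "kernel and config agree: %s, policy loaded" % mode


def read_live(status_path="/sys/fs/selinux/status", config_path="/etc/selinux/config"):
    """Run the diagnosis on the real files; None when no selinuxfs is mounted."""
    status_file = Path(status_path)
    if not status_file.exists():
        return None
    config_file = Path(config_path)
    config = parse_config(config_file.read_text()) if config_file.exists() else {}
    # "targeted" as the fallback policy name is an assumption (it is the
    # directory the thread asked to list).
    policy_dir = config_file.parent / config.get("SELINUXTYPE", "targeted")
    return diagnose(parse_status(status_file.read_bytes()), config, policy_dir.exists())


if __name__ == "__main__":
    print(diagnose(parse_status(SAMPLE_STATUS), parse_config(SAMPLE_CONFIG), False))
    print(read_live() or "no selinuxfs on this host")
```

Run on the sample data this reports the "no policy has ever been loaded" case that #4 inferred from the `od -x` dump; `set_config_mode(text, "disabled")` produces the file shown in #11 while keeping `SELINUXTYPE=` and the comment block intact.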

#13

Since these kernels seem to show up more often here recently, a quote from

https://wiki.ubuntu.com/Kernel/MainlineBuilds

“These kernels are not supported and are not appropriate for production use.”

People using such kernels for more than verifying upstream fixes should really keep in mind that they do not receive any security support/fixes and might have bugs a tested Ubuntu kernel does not have.