Bug 1113922
| Summary: | AVC denial when running docker build | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Dalibor Pospíšil <dapospis> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | dapospis, dwalsh, mgrepl, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-03-05 10:40:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Any idea which package is doing a mknod? Sadly I believe we will need to allow this... # rpm -qa selinux-policy\*
selinux-policy-3.13.1-1.el7.noarch
selinux-policy-devel-3.13.1-1.el7.noarch
selinux-policy-targeted-3.13.1-1.el7.noarch
selinux-policy-mls-3.13.1-1.el7.noarch
# sesearch -s svirt_lxc_net_t -t svirt_lxc_net_t -c capability -A -C -p mknod
Found 3 semantic av rules:
allow svirt_lxc_net_t svirt_lxc_net_t : capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_admin net_raw sys_chroot mknod audit_write setfcap } ;
DT allow svirt_lxc_net_t svirt_lxc_net_t : capability mknod ; [ virt_sandbox_use_mknod ]
DT allow svirt_lxc_net_t svirt_lxc_net_t : capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } ; [ virt_sandbox_use_all_caps ]
#
It's already allowed in rebased policy for RHEL-7.1.
Yes. Fixed in 7.1 selinux-policy-3.13.1-1.el7.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0458.html |
Description of problem: Sometimes when running docker build, AVC denial type=AVC msg=audit(1403853327.352:480): avc: denied { mknod } for pid=2832 comm="mknod" capability=27 scontext=system_u:system_r:svirt_lxc_net_t:s0:c420,c758 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c420,c758 tclass=capability is logged. Version-Release number of selected component (if applicable): docker-0.11.1-19.el7.x86_64 selinux-policy-targeted-3.12.1-153.el7.noarch How reproducible: Not deterministic. Steps to Reproduce: 1. Run docker build for some Dockerfile. 2. Observe audit.log. Actual results: type=SYSCALL msg=audit(1403854285.106:579): arch=c000003e syscall=133 success=no exit=-1 a0=7fffae76abd7 a1=21b6 a2=10b a3=7fffae769130 items=0 ppid=5489 pid=77 78 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mknod" exe="/usr/bin/mknod" subj=system_u:system_r:sv irt_lxc_net_t:s0:c31,c293 key=(null) type=AVC msg=audit(1403854285.107:580): avc: denied { mknod } for pid=7779 comm="mknod" capability=27 scontext=system_u:system_r:svirt_lxc_net_t:s0:c31,c293 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c31,c293 tclass=capability Expected results: No AVC denial. Additional info: I also saw it on Fedora 20 with docker-io-1.0.0-4.fc20.x86_64.