Bug 1194280

Summary: please allow abrtd to run "docker inspect $ID"
Product: [Fedora] Fedora
Reporter: Jakub Filak <jfilak>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: high
Version: 23
CC: adimania, admiller, dominick.grift, dustymabe, dwalsh, ichavero, jberan, jcajka, jchaloup, jfilak, loleary, lsm5, lvrabec, mgrepl, miminar, plautrba, vbatts
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: docker-1.9.1-2.git78bc3ea.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-03 12:14:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jakub Filak 2015-02-19 13:23:23 UTC
Description of problem:
The current version of ABRT adds support for collecting information about the container in which a process crashed. One of the supported container technologies is Docker, and abrtd runs 'docker inspect $container_id' upon detecting a new crash in a Docker container.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-111.fc23.noarch

Additional info:
I got these AVCs in permissive mode:
----
time->Thu Feb 19 14:19:47 2015
type=PROCTITLE msg=audit(1424351987.389:1065): proctitle=6E6174697665002D636F6E736F6C65002F6465762F7074732F36002D706970650033002D726F6F74002F7661722F6C69622F646F636B65722F657865636472697665722F6E61746976652F6261393030343765323839623962303630333135363463306132393561636338393532393839303637343338333239643434663733
type=SYSCALL msg=audit(1424351987.389:1065): arch=c000003e syscall=59 success=yes exit=0 a0=c20839b0b0 a1=c2084533b0 a2=c2083f83e0 a3=0 items=0 ppid=8084 pid=19633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerinit-1.5." exe="/var/lib/docker/init/dockerinit-1.5.0-dev" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1424351987.389:1065): avc:  denied  { entrypoint } for  pid=19633 comm="docker" path="/var/lib/docker/init/dockerinit-1.5.0-dev" dev="dm-0" ino=168539 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Feb 19 14:19:47 2015
type=PROCTITLE msg=audit(1424351987.507:1069): proctitle=6E6174697665002D636F6E736F6C65002F6465762F7074732F36002D706970650033002D726F6F74002F7661722F6C69622F646F636B65722F657865636472697665722F6E61746976652F6261393030343765323839623962303630333135363463306132393561636338393532393839303637343338333239643434663733
type=SYSCALL msg=audit(1424351987.507:1069): arch=c000003e syscall=59 success=yes exit=0 a0=c208093780 a1=c208093790 a2=c2080bda40 a3=0 items=0 ppid=8084 pid=19633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:svirt_lxc_net_t:s0:c435,c767 key=(null)
type=AVC msg=audit(1424351987.507:1069): avc:  denied  { transition } for  pid=19633 comm="dockerinit-1.5." path="/usr/bin/bash" dev="dm-3" ino=393592 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c435,c767 tclass=process permissive=1
----
time->Thu Feb 19 14:19:57 2015
type=PROCTITLE msg=audit(1424351997.873:1072): proctitle=646F636B657200696E737065637400626139303034376532383962
type=SYSCALL msg=audit(1424351997.873:1072): arch=c000003e syscall=2 success=yes exit=3 a0=c20801e060 a1=80000 a2=0 a3=0 items=0 ppid=19687 pid=19688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { open } for  pid=19688 comm="docker" path="/proc/sys/net/core/somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { read } for  pid=19688 comm="docker" name="somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { search } for  pid=19688 comm="docker" name="net" dev="proc" ino=9305 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
time->Thu Feb 19 14:19:57 2015
type=PROCTITLE msg=audit(1424351997.902:1074): proctitle=646F636B657200696E737065637400626139303034376532383962
type=SYSCALL msg=audit(1424351997.902:1074): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=c208054190 a2=17 a3=0 items=0 ppid=19687 pid=19688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1424351997.902:1074): avc:  denied  { connectto } for  pid=19688 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1424351997.902:1074): avc:  denied  { write } for  pid=19688 comm="docker" name="docker.sock" dev="tmpfs" ino=51775 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=1
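
To show what the denials above amount to in policy terms, here is an added example (not part of the bug report, the selinux-policy fix or the docker-selinux package): a small Python script that folds AVC records into candidate allow rules per source domain, the same reduction audit2allow performs. The embedded sample is the report's own AVC lines, copied verbatim; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the abrt_t denials from the bug's audit log plus the
# first docker-side (spc_t) denial, copied verbatim so the parser sees the real format.
SAMPLE_AVCS = """\
type=AVC msg=audit(1424351987.389:1065): avc:  denied  { entrypoint } for  pid=19633 comm="docker" path="/var/lib/docker/init/dockerinit-1.5.0-dev" dev="dm-0" ino=168539 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { open } for  pid=19688 comm="docker" path="/proc/sys/net/core/somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { read } for  pid=19688 comm="docker" name="somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { search } for  pid=19688 comm="docker" name="net" dev="proc" ino=9305 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1424351997.902:1074): avc:  denied  { connectto } for  pid=19688 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1424351997.902:1074): avc:  denied  { write } for  pid=19688 comm="docker" name="docker.sock" dev="tmpfs" ino=51775 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Parse one AVC record into (source_type, target_type, tclass, {perms}), or None.
    A context's type is its third colon-separated field, e.g. abrt_t in
    system_u:system_r:abrt_t:s0-s0:c0.c1023."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype, ttype = m["scon"].split(":")[2], m["tcon"].split(":")[2]
    return stype, ttype, m["tclass"], set(m["perms"].split())

def collect_rules(audit_text, source=None):
    """Fold denials into allow rules, one per (source, target, class) triple,
    optionally restricted to a single source domain such as abrt_t."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if source is not None and stype != source:
            continue
        perms_by_key[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules
```

Calling collect_rules(SAMPLE_AVCS, source="abrt_t") yields the four abrt_t rules (sysctl_net_t dir search and file open/read, docker_t unix_stream_socket connectto, docker_var_run_t sock_file write), which is the set the fixes in comments 2 and 3 address, while the docker-side spc_t records are kept separate. Output like this is the starting point for comparing against the distribution policy, as the comments below do, not a module to load as-is.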

Comment 1 Jan Kurik 2015-07-15 14:31:20 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could also affect pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 2 Lukas Vrabec 2015-10-13 14:13:31 UTC
commit 1dd281e0169366f3671f477f423a97098100d5dd
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 13 16:08:42 2015 +0200

    Allow abrt_t to read sysctl_net_t files. BZ(#1194280)

I added all fixes for this issue in the distro selinux-policy. I also added fixes in the docker-selinux package.

Comment 3 Lukas Vrabec 2015-10-13 14:15:31 UTC
commit b1908e278581e75b97f1f7337988ef510e9646a5
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 13 15:51:18 2015 +0200

    Allow abrt_t to stream connect to docker.

Lokesh,
I'm going to create new updates for Fedora 23. After that, could you add this patch to docker? Thank you!

Comment 4 Daniel Walsh 2015-10-21 16:12:38 UTC
*** Bug 1273110 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2015-11-10 09:17:50 UTC
Lukas,
what is the state of this bug?

Comment 6 Lokesh Mandvekar 2015-11-10 16:30:58 UTC
Lukas, where's this patch present? I only see your commit message.

Comment 7 Lokesh Mandvekar 2015-11-10 16:31:52 UTC
I wasn't supposed to clear needinfo on Lukas.

Comment 8 Lukas Vrabec 2015-11-23 12:20:05 UTC
My changes are in the docker-selinux GitHub repo and also in the current f23 docker package version.

Jakub,
Could you test it?

Thank you!

Comment 9 Lukas Vrabec 2015-12-03 12:14:49 UTC
This is fixed in docker-1.9.1-2.git78bc3ea.fc23

Comment 10 Red Hat Bugzilla 2023-09-14 02:55:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days