Bug 1210974
| Field | Value |
|---|---|
| Summary | SELinux is preventing yum from 'setattr' accesses on a docker_log_t directory |
| Product | Fedora |
| Reporter | Michael DePaulo <mikedep333> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 22 |
| CC | dominick.grift, dwalsh, lvrabec, mgrepl, mikedep333, plautrba |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:54af3382150797d5b35cf08c61f01beb71103b0f1340fd2bb26b033533a7bc00 |
| Fixed In Version | selinux-policy-3.13.1-122.fc22 |
| Doc Type | Bug Fix |
| Last Closed | 2015-04-21 19:28:51 UTC |
Description
Michael DePaulo
2015-04-11 16:55:16 UTC
Created attachment 1013487 [details]
The Dockerfile I was building
FYI: This SELinux alert is generated immediately before the SELinux alert in bug #1209133 is generated. As Lokesh Mandvekar and I discussed on IRC, both SELinux alerts are only generated when running docker from a user account in the "docker" group rather than running docker with sudo. Running docker with sudo does not fix the setgid on x2gosqlitewrapper; that appears to be caused by the fact that selinux-policy policy-f22-base.patch does not grant the fsetid capability to svirt_lxc_net_t. It also disables auditing for fsetid.

*** Bug 1209133 has been marked as a duplicate of this bug. ***

Are you using an LXC back end? If so, why? The only content labeled docker_log_t is:

/var/log/lxc(/.*)? system_u:object_r:docker_log_t:s0

Allowing a confined application to modify the logs is not something we want to allow. We could add dontaudit rules, but I would prefer to just get rid of the LXC back end and just use native, which should work fine.

1. I was using the default configuration for Docker on 2 different F22 hosts, except for the fact that I ran docker as a member of the "docker" group (which I added) rather than running it with sudo. I assumed it would use native also. This evening, I will run "docker info" on a fresh install with the docker group to see if it is using native or lxc.

2. That is not the only content with the docker_log_t label. /var/log/journal/ from the container's perspective is /var/log/journal/<uuid> from the host's perspective. See the argument --link-journal= in the systemd-nspawn manpage: http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--link-journal=

Won't writing to it be necessary in order for systemd to run under a container?

Ok, there is supposed to be a fix to create the journal directory with the correct SELinux label. Which version of docker are you running? This patch is supposed to be creating /var/log/journal/UUID with the private SELinux label svirt_sandbox_file_t:MCS label.

Version : 1.5.0
Release : 25.git5ebfacd.fc22

This is weird. On my existing Fedora 22 VM, first I was able to reproduce this bug. Yesterday I was unable to. Today I am able to again. Output from the VM today:

$ docker info | grep Execution
Execution Driver: native-0.2

I also just created a new Fedora 22 VM and am unable to reproduce it. Both VMs have all the latest updates for Fedora 22 (but not the testing updates). When I am unable to reproduce it, the container's /var/log/journal is labeled:

system_u:object_r:svirt_sandbox_file_t:s0

This appears to be fixed by me upgrading to docker 1.6.0-0.2.rc6.fc22 :)

Good, that is where I have been working. Fixed in docker-1.6.0.

selinux-policy-3.13.1-122.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-122.fc22

Package selinux-policy-3.13.1-122.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-122.fc22'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-6236/selinux-policy-3.13.1-122.fc22 then log in and leave karma (feedback).

selinux-policy-3.13.1-122.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
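The thread resolves on a labeling question: a container's host-side journal directory (/var/log/journal/<uuid>) should carry the private svirt_sandbox_file_t label, not docker_log_t, which is why the denial disappears once the fixed docker creates the directory correctly. The script below is an added example, not part of the bug report or of the docker or selinux-policy projects; it assumes a Linux host with GNU stat(1) (-c %C prints the SELinux context, or "?" when none is available), and the function names and the constructed context strings are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a container's journal
# directory carries the svirt_sandbox_file_t type the thread expects, so a
# confined container can write its journal without tripping docker_log_t denials.

# Extract the SELinux type, the third colon-separated field of a context such as
# system_u:object_r:svirt_sandbox_file_t:s0:c12,c34 (the MCS suffix is ignored).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context's type equals the expected type, 1 otherwise.
context_type_ok() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# Classify a context string for a container journal directory.
# Prints OK, MISLABELED or UNKNOWN so the logic can be exercised without a live host.
journal_verdict() {
    ctx="$1"
    case "$ctx" in
        ''|'?') echo UNKNOWN; return 0 ;;
    esac
    if context_type_ok "$ctx" svirt_sandbox_file_t; then
        echo OK
    else
        echo MISLABELED
    fi
}

# Read the context of a path on a live host (assumption: GNU stat with %C).
path_context() {
    stat -c %C "$1" 2>/dev/null
}

# Check one host-side journal directory and report; exit status 0 = OK,
# 1 = mislabeled (expect AVC denials from the container), 2 = no context available.
check_journal_dir() {
    dir="$1"
    ctx="$(path_context "$dir")"
    case "$(journal_verdict "$ctx")" in
        OK)
            echo "OK: $dir is labeled $ctx"
            return 0 ;;
        MISLABELED)
            echo "MISLABELED: $dir is $ctx (expected type svirt_sandbox_file_t)"
            return 1 ;;
        *)
            echo "UNKNOWN: no SELinux context readable for $dir"
            return 2 ;;
    esac
}

# Usage: ./check_journal.sh /var/log/journal/<container-uuid>
if [ $# -gt 0 ]; then
    check_journal_dir "$1"
fi
```

Run it against each /var/log/journal/<uuid> created for a running container; a MISLABELED result on a docker_log_t directory reproduces the condition this bug describes (a confined container trying to write the host's log type), and relabeling or upgrading docker, as the thread concludes, is the fix rather than a dontaudit rule.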