Bug 1210974

Summary: SELinux is preventing yum from 'setattr' accesses on a docker_log_t directory
Product: [Fedora] Fedora Reporter: Michael DePaulo <mikedep333>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: dominick.grift, dwalsh, lvrabec, mgrepl, mikedep333, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:54af3382150797d5b35cf08c61f01beb71103b0f1340fd2bb26b033533a7bc00
Fixed In Version: selinux-policy-3.13.1-122.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-21 19:28:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
The Dockerfile I was building none

Description Michael DePaulo 2015-04-11 16:55:16 UTC 
Description of problem:
I ran "docker build" to build a Docker image based on the "fedora" 21 Docker image.

I think what happened is that my Dockerfile contains this line:
RUN yum -y install systemd openssh-server sudo passwd pwgen x2goserver x2goserver-xsession && yum clean all

and package "x2goserver" involves installing the file:
/usr/lib64/x2go/x2gosqlitewrapper
With setgid.

From the Fedora x2goserver.spec file:
%attr(02755,root,x2gouser) %{_libdir}/x2go/x2gosqlitewrapper

In the built image, the file is owned by root:x2gouser but with 00755 permissions (no setgid.) This breaks x2goserver.
SELinux is preventing yum from 'setattr' accesses on the directory d9adf78fb080edf7cbf1b2143522da56.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that yum should be allowed setattr access on the d9adf78fb080edf7cbf1b2143522da56 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c102,c214
Target Context                system_u:object_r:docker_log_t:s0
Target Objects                d9adf78fb080edf7cbf1b2143522da56 [ dir ]
Source                        yum
Source Path                   yum
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-119.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.0-0.rc5.git4.1.fc22.x86_64 #1
                              SMP Fri Mar 27 13:51:23 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-04-11 10:07:09 EDT
Last Seen                     2015-04-11 10:07:15 EDT
Local ID                      2f78d62d-376d-4c76-b4ff-6320a22db24c

Raw Audit Messages
type=AVC msg=audit(1428761235.10:2478): avc:  denied  { setattr } for  pid=21577 comm="chmod" name="d9adf78fb080edf7cbf1b2143522da56" dev="sda1" ino=18000467 scontext=system_u:system_r:svirt_lxc_net_t:s0:c102,c214 tcontext=system_u:object_r:docker_log_t:s0 tclass=dir permissive=0


Hash: yum,svirt_lxc_net_t,docker_log_t,dir,setattr

Version-Release number of selected component:
selinux-policy-3.13.1-119.fc22.noarch

Additional info:
reporter:       libreport-2.5.0
hashmarkername: setroubleshoot
kernel:         4.0.0-0.rc5.git4.1.fc22.x86_64
type:           libreport
Comment 1 Michael DePaulo 2015-04-11 17:00:30 UTC 
Created attachment 1013487 [details]
The Dockerfile I was building
Comment 2 Michael DePaulo 2015-04-12 15:59:01 UTC 
FYI: This SELinux alert is generated immediately before the SELinux alert in bug #1209133 is generated.
Comment 3 Michael DePaulo 2015-04-12 18:40:59 UTC 
As Lokesh Mandvekar and I discussed on IRC, both SELinux alerts are only generated when running docker from a user account in the "docker" group rather than running docker with sudo.

Running docker with sudo does not fix the setgid on x2gosqlitewrapper, that appears to be caused by the fact that selinux-policy policy-f22-base.patch does not grant the fsetid capability to svirt_lxc_net_t. It also disables auditing for fsetid.
Comment 4 Daniel Walsh 2015-04-13 12:05:58 UTC 
*** Bug 1209133 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2015-04-13 12:08:58 UTC 
Are you using an LXC back end?  If so why?  The Only Content labeled docker_log_t is 

/var/log/lxc(/.*)?	system_u:object_r:docker_log_t:s0


Allowing a confined application to modify the logs is not something we want to allow.  We could add dontaudit rules, but I would prefer to just get rid of the LXC back end and just use native which should work fine.
Comment 6 Michael DePaulo 2015-04-13 13:40:38 UTC 
1. I was using the default configuration for Docker on 2 different F22 hosts, except for the fact that I ran docker as a member of the "docker" group (which I added) rather than running it with sudo. I assumed it would use native also.

This evening, I will run "docker info" on a fresh install with the docker group to see if it is using native or lxc.

2. That is not the only content with the docker_log_t label. /var/log/journal/ from the container's perspective is /var/log/journal/<uuid> from the host's perspective. See the argument --link-journal= in the systemd-nspawn manpage:
http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--link-journal=

Won't writing to it be necessary in order for systemd to run under a container?
Comment 7 Daniel Walsh 2015-04-13 14:26:01 UTC 
Ok there is supposed to be fixed to create the journal directory with the correct SELinux label.

Which version of docker are you running?


This patch is supposed to be creating /var/log/journal/UUID with the private SELinux label  svirt_sandbox_file_t:MCS label.
Comment 8 Michael DePaulo 2015-04-14 02:44:42 UTC 
Version     : 1.5.0
Release     : 25.git5ebfacd.fc22
Comment 9 Michael DePaulo 2015-04-14 11:43:44 UTC 
This is weird. On my existing Fedora 22 VM, 1st I was able to reproduce this bug. Yesterday I was unable to. Today I am able to again. Output from the VM today:
$ docker info | grep Execution
Execution Driver: native-0.2

I also just created a new Fedora 22 VM and am unable to reproduce it.

Both VMs have all the latest updates for Fedora 22 (but not the testing updates.)

When I am unable to reproduce it, the container's /var/log/journal is labeled:
system_u:object_r:svirt_sandbox_file_t:s0
Comment 10 Michael DePaulo 2015-04-16 13:28:05 UTC 
This appears to be fixed by me upgrading to docker 1.6.0-0.2.rc6.fc22 :)
Comment 11 Daniel Walsh 2015-04-16 14:46:12 UTC 
Good, that is where I have been working.

Fixed in docker-1.6.0
Comment 12 Fedora Update System 2015-04-16 20:17:31 UTC 
selinux-policy-3.13.1-122.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-122.fc22
Comment 13 Fedora Update System 2015-04-17 18:36:34 UTC 
Package selinux-policy-3.13.1-122.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-122.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-6236/selinux-policy-3.13.1-122.fc22
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2015-04-21 19:28:51 UTC 
selinux-policy-3.13.1-122.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.