Bug 1221379 (docker-selinux)
| Summary: | SELinux is preventing docker from 'unlink' accesses on the file state.json. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jared Smith <jsmith.fedora> |
| Component: | docker | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | admiller, alexander.janssen, antonio, autarch, dominick.grift, dwalsh, guillaumepoiriermorency, ichavero, jcajka, jchaloup, laurent.rineau__fedora, lsm5, lvrabec, mattdm, mgrepl, miminar, piette.simon, robberphex, sebastian.godelet, stefw, todor.a.todorov, vbatts, yajo.sk8, znmeb |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:94cfae893ab60521f81811d907f08acc6c28acfa1c6ea1f8bc6f3040b9fc512f | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-07-15 20:48:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
*** Bug 1221460 has been marked as a duplicate of this bug. ***

*** Bug 1222316 has been marked as a duplicate of this bug. ***

*** Bug 1222467 has been marked as a duplicate of this bug. ***

Description of problem:
docker-compose up

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter: libreport-2.3.0
hashmarkername: setroubleshoot
kernel: 3.19.7-200.fc21.x86_64
type: libreport

*** Bug 1224040 has been marked as a duplicate of this bug. ***

*** Bug 1215128 has been marked as a duplicate of this bug. ***

*** Bug 1222669 has been marked as a duplicate of this bug. ***

*** Bug 1221966 has been marked as a duplicate of this bug. ***

Lokesh, we need updated docker-1.6.2 packages with the latest docker-selinux.pp files in F22 and F21.

*** Bug 1218138 has been marked as a duplicate of this bug. ***

*** Bug 1216265 has been marked as a duplicate of this bug. ***

*** Bug 1215686 has been marked as a duplicate of this bug. ***

*** Bug 1207537 has been marked as a duplicate of this bug. ***

*** Bug 1227906 has been marked as a duplicate of this bug. ***

*** Bug 1229207 has been marked as a duplicate of this bug. ***

*** Bug 1229273 has been marked as a duplicate of this bug. ***

Just upgraded to fedora-atomic 22.11 (testing). selinux-policy is the latest one:

-bash-4.3# rpm -q selinux-policy
selinux-policy-3.13.1-128.1.fc22.noarch

However, again I cannot execute commands inside the docker containers while SELinux is in Enforcing mode.

-bash-4.3# getenforce
Enforcing
-bash-4.3# docker exec -ti registry bash
-bash-4.3#
-bash-4.3# setenforce 0
-bash-4.3# getenforce
Permissive
-bash-4.3# docker exec -ti registry bash

Check the description of Bug 1229207 for details.

-bash-4.3# setenforce 0
-bash-4.3# getenforce
Permissive
-bash-4.3# docker exec -ti registry bash
nobody@registry:/go/src/github.com/docker/distribution$

This is a docker issue.

You need at least docker-1.6.2

Is there a schedule for the publication of that version docker-1.6.2 (modified by Redhat)? Please push updates soon, because Docker has been unusable (in some use cases) on RHEL/CentOS and Fedora for one month.

(In reply to Daniel Walsh from comment #19)
> This is a docker issue.
>
> You need at least docker-1.6.2

Why do you believe it is an issue with docker? I mean, when I switch SELinux to Permissive, it works.

However, when I updated docker on my Fedora-atomic 22.30 to 1.6.2, I still encounter the same issue.

-bash-4.3# ostree admin status
* fedora-atomic 7d87cf22aa0f98a8d0f17f79f670b5bb30373c8f5b75a2f2b508891ebffd69af.0
Version: 22.30
origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/docker-host
fedora-atomic 154fc5fb54496aad198591bbb1d24bee7466316696e9d50d151471f8e8f88aef.0
Version: 22.11
origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/testing/docker-host
-bash-4.3# docker version
Client version: 1.6.2
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 7c8fca2
OS/Arch (client): linux/amd64
Server version: 1.6.2
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 7c8fca2
OS/Arch (server): linux/amd64
-bash-4.3# docker ps
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS              PORTS                         NAMES
fc32a44d2583        registry:2.0        "registry cmd/regist   26 hours ago        Up 5 minutes        172.16.3.171:5000->5000/tcp   registry
bd32ff68d319        cockpit/ws:latest   "/container/atomic-r   2 days ago          Up 5 minutes                                      cockpit
-bash-4.3# getenforce
Enforcing
-bash-4.3# docker exec -ti registry bash
-bash-4.3# docker exec -ti registry bash
-bash-4.3# docker exec -ti registry bash
-bash-4.3#

This is what audit logs when I try to execute the above:

Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0

Docker ships with its own SELinux package now. Could you try out https://admin.fedoraproject.org/updates/FEDORA-2015-9797/docker-1.7.0-4.git5b82e1d.fc22

yum -y update docker --enablerepo=updates-testing

Thank you Dan!
This package is included in Fedora-atomic 22.12 (testing).
So, I did an upgrade.
The problem has been resolved.
-bash-4.3# ostree admin status
* fedora-atomic 9aec321c52c1aed0c8016cd79e7e777ab0cdcc022e425105ec12c8cf0601c820.0
Version: 22.12
origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/testing/docker-host
fedora-atomic 154fc5fb54496aad198591bbb1d24bee7466316696e9d50d151471f8e8f88aef.0
Version: 22.11
origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/testing/docker-host
-bash-4.3# docker exec -ti registry bash
root@registry:/go/src/github.com/docker/distribution# exit
-bash-4.3#
As you already stated, there is a separate SELinux package for Docker:
docker-selinux-1.7.0-4.git5b82e1d.fc22.x86_64
Thanks again for the assistance!
docker-selinux is not available in Fedora 22. This is still a bug:

No package docker-selinux available.

[stef@dragon kubernetes]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-128.1.fc22.noarch
[stef@dragon kubernetes]$ rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64

I updated it from updates-testing to get it.

Yes it is in updates-testing.

dnf -y update docker --enablerepo=updates-testing
Description of problem:
SELinux is preventing docker from 'unlink' accesses on the file state.json.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that docker should be allowed unlink access on the state.json file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                state.json [ file ]
Source                        docker
Source Path                   docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.0.2-300.fc22.x86_64 #1 SMP Thu May 7 16:05:02 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-05-13 14:34:31 PDT
Last Seen                     2015-05-13 14:34:54 PDT
Local ID                      fec28122-8821-47b3-be53-6d638d35d295

Raw Audit Messages
type=AVC msg=audit(1431552894.530:2107): avc: denied { unlink } for pid=5916 comm="docker" name="state.json" dev="tmpfs" ino=131777 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Hash: docker,docker_t,var_run_t,file,unlink

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter: libreport-2.5.1
hashmarkername: setroubleshoot
kernel: 4.0.2-300.fc22.x86_64
type: libreport
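Two different denials are quoted in this bug: the `docker_t -> var_run_t:file unlink` record from the original report, and the `svirt_lxc_net_t -> docker_devpts_t:chr_file { read write }` records from the `docker exec` comment. The setroubleshoot suggestion above (pipe the records through `audit2allow -M`) turns records like these into `allow` rules, and it is worth seeing exactly what such a rule grants before loading it with `semodule -i`. The following is an added example, not code from this bug, from docker or from selinux-policy: it parses AVC records in both the `/var/log/audit/audit.log` layout and the journald layout seen on the Atomic host, reports whether each denial was actually refused (`permissive=0`) or merely logged (`permissive=1`, as in the original report, whose host was in Permissive mode), and emits the merged rules and `.te` module source in the shape `audit2allow` prints. The two records in `SAMPLE_RECORDS` are constructed from the lines quoted on this page; every function name is this example's own.

```python
"""Parse SELinux AVC denials and build the rule audit2allow would write for them.
Added example for this bug; not code from Bugzilla, docker or selinux-policy.
SAMPLE_RECORDS are constructed from the two denials quoted on the page."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

SAMPLE_RECORDS = [
    # audit.log layout: the state.json unlink, logged while the host was Permissive
    'type=AVC msg=audit(1431552894.530:2107): avc: denied { unlink } for pid=5916 '
    'comm="docker" name="state.json" dev="tmpfs" ino=131777 '
    'scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=file permissive=1',
    # journald layout: the devpts denial behind the silent "docker exec ... bash" exit
    'Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for '
    'pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 '
    'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0',
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RuleKey = Tuple[str, str, str]  # (source type, target type, object class)

def context_type(ctx: str) -> str:
    """Type field of user:role:type:level; the MCS level may itself contain
    colons (s0:c838,c959), so split at most three times from the left."""
    return ctx.split(":", 3)[2]

@dataclass
class AvcDenial:
    perms: Tuple[str, ...]  # permissions denied, e.g. ("read", "write")
    fields: Dict[str, str]  # scontext, tcontext, tclass, comm, name/path, permissive ...

    @property
    def key(self) -> RuleKey:
        return (context_type(self.fields["scontext"]),
                context_type(self.fields["tcontext"]), self.fields["tclass"])

def parse_avc(line: str) -> Optional[AvcDenial]:
    """One AVC record in audit.log or journald layout; None if the line is not a
    denial or lacks the fields a rule needs."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    fields: Dict[str, str] = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        key, quoted, bare = fm.groups()
        fields[key] = quoted if quoted is not None else bare
    if not perms or not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    return AvcDenial(perms, fields)

def was_enforced(d: AvcDenial) -> bool:
    """permissive=0: the kernel refused the access. permissive=1: it was allowed
    and only logged, because the domain or the whole host was permissive."""
    return d.fields.get("permissive") == "0"

def perm_list(perms: Iterable[str]) -> str:
    """`unlink` for one permission, `{ read write }` (sorted) for several."""
    ps = sorted(set(perms))
    return ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"

def format_rule(key: RuleKey, perms: Iterable[str]) -> str:
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {perm_list(perms)};"

def allow_rule(d: AvcDenial) -> str:
    return format_rule(d.key, d.perms)

def merge_denials(lines: Iterable[str]) -> Dict[RuleKey, FrozenSet[str]]:
    """Union of permissions per (source, target, class), as audit2allow does, so
    the four identical devpts records collapse into a single rule."""
    merged: Dict[RuleKey, set] = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged.setdefault(d.key, set()).update(d.perms)
    return {k: frozenset(v) for k, v in merged.items()}

def generate_rules(lines: Iterable[str]) -> List[str]:
    return [format_rule(k, p) for k, p in sorted(merge_denials(lines).items())]

def module_source(name: str, merged: Dict[RuleKey, FrozenSet[str]]) -> str:
    """Type-enforcement source in the layout audit2allow -M writes: a require
    block naming every type and class the rules touch, then the allow rules."""
    types = sorted({t for (src, tgt, _) in merged for t in (src, tgt)})
    classes: Dict[str, set] = {}
    for (_, _, cls), perms in merged.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [format_rule(k, p) for k, p in sorted(merged.items())]
    return "\n".join(out) + "\n"
```

Running `generate_rules(SAMPLE_RECORDS)` gives `allow docker_t var_run_t:file unlink;` for the original report and `allow svirt_lxc_net_t docker_devpts_t:chr_file { read write };` for the `docker exec` failure. The first rule is the one the catchall plugin would have you load, and it is broader than it looks: `var_run_t` is the generic label for `/run`, so the module lets the daemon unlink any generic runtime file there, not just its own `state.json`. The second rule is granted to every container domain, since `svirt_lxc_net_t` is what the container processes run as. Neither denial was handled with a local module in the end; the thread resolves with the separate docker-selinux policy package shipped alongside docker-1.7.0. Before reaching for `audit2allow`, checking `was_enforced` on each record also separates denials that actually broke something (`permissive=0`, the devpts records) from ones that were only logged on a permissive host (`permissive=1`, the original report).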