Bug 1221461

Summary: SELinux is preventing docker from 'getattr' accesses on the directory /etc/audit.
Product: [Fedora] Fedora Reporter: Alexander W. Janssen <alexander.janssen>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:1966335d4ea3b31fbd034bc696ce4fd21fd613091a57b2dc0155126659697b61
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-14 12:30:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexander W. Janssen 2015-05-14 05:39:48 UTC 
Description of problem:
This occured during yum upgrade, but now I'm not sure anymore if it's related at all.
While I'm writing this, another AVC denial occured which will follow shortly.
SELinux is preventing docker from 'getattr' accesses on the directory /etc/audit.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that docker should be allowed getattr access on the audit directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:object_r:auditd_etc_t:s0
Target Objects                /etc/audit [ dir ]
Source                        docker
Source Path                   docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           audit-2.4.1-1.fc21.x86_64
                              audit-2.4.2-1.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-105.13.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.19.5-200.fc21.x86_64 #1 SMP Mon
                              Apr 20 19:51:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-05-14 07:33:48 CEST
Last Seen                     2015-05-14 07:33:48 CEST
Local ID                      434e106b-cdce-49ae-83df-62a37412a59e

Raw Audit Messages
type=AVC msg=audit(1431581628.134:1023): avc:  denied  { getattr } for  pid=6133 comm="docker" path="/etc/audit" dev="dm-2" ino=2883611 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=1


Hash: docker,docker_t,auditd_etc_t,dir,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Potential duplicate: bug 1218132
Comment 1 Daniel Walsh 2015-05-14 12:30:19 UTC 

*** This bug has been marked as a duplicate of bug 1221460 ***