Bug 1226374

Summary: Selinux breaks 'docker exec -ti container /bin/sh'
Product: [Fedora] Fedora
Component: docker
Version: 22
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Reporter: Stef Walter <stefw>
Assignee: Lokesh Mandvekar <lsm5>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: admiller, dwalsh, ichavero, jcajka, jchaloup, lsm5, miminar, vbatts, znmeb
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-06-01 12:45:47 UTC

Description Stef Walter 2015-05-29 15:03:07 UTC
Description of problem:

SELinux is preventing docker exec from working:

May 29 14:57:32 node-3.rha audit[8250]: <audit-1400> avc:  denied  { read write } for  pid=8250 comm="sh" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c58,c493 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
May 29 14:57:32 node-3.rha audit[8250]: <audit-1400> avc:  denied  { read write } for  pid=8250 comm="sh" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c58,c493 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
May 29 14:57:32 node-3.rha audit[8250]: <audit-1400> avc:  denied  { read write } for  pid=8250 comm="sh" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c58,c493 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
May 29 14:57:32 node-3.rha audit[8250]: <audit-1400> avc:  denied  { read write } for  pid=8250 comm="sh" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c58,c493 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0


Version-Release number of selected component (if applicable):

[cloud-user@node-3 ~]$ rpm -q selinux-policy-targetted
package selinux-policy-targetted is not installed
[cloud-user@node-3 ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-126.fc22.noarch

How reproducible:

Every time


Steps to Reproduce:
1. docker exec -ti my_container /bin/sh

Actual results:

Nothing displayed at all, not even an error message.

Expected results:

A shell.

Additional info:

Fedora Atomic 22 release.
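
The denial lines in the description above, parsed and de-duplicated so the mismatch between the container's process type and the pty's type is visible at a glance. This is an added example, not part of the original report or of any Fedora tool; `parse_avc` and `summarize` are hypothetical helper names, and the `NOISE` line is constructed.

```python
import re
from collections import Counter

# One denial copied from the report; the report shows it four times.
DENIAL = ('May 29 14:57:32 node-3.rha audit[8250]: <audit-1400> avc:  denied  '
          '{ read write } for  pid=8250 comm="sh" path="/dev/pts/2" dev="devpts" '
          'ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c58,c493 '
          'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0')
# Constructed non-AVC journal line, to show that unrelated entries are skipped.
NOISE = 'May 29 14:57:33 node-3.rha systemd[1]: Started example.service.'
SAMPLE = "\n".join([DENIAL] * 4 + [NOISE])

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC audit line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["result"], rec["perms"] = m.group(1), tuple(m.group(2).split())
    for key in ("scontext", "tcontext"):
        # A context is user:role:type[:level]; the MCS level can itself contain ':'.
        parts = rec.get(key, "").split(":", 3)
        if len(parts) < 3:
            return None
        rec[key[0] + "type"] = parts[2]
        rec[key[0] + "level"] = parts[3] if len(parts) > 3 else ""
    return rec


def summarize(text):
    """Count denials per (source type, target type, class, perms, enforced)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            enforced = rec.get("permissive") == "0"  # 0 = access was actually blocked
            counts[(rec["stype"], rec["ttype"], rec.get("tclass"),
                    rec["perms"], enforced)] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, tclass, perms, enforced), n in summarize(SAMPLE).items():
        mode = "blocked" if enforced else "logged only"
        print(f"{n}x {stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }} ({mode})")
```
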

Comment 1 Daniel Walsh 2015-05-29 16:56:54 UTC
What version of docker?

This should be fixed in the latest docker-1.6.2 version of docker with the updated docker-selinux package.

Comment 2 M. Edward (Ed) Borasky 2015-05-31 18:24:58 UTC
This might be a duplicate of bug 1216265

Comment 3 Daniel Walsh 2015-06-01 12:45:47 UTC

*** This bug has been marked as a duplicate of bug 1216265 ***