Bug 1229207

Summary: SELinux denies docker to open a pseudo terminal "docker exec"
Product: Fedora
Reporter: Todor Todorov <todor.a.todorov>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Docs Contact:
Priority: unspecified
Version: 22
CC: dominick.grift, dwalsh, laurent.rineau__fedora, lvrabec, mgrepl, plautrba
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-08 14:02:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Todor Todorov 2015-06-08 09:27:03 UTC
Description of problem:
On Fedora-atomic 22.28, when trying to execute a command in a Docker container, SELinux denies "docker exec" permission to open a pseudo terminal.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
# docker exec -ti registry bash

Actual results:
After executing the above command the following events are being logged in journal:

Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/containers/registry/exec"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execCreate(registry)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job log(exec_create: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job log(exec_create: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job execCreate(registry) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/exec/4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca/start"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execStart(4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job log(exec_start: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job log(exec_start: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/exec/4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca/resize?h=44&w=171"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execResize(4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca, 44, 171)"

Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc:  denied  { read write } for  pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc:  denied  { read write } for  pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc:  denied  { read write } for  pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc:  denied  { read write } for  pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0

Jun 08 11:48:15 atomic.local docker[850]: bad file descriptor

Expected results:

-bash-4.3# docker exec -ti registry bash
root@registry:/go/src/github.com/docker/distribution#

Additional info:

When trying to enter the namespace of the container using nsenter, I do not encounter any issues.

Also, I can enter into the container with "docker exec" after switching to SELinux Permissive mode.
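To triage denials like the four AVC records logged above, here is an added example (not part of the bug report or of selinux-policy) that parses the journal lines into structured fields, collapses the repeated records into one entry per source type, target type and object class, and renders each entry as an audit2allow-style rule for comparison with the loaded policy. The embedded journal excerpt is copied from the report above.

```python
import re

# Journal excerpt from the bug report above: the AVC record (logged four times, as in
# the report) between docker's execResize line and its "bad file descriptor" error.
AVC_LINE = ('Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc:  denied  { read write } '
            'for  pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 '
            'scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 '
            'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0')
SAMPLE_JOURNAL = "\n".join(
    ['Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info '
     'msg="+job execResize(4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca, 44, 171)"']
    + [AVC_LINE] * 4 + ['Jun 08 11:48:15 atomic.local docker[850]: bad file descriptor'])

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, quoted or bare

def type_of(context):
    """Type field of a user:role:type[:range] SELinux context (None if missing)."""
    return context.split(":")[2] if context else None

def parse_avc(line):
    """Parse one journal/audit line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": type_of(fields.get("scontext")),
        "ttype": type_of(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
        "enforced": fields.get("permissive") == "0",  # 0: the access really was blocked
    }

def summarize(journal_text):
    """Collapse repeated denials into one entry per (source type, target type, class)."""
    summary = {}
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0, "enforced": False})
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        entry["enforced"] = entry["enforced"] or rec["enforced"]
    return summary

def rules(summary):
    """Render each entry as an audit2allow-style rule, to compare with the loaded policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
            for (s, t, c), e in sorted(summary.items())]
```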

Comment 1 Daniel Walsh 2015-06-08 14:02:43 UTC

*** This bug has been marked as a duplicate of bug 1221379 ***