Bug 1229207
| Summary: | SELinux denies docker to open a pseudo terminal "docker exec" | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Todor Todorov <todor.a.todorov> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | dominick.grift, dwalsh, laurent.rineau__fedora, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-06-08 14:02:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
*** This bug has been marked as a duplicate of bug 1221379 ***
Description of problem:

On Fedora-atomic 22.28 when trying to execute a command in a Docker container, SELinux denies "docker exec" to open a pseudo terminal.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

```
# docker exec -ti registry bash
```

Actual results:

After executing the above command the following events are being logged in journal:

```
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/containers/registry/exec"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execCreate(registry)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job log(exec_create: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job log(exec_create: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job execCreate(registry) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/exec/4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca/start"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execStart(4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job log(exec_start: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job log(exec_start: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/exec/4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca/resize?h=44&w=171"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execResize(4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca, 44, 171)"
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local docker[850]: bad file descriptor
```

Expected results:

```
-bash-4.3# docker exec -ti registry bash
root@registry:/go/src/github.com/docker/distribution#
```

Additional info:

When trying to enter into the namespace of the container using nsenter I do not encounter any issues. Also, I can enter into the container with "docker exec" after switching to SELinux Permissive mode.
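The AVC lines in the report are the whole diagnosis: a process in the container domain (svirt_lxc_net_t) is refused read/write on a pty labelled docker_devpts_t, with permissive=0 confirming the access was really blocked. The triage helper below is an added example, not part of the bug report or of selinux-policy: it pulls the denials out of journal text, groups them by source type, target type and object class, and prints the type-enforcement rule that audit2allow would derive from them. The journal excerpt is constructed from the report's lines; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample journal excerpt: the AVC line is the one quoted in the report
# (repeated four times, as there); the docker lines stand in for the surrounding noise.
AVC = ('Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } '
       'for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 '
       'scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 '
       'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0')
SAMPLE_JOURNAL = "\n".join([
    'Jun 08 11:48:15 atomic.local docker[850]: level=info msg="+job execStart(...)"',
    AVC, AVC, AVC, AVC,
    'Jun 08 11:48:15 atomic.local docker[850]: bad file descriptor',
])

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


def parse_avc_line(line):
    """Return the denied permissions and the key=value fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q or u for k, q, u in FIELD_RE.findall(m.group("fields"))}
    return {"perms": set(m.group("perms").split()), "fields": fields}


def context_type(ctx):
    """user:role:type:level -> type, the only component an allow rule names."""
    return ctx.split(":")[2]


def summarize(journal_text):
    """Group denials by (source type, target type, class); union perms, count repeats."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": False})
    for line in journal_text.splitlines():
        d = parse_avc_line(line)
        if d is None:
            continue
        f = d["fields"]
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        entry = summary[key]
        entry["perms"] |= d["perms"]
        entry["count"] += 1
        entry["enforced"] |= f.get("permissive") == "0"   # 0: blocked, 1: only logged
    return dict(summary)


def to_allow_rule(key, perms):
    """The type-enforcement rule that would grant exactly this access (audit2allow style)."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_JOURNAL).items():
        print(f"{entry['count']}x enforced={entry['enforced']}: {to_allow_rule(key, entry['perms'])}")
```

The printed rule is a diagnosis, not necessarily the fix: a policy maintainer may instead change how the pty is labelled, which is the kind of change the duplicate bug tracks.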