Bug 1266325

Summary: SELinux is preventing exe from 'entrypoint' accesses on the file /bin/dash.
Product: [Fedora] Fedora Reporter: Joshua Rich <joshua.rich>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:043a7719579978310ce7ec8e21c65c23f3398c4e09fb293b6f37480338ef43fc;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-128.18.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-28 16:26:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joshua Rich 2015-09-25 04:01:21 UTC 
Description of problem:
Since the most recent docker and docker-selinux updates:

docker-1.8.2-1.gitf1db8f2.fc22.x86_64
docker-selinux-1.8.2-1.gitf1db8f2.fc22.x86_64

When I go to rebuild some of my docker containers, I get an error similar to this for what looks like any RUN line in my Dockerfile.  I'm running SELinux in enforcing mode and using the overlayfs storage driver for Docker.  Before the upgrades above, this setup was able to generate containers without issues.

If I disable SELinux, containers build fine.
Since the most recent docker and docker-selinux updates:

docker-1.8.2-1.gitf1db8f2.fc22.x86_64
docker-selinux-1.8.2-1.gitf1db8f2.fc22.x86_64

When I go to rebuild some of my docker containers, I get an error similar to this for what looks like any RUN line in my Dockerfile.  I'm running SELinux in enforcing mode and using the overlayfs storage driver for Docker.  Before the upgrades above, this setup was able to generate containers without issues.

If I disable SELinux, containers build fine.

SELinux is preventing exe from 'entrypoint' accesses on the file /bin/dash.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/bin/dash default label should be shell_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /bin/dash

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that exe should be allowed entrypoint access on the dash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:spc_t:s0
Target Context                system_u:object_r:docker_var_lib_t:s0
Target Objects                /bin/dash [ file ]
Source                        exe
Source Path                   exe
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.7-200.fc22.x86_64 #1 SMP Mon
                              Sep 14 20:19:24 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-09-25 12:32:29 AEST
Last Seen                     2015-09-25 13:57:00 AEST
Local ID                      0e25455e-2d8a-4519-85fe-b412c7a9bb82

Raw Audit Messages
type=AVC msg=audit(1443153420.130:1111): avc:  denied  { entrypoint } for  pid=11334 comm="exe" path="/bin/dash" dev="dm-1" ino=3935470 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0


Hash: exe,spc_t,docker_var_lib_t,file,entrypoint

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-200.fc22.x86_64
type:           libreport
Comment 1 Daniel Walsh 2015-09-25 13:45:53 UTC 
Should be fixed in docker-1.8.2-4.gitcb216be.fc22

yum update docker --enable=updates-testing
Comment 2 Fedora Update System 2015-10-09 14:16:52 UTC 
selinux-policy-3.13.1-128.18.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-946cd8d690
Comment 3 Fedora Update System 2015-10-09 23:22:31 UTC 
selinux-policy-3.13.1-128.18.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-946cd8d690
Comment 4 Fedora Update System 2015-10-28 16:26:06 UTC 
selinux-policy-3.13.1-128.18.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.