Bug 1273110
| Summary: | SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Larry O'Leary <loleary> |
| Component: | abrt | Assignee: | abrt <abrt-devel-list> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | abrt-devel-list, dominick.grift, dvlasenk, dwalsh, iprikryl, jfilak, lvrabec, mgrepl, mhabrnal, michal.toman, mmilata, plautrba |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:81e66233810f691333f2d4d60ae51ace0a62639152b76bbd8721eb538b30a1bd;VARIANT_ID=workstation; | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-10-21 16:12:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
How did you get the docker command to run as abrt_t?

ps -eZ | grep docker

It should be running as docker_t?

systemctl restart docker

should launch it with the right context. Also make sure docker-selinux is installed properly:

dnf -y reinstall docker-selinux

That is what is very strange. It is not running as abrt_t... not sure why the alert is reporting that.
system_u:system_r:docker_t:s0 1819 ? 00:00:28 docker
The abrt_t context continues to be reported even across machine restarts.
I reinstalled the docker-selinux package for good measure and received the same error:
Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context system_u:object_r:docker_var_run_t:s0
Target Objects docker.sock [ sock_file ]
Source docker
Source Path /usr/bin/docker
Port <Unknown>
Host (removed)
Source RPM Packages docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-10-20 14:22:09 CDT
Last Seen 2015-10-20 14:22:09 CDT
Local ID 873359c9-9b40-4589-a393-43abcf8ba8a8
Raw Audit Messages
type=AVC msg=audit(1445368929.930:8995): avc: denied { write } for pid=2132 comm="docker" name="docker.sock" dev="tmpfs" ino=1363161 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1445368929.930:8995): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20808f090 a2=17 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
Hash: docker,abrt_t,docker_var_run_t,sock_file,write
Daniel, I just noticed that this error is actually number 4 of 4 when starting the container. The previous 3 are as follows:
SELinux is preventing /u01/app/oracle/product/11.2.0/xe/bin/oracle from execute access on the file /SYSV00000000 (deleted).
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/SYSV00000000 (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /SYSV00000000 (deleted)
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that oracle should be allowed execute access on the SYSV00000000 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep oracle /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:svirt_lxc_net_t:s0:c786,c811
Target Context system_u:object_r:tmpfs_t:s0
Target Objects /SYSV00000000 (deleted) [ file ]
Source oracle
Source Path /u01/app/oracle/product/11.2.0/xe/bin/oracle
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count 3
First Seen 2015-10-20 14:22:09 CDT
Last Seen 2015-10-20 14:22:09 CDT
Local ID 4e4261d0-ab5f-4981-a0c1-995881b0bc35
Raw Audit Messages
type=AVC msg=audit(1445368929.193:8990): avc: denied { execute } for pid=2075 comm="oracle" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=196608 scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1445368929.193:8990): arch=x86_64 syscall=shmat per=400000 success=no exit=EACCES a0=30000 a1=60000000 a2=0 a3=0 items=0 ppid=2074 pid=2075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=oracle exe=/u01/app/oracle/product/11.2.0/xe/bin/oracle subj=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 key=(null)
Hash: oracle,svirt_lxc_net_t,tmpfs_t,file,execute
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:svirt_lxc_net_t:s0:c786,c811
Target Context system_u:system_r:kernel_t:s0
Target Objects Unknown [ process ]
Source abrt-hook-ccpp
Source Path /usr/libexec/abrt-hook-ccpp
Port <Unknown>
Host (removed)
Source RPM Packages abrt-addon-coredump-helper-2.6.1-5.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-10-20 14:22:09 CDT
Last Seen 2015-10-20 14:22:09 CDT
Local ID da032ac9-b348-4ee7-8def-c3924571c0a1
Raw Audit Messages
type=AVC msg=audit(1445368929.884:8992): avc: denied { sigchld } for pid=2086 comm="abrt-hook-ccpp" scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1445368929.884:8992): arch=x86_64 syscall=wait4 success=no exit=EACCES a0=825 a1=7fff5806a7cc a2=0 a3=0 items=0 ppid=31384 pid=2086 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)
Hash: abrt-hook-ccpp,svirt_lxc_net_t,kernel_t,process,sigchld
SELinux is preventing /usr/bin/docker from search access on the directory net.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that docker should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects net [ dir ]
Source docker
Source Path /usr/bin/docker
Port <Unknown>
Host (removed)
Source RPM Packages docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-10-20 14:22:09 CDT
Last Seen 2015-10-20 14:22:09 CDT
Local ID b11c0df0-b169-42d6-81ac-94676b12aebc
Raw Audit Messages
type=AVC msg=audit(1445368929.922:8993): avc: denied { search } for pid=2132 comm="docker" name="net" dev="proc" ino=1193 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1445368929.922:8993): arch=x86_64 syscall=open success=no exit=EACCES a0=c20802c000 a1=80000 a2=0 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
Hash: docker,abrt_t,sysctl_net_t,dir,search
This looks like you are running a non-privileged container with oracle inside of it? Could you just remove abrt_t. It seems to be taking over the container for some reason. Do the abrt guys know what is going on here?

(In reply to Daniel Walsh from comment #4)
> This looks like you are running a non-privileged container with oracle
> inside of it?

Correct. Host user belongs to group docker. Process in the container is running as user oracle.

> Could you just remove abrt_t. It seems to be taking over the container for
> some reason.

What do you mean, remove it?

(In reply to Daniel Walsh from comment #4)
> Do the abrt guys know what is going on here?

It looks like a process within the container crashed and abrtd tried to run `docker inspect $container_id`. See bug #1194280 for more details.

(In reply to Larry O'Leary from comment #4)
> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

(In reply to Larry O'Leary from comment #3)

abrt-hook-ccpp tried to get a backtrace from the crashed process while it was dumping the process' core file. See bug #1245477 for more details.

> SELinux is preventing /u01/app/oracle/product/11.2.0/xe/bin/oracle from execute access on the file /SYSV00000000 (deleted).

If you do not want the SELinux guys to fix this one, we can close this bug report as a duplicate of bug #1194280.

*** This bug has been marked as a duplicate of bug 1194280 ***
Description of problem:
Start Oracle XE in docker container:

$ docker run -d alexeiled/docker-oracle-xe-11g:latest && sleep 180

SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that docker should be allowed write access on the docker.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context system_u:object_r:docker_var_run_t:s0
Target Objects docker.sock [ sock_file ]
Source docker
Source Path /usr/bin/docker
Port <Unknown>
Host (removed)
Source RPM Packages docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count 3
First Seen 2015-10-02 11:22:29 CDT
Last Seen 2015-10-19 10:40:01 CDT
Local ID c5bb6279-dd01-447a-9d38-89fa59033353
Raw Audit Messages
type=AVC msg=audit(1445269201.387:2769): avc: denied { write } for pid=13273 comm="docker" name="docker.sock" dev="tmpfs" ino=22487 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1445269201.387:2769): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20805b090 a2=17 a3=0 items=0 ppid=13272 pid=13273 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
Hash: docker,abrt_t,docker_var_run_t,sock_file,write

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter: libreport-2.6.2
hashmarkername: setroubleshoot
kernel: 4.1.10-200.fc22.x86_64
type: libreport
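As an added example (not part of the bug report or of the abrt/docker projects), a small Python parser for the raw AVC records quoted in this thread: it rebuilds the `Hash:` line setroubleshoot prints and flags denials where a program runs in a domain other than the one expected for it, which is what happened here when abrtd spawned `docker inspect` and the docker client inherited abrt_t instead of docker_t. The sample records are copied from this report; the expected-domain mapping is an assumption taken from the maintainer's comment.

```python
import re
from typing import Dict, List, Optional, Tuple

# AVC records copied from this bug report (docker.sock and abrt-hook-ccpp denials).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1445368929.930:8995): avc: denied { write } for pid=2132 comm="docker" name="docker.sock" dev="tmpfs" ino=1363161 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1445368929.930:8995): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20808f090 a2=17 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445368929.884:8992): avc: denied { sigchld } for pid=2086 comm="abrt-hook-ccpp" scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0
"""

# Domain a program is expected to run in when started normally. Assumed
# mapping; docker_t is the domain the maintainer names in the thread.
EXPECTED_DOMAIN = {"docker": "docker_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context: str) -> str:
    """Type field of an SELinux context: system_u:system_r:abrt_t:s0 -> abrt_t."""
    return context.split(":")[2]

def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Parse one AVC denial into key/value fields; None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = " ".join(m.group("perms").split())
    return rec

def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """All AVC denials in an audit.log excerpt, SYSCALL and other records skipped."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]

def setroubleshoot_hash(rec: Dict[str, str]) -> str:
    """Rebuild the 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perms."""
    return ",".join([rec["comm"], context_type(rec["scontext"]),
                     context_type(rec["tcontext"]), rec["tclass"], rec["perms"]])

def misattributed_domains(recs: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(comm, expected domain, actual domain) for denials where the program is not
    running in its expected domain, e.g. docker under abrt_t after abrtd spawned it."""
    out = []
    for rec in recs:
        actual = context_type(rec["scontext"])
        expected = EXPECTED_DOMAIN.get(rec["comm"])
        if expected and expected != actual:
            out.append((rec["comm"], expected, actual))
    return out
```

A denial reported against docker.sock is therefore a symptom of the caller's domain, not a sign that docker_t lacks a permission; checking `ps -eZ` for the long-running daemon, as suggested in the thread, will not show it because the offending process is the short-lived client.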