| Summary: | [SELinux AVC Alert] SELinux is preventing /usr/bin/id from mounton access on the directory /proc. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Laurent Rineau <laurent.rineau__fedora> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | amurdaca, dwalsh, lsm5, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-24 08:56:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
This AVC indicates the "ID" command is trying to mount something on /proc, which should be denied. What is your container attempting to do?

I do not know. Nothing special involving `id` or `/proc`. This bug was reported several months ago, before the upgrade of Docker to 1.10.x. I no longer see that AVC, even though I still launch the test suite with 30 containers every day. Probably the Docker environment has changed, and `id` no longer needs to mount `/proc` by itself. It seems I cannot close the bug myself. Can you please close it as `CURRENTRELEASE`?
Here is a bug I have already reported to the CentOS bug tracker (see the "external bug" field), but got no answer. In a discussion on the SELinux mailing list, I was told to report the bug here.

Every day, a test script of mine launches new containers, and every day, since 2016/03/22, I receive the mail below. On 2016/03/21, I rebooted to the kernel 3.10.0-327.10.1.el7.x86_64, after an upgrade. That must be related.

Now the mail:

=============== quote =================

```text
From: SELinux_Troubleshoot
To: laurent, sebastien
Date: 2016/03/22 Tue 15:32

SELinux is preventing /usr/bin/id from mounton access on the directory /proc.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that id should be allowed mounton access on the proc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep id /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c121,c379
Target Context                system_u:object_r:proc_t:s0
Target Objects                /proc [ dir ]
Source                        id
Source Path                   /usr/bin/id
Port                          <Unknown>
Host                          cgal.geometryfactory.com
Source RPM Packages           coreutils-8.22-15.el7_2.1.x86_64
Target RPM Packages           filesystem-3.2-20.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cgal.geometryfactory.com
Platform                      Linux cgal.geometryfactory.com 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-03-22 15:31:58 CET
Last Seen                     2016-03-22 15:31:58 CET
Local ID                      93da552e-6673-4857-809a-433607c3a00e

Raw Audit Messages
type=AVC msg=audit(1458657118.393:90225): avc:  denied  { mounton } for  pid=5174 comm="id" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c121,c379 tcontext=system_u:object_r:proc_t:s0 tclass=dir

type=SYSCALL msg=audit(1458657118.393:90225): arch=x86_64 syscall=mount success=no exit=EACCES a0=7f17b7535c86 a1=7f17b7535c85 a2=7f17b7535c86 a3=0 items=0 ppid=5173 pid=5174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=id exe=/usr/bin/id subj=system_u:system_r:svirt_lxc_net_t:s0:c121,c379 key=(null)

Hash: id,svirt_lxc_net_t,proc_t,dir,mounton
```

============ end of quote =================
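An added example, not part of the report or of the docker/selinux-policy projects: a small Python triage helper that groups the AVC and SYSCALL records above by their audit serial and flags a container domain (`svirt_lxc_*`) denied `mounton` on `proc_t`, the pattern the maintainer says should be denied. The sample log is the report's two records re-typed inline; `parse_records`, `se_type` and `triage` are the example's own names.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in the bug report, re-typed inline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1458657118.393:90225): avc:  denied  { mounton } for  pid=5174 comm="id" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c121,c379 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1458657118.393:90225): arch=x86_64 syscall=mount success=no exit=EACCES a0=7f17b7535c86 a1=7f17b7535c85 a2=7f17b7535c86 a3=0 items=0 ppid=5173 pid=5174 auid=4294967295 uid=0 gid=0 euid=0 comm=id exe=/usr/bin/id subj=system_u:system_r:svirt_lxc_net_t:s0:c121,c379 key=(null)
"""

# type=<TYPE> msg=audit(<epoch>:<serial>): <body>; the serial ties the AVC and SYSCALL records of one event together.
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def se_type(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_records(text):
    """Group audit records by serial; AVC fields win over SYSCALL fields when both carry a key."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[m["serial"]]
        ev.setdefault("types", set()).add(m["type"])
        if m["type"] == "AVC":
            a = AVC_RE.search(m["body"])
            if a:
                ev["result"] = a["result"]
                ev["perms"] = set(a["perms"].split())
        for key, val in KV_RE.findall(m["body"]):
            ev.setdefault(key, val.strip('"'))
    return events


def triage(text):
    """Flag denied mounton on proc_t by a svirt_lxc_* domain; the denial is expected, the summary says who tried."""
    flagged = []
    for serial, ev in parse_records(text).items():
        stype, ttype = se_type(ev.get("scontext", "")), se_type(ev.get("tcontext", ""))
        if (ev.get("result") == "denied" and "mounton" in ev.get("perms", set())
                and stype.startswith("svirt_lxc") and ttype == "proc_t"):
            # The MCS category pair (s0:c121,c379) identifies which container the process ran in.
            flagged.append({"serial": serial, "pid": ev.get("pid"), "exe": ev.get("exe"),
                            "syscall": ev.get("syscall"), "target": ev.get("path"),
                            "container_mcs": ev.get("scontext", "").split(":", 3)[-1]})
    return flagged
```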