Bug 1331007
| Summary: | SELinux regression in docker-selinux-1.9.1-37 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ed Santiago <santiago> |
| Component: | docker | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | lsm5, lsu |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | docker-1.9.1-38.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-12 15:18:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
```
restorecon -v /usr/bin/docker
systemctl restart docker
```

Try again. No joy. I also tried

```
restorecon -v /usr/bin/docker-current
ls -lZ /usr/bin/docker*
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-fetch
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-storage-setup
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/dockertarsum
```

Followup:

```
# chcon -t docker_exec_t /usr/bin/docker-current
# systemctl restart docker
# docker run registry.access.redhat.com/rhel7/rhel:latest echo hi
hi
```

(as expected)
Awesome, I asked Lokesh to rebuild the docker and docker-selinux packages with corrected labeling. Nice catch.

Will be fixed in upcoming -38.

In docker-1.9.1-38.el7.x86_64 by default:

```
# ls -lZ /usr/bin/docker*
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-storage-setup
# /usr/bin/docker run registry.access.redhat.com/rhel7/rhel:latest echo hi
hi
```

Move to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-1034.html
Description:

```
# /usr/bin/docker run registry.access.redhat.com/rhel7/rhel:latest echo hi
permission denied
Error response from daemon: Cannot start container 3c8ecd5b317fc80da74cbae3cf0fad7fba29322af0fc371cfc42b9caf433305a: [8] System error: permission denied
# tail /var/log/audit/audit.log
...
type=ANOM_PROMISCUOUS msg=audit(1461760944.457:56521): dev=veth8b3f496 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1461760944.457:56521): arch=c000003e syscall=44 success=yes exit=40 a0=1b a1=c208d6b3e0 a2=28 a3=0 items=0 ppid=23060 pid=23063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-current" exe="/usr/bin/docker-current" subj=system_u:system_r:initrc_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=raw family=2 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=security family=2 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=mangle family=2 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=filter family=10 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=raw family=10 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=security family=10 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=mangle family=10 entries=0
type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=nat family=10 entries=0
type=SYSCALL msg=audit(1461760944.882:56522): arch=c000003e syscall=56 success=yes exit=23566 a0=6c020011 a1=0 a2=0 a3=0 items=0 ppid=23060 pid=23063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-current" exe="/usr/bin/docker-current" subj=system_u:system_r:initrc_t:s0 key=(null)
type=SERVICE_START msg=audit(1461760945.022:56523): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1461760945.156:56524): avc: denied { transition } for pid=23566 comm="exe" path="/usr/bin/echo" dev="dm-3" ino=100667430 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c202,c658 tclass=process
type=SYSCALL msg=audit(1461760945.156:56524): arch=c000003e syscall=59 success=no exit=-13 a0=c2085352a0 a1=c208539180 a2=c20852fcb0 a3=0 items=0 ppid=23063 pid=23566 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:initrc_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1461760945.319:56525): dev=veth8b3f496 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1461760945.319:56525): arch=c000003e syscall=44 success=yes exit=32 a0=1d a1=c208e9ba60 a2=20 a3=0 items=0 ppid=23060 pid=23146 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-current" exe="/usr/bin/docker-current" subj=system_u:system_r:initrc_t:s0 key=(null)
```
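The two clues in this report fit together: /usr/bin/docker-current carried bin_t instead of docker_exec_t, so the daemon launched from it stayed in initrc_t (see `subj=` on the SYSCALL records) and was then denied the process transition into the svirt_lxc_net_t container domain. As an added example that is not part of this bug report, the Python below turns that diagnosis into an offline check: it parses `ls -lZ` output for daemon binaries lacking docker_exec_t and parses an AVC record for the initrc_t to svirt_lxc_net_t transition denial. The listing and AVC line are constructed to mirror this report, and the set of daemon binary names is an assumption.

```python
import re

# Constructed `ls -lZ /usr/bin/docker*` output modelled on this report's labels.
LS_LZ_SAMPLE = """\
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-storage-setup
"""

# Constructed AVC record with the same fields as the denial in this report.
AVC_SAMPLE = ('type=AVC msg=audit(1461760945.156:56524): avc: denied { transition } '
              'for pid=23566 comm="exe" path="/usr/bin/echo" scontext=system_u:system_r:initrc_t:s0 '
              'tcontext=system_u:system_r:svirt_lxc_net_t:s0:c202,c658 tclass=process')

DAEMON_BINARIES = {"docker", "docker-current"}  # assumption: what the daemon is executed from

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
                    r'\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    return context.split(":")[2]  # third field of user:role:type:level

def mislabeled_daemon_binaries(ls_lz_output, expected="docker_exec_t"):
    """Return {path: actual_type} for daemon binaries whose type is not `expected`."""
    bad = {}
    for line in ls_lz_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        context, path = fields[3], fields[4]
        if path.rsplit("/", 1)[-1] in DAEMON_BINARIES and selinux_type(context) != expected:
            bad[path] = selinux_type(context)
    return bad

def parse_avc(record):
    """Permissions, source/target types and class from one AVC record, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    return {"perms": m.group("perms").split(), "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")), "tclass": m.group("tclass")}

def matches_this_bug(avc, bad_labels):
    """Daemon stuck in initrc_t denied the transition into a container domain, plus a
    daemon binary lacking docker_exec_t: the signature of this regression."""
    return bool(avc and bad_labels and avc["tclass"] == "process"
                and "transition" in avc["perms"] and avc["stype"] == "initrc_t"
                and avc["ttype"].startswith("svirt_lxc"))
```

On a live host, feed it the real `ls -lZ /usr/bin/docker*` output and the AVC lines from /var/log/audit/audit.log; an empty result from mislabeled_daemon_binaries after `chcon -t docker_exec_t` (or the -38 package) is the expected fixed state.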