Bug 1335523
| Summary: | Docker run fails with "ApplyLayer exit status 1 stdout: stderr: invalid argument" and SELINUX alert is raised | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomas Mlcoch <tmlcoch> |
| Component: | docker | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 23 | CC: | adimania, admiller, amurdaca, dwalsh, golang-updates, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, nalin, riek, ttomecek, vbatts |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-14 10:12:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Just a note, the solution suggested by selinux troubleshooter:

```
ausearch -c exe --raw | audit2allow -M mypol
semodule -i mypol.pp
```

worked and now I'm able to use docker correctly.

I think this should be reported against "docker", not "docker-distribution".

When you disable selinux, are you able to pull images?

As I wrote in comment #1 in the end, I was able to pull images even when selinux was enabled, but I had to use the commands from selinux troubleshooter.

What was the AVC that you were seeing?

```
ausearch -m avc
time->Thu May 12 14:04:44 2016
type=AVC msg=audit(1463054684.400:380): avc: denied { mac_admin } for pid=3679 comm="exe" capability=33 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=capability2 permissive=0
```

This means that docker attempted to write a label that the kernel did not understand. This is not something you want to use. Looks like there is something wrong with your selinux-policy install.

```
dnf -y reinstall selinux-policy\* docker-selinux
```

And see if this fixes the issue.

I've reinstalled selinux-policy packages:

```
$ dnf -y reinstall selinux-policy\* docker-selinux
```

Removed the mypol package that fixed the issue before:

```
$ sudo semodule -r mypol
```

Restarted docker service:

```
$ sudo systemctl restart docker
```

And tried again:

```
$ sudo docker run -ti registry.access.redhat.com/rhel6.7 bash
```

I'm not sure if the revert of:

```
ausearch -c exe --raw | audit2allow -M mypol
semodule -i mypol.pp
```

was done correctly, but if so, then feel free to close this bug.
Description of problem:

When I try to use docker, it always fails with a weird error and an selinux alert.

The alert:

```
kvě 12 14:04:48 blackbox setroubleshoot[3720]: SELinux is preventing exe from mac_admin access on the capability2 Unknown. For complete SELinux messages. run sealert -l b8af2d9b-e0ca-45a6-89aa-1dd13f840c67
kvě 12 14:04:48 blackbox python3[3720]: SELinux is preventing exe from mac_admin access on the capability2 Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that exe should be allowed mac_admin access on the Unknown capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c exe --raw | audit2allow -M mypol
# semodule -i mypol.pp
```

Reproducer:

```
$ sudo systemctl start docker
$ sudo docker run -ti registry.access.redhat.com/rhel6.7 bash
Unable to find image 'registry.access.redhat.com/rhel6.7:latest' locally
0701b067a296: Error pulling image (latest) from registry.access.redhat.com/rhel6.7, ApplyLayer exit status 1 stdout: stderr: invalid argument failed
Error pulling image (latest) from registry.access.redhat.com/rhel6.7, ApplyLayer exit status 1 stdout: stderr: invalid argument
```

Version-Release number of selected component (if applicable):

```
$ uname -a
Linux blackbox 4.4.8-300.fc23.x86_64 #1 SMP Wed Apr 20 16:59:27 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q docker docker-selinux libselinux selinux-policy selinux-policy-targeted
docker-1.9.1-9.gitee06d03.fc23.x86_64
docker-selinux-1.9.1-9.gitee06d03.fc23.x86_64
libselinux-2.4-4.fc23.x86_64
libselinux-2.4-4.fc23.i686
selinux-policy-3.13.1-158.14.fc23.noarch
selinux-policy-targeted-3.13.1-158.14.fc23.noarch
```

How reproducible: Always
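The thread's advice is that a mac_admin denial means docker tried to write a label the kernel does not understand, and that this is not something to allow with a local policy module. The script below is an added example (mine, not code from this bug report, Fedora, or the docker project) that parses AVC records like the one quoted above, decodes the numeric capability, and separates denials worth reviewing for audit2allow from ones that point at a policy or labelling defect. The second record in SAMPLE_LOG is constructed for contrast; the DO_NOT_ALLOW table and the rule that capabilities 32 and above are checked under the capability2 class are my own encoding of standard Linux/SELinux behaviour, not anything the bug itself states.

```python
"""Triage SELinux AVC capability denials before reaching for audit2allow.
Added example, not code from this bug report, Fedora or the docker project."""
import re
from typing import Optional

# Linux capability numbers (include/uapi/linux/capability.h).  SELinux checks
# 0-31 against class "capability" and 32+ against "capability2", which is why
# the denial quoted in this bug shows tclass=capability2 with capability=33.
CAPABILITY_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ",
}

# Permissions whose denial usually signals a labelling or policy defect rather
# than a missing allow rule.  mac_admin is the case in this bug: the process
# tried to set a security label the kernel does not understand.
DO_NOT_ALLOW = {
    "mac_admin": "tried to set an SELinux label the kernel does not know; "
                 "reinstall/fix policy instead of allowing it",
    "mac_override": "tried to bypass MAC enforcement entirely",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit AVC record; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        "capability": None,
        "capability_name": None,
    }
    if "capability" in fields:
        rec["capability"] = int(fields["capability"])
        rec["capability_name"] = CAPABILITY_NAMES.get(
            rec["capability"], f"CAP_#{rec['capability']}")
    return rec


def triage(rec: dict) -> dict:
    """Flag denials that should not be turned into a local allow module."""
    reasons = []
    cap = rec["capability"]
    if cap is not None and rec["tclass"] in ("capability", "capability2"):
        expected = "capability" if cap < 32 else "capability2"
        if rec["tclass"] != expected:  # malformed or inconsistent record
            reasons.append(f"capability {cap} is not in class {rec['tclass']}")
    for perm in rec["perms"]:
        if perm in DO_NOT_ALLOW:
            reasons.append(f"{perm}: {DO_NOT_ALLOW[perm]}")
    summary = (f"{rec['comm']} ({rec['scontext']}) {rec['result']} "
               f"{{ {' '.join(rec['perms'])} }} on {rec['tclass']}")
    if rec["capability_name"]:
        summary += f" [{rec['capability_name']}]"
    return {"summary": summary, "audit2allow_candidate": not reasons,
            "reasons": reasons}


def triage_log(text: str) -> list:
    """Run triage over every AVC record found in an ausearch-style dump."""
    return [triage(r) for r in map(parse_avc, text.splitlines()) if r]


# The AVC record quoted in this bug, plus one constructed record (httpd
# binding a privileged port) for contrast.
SAMPLE_LOG = """\
time->Thu May 12 14:04:44 2016
type=AVC msg=audit(1463054684.400:380): avc: denied { mac_admin } for pid=3679 comm="exe" capability=33 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1463054700.000:381): avc: denied { net_bind_service } for pid=4001 comm="httpd" capability=10 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
"""

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        verdict = "review for audit2allow" if entry["audit2allow_candidate"] else "DO NOT audit2allow"
        print(f"{verdict}: {entry['summary']}")
        for reason in entry["reasons"]:
            print(f"    - {reason}")
```

Run over the page's record the script reports `exe (system_u:system_r:docker_t:s0) denied { mac_admin } on capability2 [CAP_MAC_ADMIN]` with a DO NOT verdict, which is the point of the thread: the right response was to reinstall selinux-policy and docker-selinux and remove the mypol module, not to keep the allow rule. A real deployment would feed it `ausearch -m avc --raw` output instead of SAMPLE_LOG.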