Bug 1349619
| Summary: | Bad boolean declaration at line 148 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | mark mcintyre <mark> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 24 | CC: | adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jchaloup, lsm5, marianne, mark, mark, mgrepl, miminar, nalin, plautrba, riek, vbatts |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-08-19 21:10:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1353192 | | |
|
Description
mark mcintyre
2016-06-23 19:37:42 UTC
> Please attach a complete setroubleshoot report or at least the AVC denial message you see in your logs, and also the my-openvpn.te file generated by audit2allow. This is a conflict between docker-selinux or docker-engine-selinux and the selinux policy installed on the box. If you are using docker-selinux please update to the latest package. If you are using docker-engine-selinux, then there is an open issue on this at github.com/docker

i don't have either of the docker packages installed.
these are my installed packages related to selinux:
----
[root ~]# rpm -qa *selinux*
selinux-policy-3.13.1-191.fc24.3.noarch
libselinux-2.5-3.fc24.x86_64
rpm-plugin-selinux-4.13.0-0.rc1.27.fc24.x86_64
libselinux-python3-2.5-3.fc24.x86_64
selinux-policy-targeted-3.13.1-191.fc24.3.noarch
libselinux-devel-2.5-3.fc24.x86_64
libselinux-utils-2.5-3.fc24.x86_64
----
here is my-openvpn.te file:
----
[root ~]# cat my-openvpn.te
module my-openvpn 1.0;
require {
type user_home_t;
type ssh_home_t;
type openvpn_t;
class file open;
}
#============= openvpn_t ==============
allow openvpn_t ssh_home_t:file open;
#!!!! The file '/home/mock/.ssh/mockmanor.com.pem' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /home/mock/.ssh/mockmanor.com.pem
allow openvpn_t user_home_t:file open;
----
on the date in question, i find this in the journalctl for setroubleshoot:
----
[root ~]# journalctl -t setroubleshoot
Jun 24 07:44:33 liberia setroubleshoot[1399]: cannot chmod /var/lib/setroubleshoot/setroubleshoot_database.xml to 600 [Operation not permitted]
Jun 24 07:44:33 liberia setroubleshoot[1399]: cannot chown /var/lib/setroubleshoot/setroubleshoot_database.xml to setroubleshoot:setroubleshoot [Operation not permitted]
Jun 24 07:44:33 liberia setroubleshoot[1399]: read_xml_file() libxml2.parserError: xmlParseFile() failed
Jun 24 07:44:33 liberia setroubleshoot[1399]: cannot chmod /var/lib/setroubleshoot/email_alert_recipients to 600 [Operation not permitted]
Jun 24 07:44:33 liberia setroubleshoot[1399]: cannot chown /var/lib/setroubleshoot/email_alert_recipients to setroubleshoot:setroubleshoot [Operation not permitted]
Jun 24 07:44:33 liberia setroubleshoot[1399]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 13] Permission denied: '/var/lib/setroubleshoot/setroubleshoot_d
Jun 24 07:44:33 liberia setroubleshoot[1399]: SELinux is preventing (uetoothd) from mounton access on the directory /etc. For complete SELinux messages. run sealert -l 82d494f5-551b-499d
----
i did find the user label for the files in the /var/lib/setroubleshoot directory were owned by chrony:openvpn. i changed these to setroubleshoot:setroubleshoot to match the directory.
i also had to adjust /var/lib/selinux/target user label from system_u to unconfined_u. (i was matching these with a clean vm install of fedora 24.)
after making all these changes, i am still getting the same error. i have not rebooted yet. i cannot restart the audit.service. (i tried a reload with no difference.) i will check again after i get it restarted.
mark mcintyre:

i tried to run semodule again after a reboot with no change.

Daniel Walsh:

Could you run this command.
----
# semodule -l | grep docker
docker
# semanage module --list | grep docker
docker 400 pp
----

mark mcintyre:

certainly.
----
[root ~]# semodule -l | grep docker
docker
[root ~]# semanage module --list | grep docker
docker 400 pp
----

Daniel Walsh:

Looks like you have docker-selinux or docker-engine-selinux installed, or did at one point?

mark mcintyre:

i did when i had f23 installed. i did a dnf system-upgrade to f24 about a month ago. i have not installed docker since the upgrade.

Daniel Walsh:

dnf remove docker-selinux

Should remove these policy packages.

mark mcintyre:

tried that...
----
[root ~]# dnf remove docker-selinux
No match for argument: docker-selinux
Error: No packages marked for removal.
----
the policies are still in place. would semodule -r docker work instead?

Daniel Walsh:

Yes that should work. I wonder if we had a bug removing it.

rpm -q --scripts docker-selinux

Shows the following scriptlet
----
postuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then
/usr/sbin/semodule -n -r docker &> /dev/null || :
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
/usr/sbin/restorecon -R /usr/bin/docker /var/run/containerd.sock /var/run/docker.sock /var/run/docker.pid /etc/docker /var/log/docker /var/log/lxc /var/lock/lxc /usr/lib/systemd/system/docker.service /usr/lib/systemd/system/docker-containerd.service /etc/docker &> /dev/null || :
fi
fi
----

mark mcintyre:

success!
----
[root ~]# semodule -n -r docker
libsemanage.semanage_direct_remove_key: Removing last docker module (no other docker module exists at another priority).
[root ~]# ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-uetoothd.pp

[root ~]# semodule -i my-uetoothd.pp
[root ~]#
----
...and...
----
[root ~]# ausearch -c 'openvpn' --raw | audit2allow -M my-openvpn
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-openvpn.pp

[root ~]# semodule -i my-openvpn.pp
[root ~]#
----
thanks, dan. i've been making more of an effort to learn selinux rather than knee-jerk disabling. this exercise, which i'm sure has taxed you a bit, has been helpful to me.

i can't speak to the removal bit of the script you posted, but i had to --allowerasing for my dnf system-upgrade from f23 to f24. i had started the long upgrade process and walked away, so i didn't pay enough attention to what it was upgrading. since i was technically pre-release installing, i accepted certain packages wouldn't make the upgrade bit until the rpmfusion repos were approved for f24 gold. it wasn't until later that i ran into this situation.

if you need me to check anything else to help you do some debugging/forensics to this case, let me know. otherwise, i'm calling this a close on my end.

Daniel Walsh:

Just for grins do a

dnf install docker-selinux

And see if it succeeds. It should have the updated policy that works.

mark mcintyre:

seems to work. and for the record, i was grinning as i did this. :D
----
[root ~]# dnf install docker-selinux
Failed to synchronize cache for repo 'google-chrome', disabling.
Last metadata expiration check: 0:17:40 ago on Mon Jul 11 09:00:22 2016.
Dependencies resolved.
================================================================================
 Package           Arch      Version                        Repository        Size
================================================================================
Installing:
 docker-selinux    x86_64    2:1.10.3-23.git971d3bf.fc24    updates-testing   73 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 73 k
Installed size: 27 k
Is this ok [y/N]: y
Downloading Packages:
docker-selinux-1.10.3-23.git971d3bf.fc24.x86_64.rpm     152 kB/s |  73 kB  00:00
--------------------------------------------------------------------------------
Total                                                    56 kB/s |  73 kB  00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : docker-selinux-2:1.10.3-23.git971d3bf.fc24.x86_64    1/1
  Verifying   : docker-selinux-2:1.10.3-23.git971d3bf.fc24.x86_64    1/1

Installed:
  docker-selinux.x86_64 2:1.10.3-23.git971d3bf.fc24

Complete!
----
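The thread above boils down to two steps a practitioner repeats on every box that hits this: find policy modules that did not come from the base selinux-policy package (here, docker left behind at priority 400 after a system upgrade), and, when using audit2allow, do not install rules that audit2allow itself says are caused by a mislabeled file. The script below is an added example written for this page; it is not code from the bug report, from Daniel Walsh, or from Fedora's packaging. Both functions read text on stdin, so they run offline against the constructed samples embedded here and can be fed the real output of `semanage module --list` and a real audit2allow .te file on a Fedora host. Two assumptions: the base policy lives at priority 100 (taken from the page's own /var/lib/selinux/targeted/tmp/modules/100 path, so anything at another priority is treated as foreign), and `semanage module --list` prints "name priority language" columns, which is the layout the thread shows.

```shell
#!/bin/sh
# Added example for the docker-selinux cleanup discussed in Bug 1349619.
# Not code from the bug report or from Fedora packaging.

# stale_modules: read `semanage module --list` output on stdin and print
# "name priority" for every module loaded at a priority other than 100.
# Assumption: 100 is the base-policy priority (see the modules/100 path in
# the bug summary). Modules at another priority were installed by a separate
# package (docker-selinux uses 400 in the thread) or by hand, and they stay
# loaded after a system upgrade even when the package that owned them is gone.
stale_modules() {
    awk '$2 ~ /^[0-9]+$/ && $2 != 100 { print $1, $2 }'
}

# flagged_rules: read an audit2allow-generated .te file on stdin and print
# every allow rule that directly follows a "#!!!!" comment block.
# audit2allow emits that block when the denial came from a mislabeled file and
# prints the restorecon command that fixes the label. Installing such a rule
# instead grants the domain permanent access to the wrong type (user_home_t in
# the thread), so these are the rules to strip before `semodule -i`.
flagged_rules() {
    awk '/^#!!!!/ { flagged = 1; next }
         /^allow / { if (flagged) print; flagged = 0 }'
}

# Constructed sample: semanage output in the shape of the thread's
# "docker 400 pp" line, with a header row and two base-policy modules.
SAMPLE_MODULES='Module Name   Priority  Language
abrt          100       pp
docker        400       pp
openvpn       100       pp'

# Constructed sample: the my-openvpn.te file as posted in the bug report.
SAMPLE_TE=$(cat <<'EOF'
module my-openvpn 1.0;
require {
	type user_home_t;
	type ssh_home_t;
	type openvpn_t;
	class file open;
}
#============= openvpn_t ==============
allow openvpn_t ssh_home_t:file open;
#!!!! The file '/home/mock/.ssh/mockmanor.com.pem' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /home/mock/.ssh/mockmanor.com.pem
allow openvpn_t user_home_t:file open;
EOF
)

main() {
    echo "modules loaded outside the base-policy priority (candidates for semodule -r):"
    printf '%s\n' "$SAMPLE_MODULES" | stale_modules
    echo "rules audit2allow attributes to a mislabel (run the suggested restorecon, do not install):"
    printf '%s\n' "$SAMPLE_TE" | flagged_rules
}
main
```

On a live host the same functions take real input: `semanage module --list | stale_modules` lists what to remove with `semodule -n -r NAME` followed by `load_policy`, mirroring the package's postuninstall scriptlet quoted in the thread, and `flagged_rules < my-openvpn.te` shows which of the generated rules should be replaced by the restorecon that audit2allow printed rather than loaded with `semodule -i`.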