Bug 1373430

Summary: SELinux prevents docker from starting any container
Product: Red Hat Enterprise Linux 7 Reporter: Stef Walter <stefw>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: amurdaca, dwalsh, lvrabec, mgrepl, mmalik, pasteur, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-07 12:47:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stef Walter 2016-09-06 09:20:00 UTC 
Description of problem:

Sep 05 03:13:52 localhost.localdomain kernel: type=1400 audit(1473059632.888:21): avc:  denied  { search } for  pid=1499 comm="systemd-machine" name="2725" dev="proc" ino=39033 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
Sep 05 03:13:52 localhost.localdomain oci-register-machine[2729]: 2016/09/05 03:13:52 Register machine failed: Failed to determine unit of process 2725 : Permission denied

Version-Release number of selected component (if applicable):

 oci-register-machine   x86_64 1:0-1.7.git31bbcd2.el7
                                                rhel-7-server-extras-rpms 929 k
 oci-systemd-hook       x86_64 1:0.1.4-4.git41491a3.el7
                                                rhel-7-server-extras-rpms  27 k
 docker-selinux         x86_64 1.10.3-46.el7.10 rhel-7-server-extras-rpms  78 k

  selinux-policy-targeted.noarch 0:3.13.1-93.el7                                

How reproducible:

Happens in Cockpit integration tests: https://fedorapeople.org/groups/cockpit/logs/pull-4928-65231a35-verify-rhel-7/TestKubernetes-testDashboard-10.111.118.238-FAIL.log
Comment 2 Stef Walter 2016-09-07 10:21:19 UTC 
This affects all use of Docker or Kubernetes on RHEL.

Can reproduce this on RHEL 7.3 Beta
Comment 3 Stef Walter 2016-09-07 10:29:15 UTC 
Same failure on 7.3 Beta:

docker-1.10.3-46.el7.10.x86_64
docker-selinux-1.10.3-46.el7.10.x86_64
oci-register-machine-0-1.7.git31bbcd2.el7.x86_64
oci-systemd-hook-0.1.4-4.git41491a3.el7.x86_64
selinux-policy-targeted-3.13.1-93.el7.noarch

[root@localhost ~]# docker run -ti busybox /bin/sh
[   59.032970] type=1400 audit(1473243975.900:4): avc:  denied  { search } for  pid=1146 comm="systemd-machine" name="1138" dev="proc" ino=23553 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
docker: Error response from daemon: Cannot start container 3be591f72ec5c85630406bd20e3cc10e1573ce6ee0c33b6054083620d7b3062b: [9] System error: exit status 1.
Comment 4 Stef Walter 2016-09-07 10:30:41 UTC 
When I try a workaround suggested by Antonio:

rm -rf /usr/libexec/oci/hooks.d/oci-register-machine

I get another AVC:

[  268.266642] type=1400 audit(1473244185.134:5): avc:  denied  { transition } for  pid=1262 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c35,c359 tclass=process
Comment 5 Stef Walter 2016-09-07 10:35:55 UTC 
This bug was found by the Cockpit integration tests. 

Upstream known issue tracking failures in tests: https://github.com/cockpit-project/cockpit/issues/4978
Comment 8 Milos Malik 2016-09-07 11:59:15 UTC 
The problem is that there should be 2 docker policy modules in the output, each of them having a different priority.
Comment 9 Daniel Walsh 2016-09-07 12:47:01 UTC 

*** This bug has been marked as a duplicate of bug 1358819 ***