Bug 1373952

Summary: [extras-rhel-7.3.0] selinux issues prevent docker.service from starting
Product: Red Hat Enterprise Linux 7
Reporter: Lokesh Mandvekar <lsm5>
Component: docker
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 7.3
CC: ajia, lsm5, lsu, walters
Target Milestone: rc
Keywords: Extras, Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-17 20:43:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  strace for systemctl status docker (flags: none)

Description Lokesh Mandvekar 2016-09-07 14:04:13 UTC
Description of problem:

Dan, docker.service does start up fine in permissive mode. journalctl -xe gives me the logs below. 

Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Starting Docker Storage Setup...
-- Subject: Unit docker-storage-setup.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker-storage-setup.service has begun starting up.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[2660]: Failed at step EXEC spawning /usr/bin/docker-storage-setup: Permission denied
-- Subject: Process /usr/bin/docker-storage-setup could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The process /usr/bin/docker-storage-setup could not be executed and failed.
-- 
-- The error number returned by this process is 13.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: docker-storage-setup.service: main process exited, code=exited, status=203/EXEC
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Failed to start Docker Storage Setup.
-- Subject: Unit docker-storage-setup.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker-storage-setup.service has failed.
-- 
-- The result is failed.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Unit docker-storage-setup.service entered failed state.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: docker-storage-setup.service failed.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Starting Docker Application Container Engine...
-- Subject: Unit docker.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has begun starting up.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[2662]: Failed at step EXEC spawning /usr/bin/docker-current: Permission denied
-- Subject: Process /usr/bin/docker-current could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The process /usr/bin/docker-current could not be executed and failed.
-- 
-- The error number returned by this process is 13.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: docker.service: main process exited, code=exited, status=203/EXEC
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Failed to start Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is failed.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Unit docker.service entered failed state.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: docker.service failed.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com polkitd[478]: Unregistered Authentication Agent for unix-process:2654:61726 (system bus name :1.39, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Comment 1 Colin Walters 2016-09-07 14:05:15 UTC

*** This bug has been marked as a duplicate of bug 1370935 ***

Comment 2 Lokesh Mandvekar 2016-09-07 14:11:15 UTC
Dan, just an fyi, this is not quite a duplicate of 1370935, in that I see this issue even after docker-selinux commit 3d17c3ffa79415a9c467802b24f1d1d8f6a41a23

Comment 3 Daniel Walsh 2016-09-07 15:25:55 UTC
Lokesh, please attach the AVC messages.

Comment 4 Lokesh Mandvekar 2016-09-07 15:47:41 UTC
----
time->Fri Sep  2 15:02:33 2016
type=SYSCALL msg=audit(1472842953.881:4761): arch=c000003e syscall=59 success=no exit=-13 a0=c8205634b8 a1=c8205634c0 a2=c820544a80 a3=0 items=0 ppid=8922 pid=9131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472842953.881:4761): avc:  denied  { transition } for  pid=9131 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c738,c986 tclass=process
----
time->Fri Sep  2 15:02:45 2016
type=SYSCALL msg=audit(1472842965.816:4780): arch=c000003e syscall=59 success=yes exit=0 a0=c820658408 a1=c820658410 a2=c8205e1c20 a3=0 items=0 ppid=8922 pid=9209 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="sh" exe="/bin/sh" subj=system_u:system_r:svirt_lxc_net_t:s0:c595,c955 key=(null)
type=AVC msg=audit(1472842965.816:4780): avc:  denied  { transition } for  pid=9209 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c595,c955 tclass=process
----
time->Fri Sep  2 15:02:45 2016
type=SYSCALL msg=audit(1472842965.825:4781): arch=c000003e syscall=61 success=yes exit=9209 a0=23f9 a1=c8214c1284 a2=0 a3=c8213466c0 items=0 ppid=1 pid=8927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-current" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472842965.825:4781): avc:  denied  { sigchld } for  pid=8927 comm="docker-current" scontext=system_u:system_r:svirt_lxc_net_t:s0:c595,c955 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
----
time->Fri Sep  2 15:23:23 2016
type=SYSCALL msg=audit(1472844203.477:4859): arch=c000003e syscall=59 success=no exit=-13 a0=c82063f298 a1=c82063f2a0 a2=c8205e4ae0 a3=0 items=0 ppid=8922 pid=9781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472844203.477:4859): avc:  denied  { transition } for  pid=9781 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c760,c970 tclass=process
----
time->Fri Sep  2 15:25:15 2016
type=SYSCALL msg=audit(1472844315.652:4873): arch=c000003e syscall=59 success=no exit=-13 a0=c820656cd8 a1=c820656ce0 a2=c820686840 a3=0 items=0 ppid=8922 pid=9923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472844315.652:4873): avc:  denied  { transition } for  pid=9923 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c155,c823 tclass=process
----
time->Fri Sep  2 15:45:27 2016
type=SYSCALL msg=audit(1472845527.703:110): arch=c000003e syscall=59 success=no exit=-13 a0=c8205d4eb8 a1=c8205d4ec0 a2=c8205fa900 a3=0 items=0 ppid=2314 pid=2498 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472845527.703:110): avc:  denied  { transition } for  pid=2498 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c119,c137 tclass=process
----
time->Tue Sep  6 09:21:31 2016
type=SYSCALL msg=audit(1473168091.052:2453): arch=c000003e syscall=59 success=no exit=-13 a0=c8206562f0 a1=c820656300 a2=c8206be8a0 a3=0 items=0 ppid=26309 pid=26539 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1473168091.052:2453): avc:  denied  { transition } for  pid=26539 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=23068818 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c472,c540 tclass=process
----
time->Tue Sep  6 16:39:59 2016
type=SYSCALL msg=audit(1473194399.272:104): arch=c000003e syscall=59 success=no exit=-13 a0=c820573050 a1=c820573060 a2=c820672b10 a3=0 items=0 ppid=2209 pid=2392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1473194399.272:104): avc:  denied  { transition } for  pid=2392 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=23068818 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c502,c964 tclass=process
----
time->Tue Sep  6 16:54:18 2016
type=SYSCALL msg=audit(1473195258.800:194): arch=c000003e syscall=59 success=no exit=-13 a0=c820682e90 a1=c820682ea0 a2=c82055e660 a3=0 items=0 ppid=2209 pid=2836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1473195258.800:194): avc:  denied  { transition } for  pid=2836 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=23068818 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c677,c896 tclass=process
----
time->Tue Sep  6 17:37:25 2016
type=SYSCALL msg=audit(1473197845.405:317): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844aa4070 a1=7fa844aa5cc0 a2=7fa844cbbd40 a3=3 items=0 ppid=1 pid=13799 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197845.405:317): avc:  denied  { transition } for  pid=13799 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9939018 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473197845.405:317): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Tue Sep  6 17:37:25 2016
type=SYSCALL msg=audit(1473197845.438:319): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844b31810 a1=7fa844d43bd0 a2=7fa844d5bd00 a3=7fa842ad11b0 items=0 ppid=1 pid=13801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197845.438:319): avc:  denied  { transition } for  pid=13801 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:37:44 2016
type=SYSCALL msg=audit(1473197864.975:326): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844aa4070 a1=7fa844cd2270 a2=7fa844ba8d30 a3=3 items=0 ppid=1 pid=13815 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197864.975:326): avc:  denied  { transition } for  pid=13815 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9939018 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:37:44 2016
type=SYSCALL msg=audit(1473197864.982:328): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844b31810 a1=7fa844b401c0 a2=7fa844b3fee0 a3=5 items=0 ppid=1 pid=13817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197864.982:328): avc:  denied  { transition } for  pid=13817 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:37:55 2016
type=SYSCALL msg=audit(1473197875.425:345): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844aa4070 a1=7fa844cd2270 a2=7fa844b83b70 a3=3 items=0 ppid=1 pid=13849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197875.425:345): avc:  denied  { transition } for  pid=13849 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9939018 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:37:55 2016
type=SYSCALL msg=audit(1473197875.432:347): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844b31810 a1=7fa844b401c0 a2=7fa844b403c0 a3=5 items=0 ppid=1 pid=13851 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197875.432:347): avc:  denied  { transition } for  pid=13851 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:53:27 2016
type=SYSCALL msg=audit(1473198807.798:125): arch=c000003e syscall=59 success=no exit=-13 a0=c8206903a0 a1=c8206903b0 a2=c8205d5b60 a3=0 items=0 ppid=2463 pid=2649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1473198807.798:125): avc:  denied  { transition } for  pid=2649 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=23068818 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c818,c936 tclass=process
----
time->Wed Sep  7 09:49:19 2016
type=SYSCALL msg=audit(1473256159.307:1887): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee5f2f0 a1=7f5fcee2e570 a2=7f5fcee2af20 a3=3 items=0 ppid=1 pid=5826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256159.307:1887): avc:  denied  { transition } for  pid=5826 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256159.307:1887): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:49:19 2016
type=SYSCALL msg=audit(1473256159.341:1889): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee29580 a1=7f5fcee48150 a2=7f5fcee40360 a3=7f5fcd2a71b0 items=0 ppid=1 pid=5828 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256159.341:1889): avc:  denied  { transition } for  pid=5828 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:49:30 2016
type=SYSCALL msg=audit(1473256170.699:1896): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee5f2f0 a1=7f5fced8edb0 a2=7f5fced43950 a3=3 items=0 ppid=1 pid=5841 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256170.699:1896): avc:  denied  { transition } for  pid=5841 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:49:30 2016
type=SYSCALL msg=audit(1473256170.710:1898): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee29580 a1=7f5fcedb2c60 a2=7f5fcedf98c0 a3=7f5fcd2a71b0 items=0 ppid=1 pid=5843 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256170.710:1898): avc:  denied  { transition } for  pid=5843 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:49:41 2016
type=SYSCALL msg=audit(1473256181.027:1910): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee5f2f0 a1=7f5fced43950 a2=7f5fcee2b3e0 a3=3 items=0 ppid=1 pid=5865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256181.027:1910): avc:  denied  { transition } for  pid=5865 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:49:41 2016
type=SYSCALL msg=audit(1473256181.035:1912): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee29580 a1=7f5fcee45e10 a2=7f5fcedf98c0 a3=7f5fcd2a71b0 items=0 ppid=1 pid=5867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256181.035:1912): avc:  denied  { transition } for  pid=5867 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:55:42 2016
type=SYSCALL msg=audit(1473256542.578:72): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d8030 a1=7f66818d8000 a2=7f66818d80b0 a3=3 items=0 ppid=1 pid=2227 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256542.578:72): avc:  denied  { transition } for  pid=2227 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256542.578:72): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:55:42 2016
type=SYSCALL msg=audit(1473256542.775:74): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b6b40 a1=7f66818d9fb0 a2=7f66818d5790 a3=7f667f2701b0 items=0 ppid=1 pid=2229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256542.775:74): avc:  denied  { transition } for  pid=2229 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:55:50 2016
type=SYSCALL msg=audit(1473256550.226:81): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d8030 a1=7f66818c7b90 a2=7f66818b6b20 a3=3 items=0 ppid=1 pid=2240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256550.226:81): avc:  denied  { transition } for  pid=2240 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:55:50 2016
type=SYSCALL msg=audit(1473256550.241:83): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b6b40 a1=7f66818d9ff0 a2=7f66818d7fc0 a3=5 items=0 ppid=1 pid=2242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256550.241:83): avc:  denied  { transition } for  pid=2242 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:58:22 2016
type=SYSCALL msg=audit(1473256702.180:113): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d84c0 a1=7f6681826190 a2=7f66818b2550 a3=3 items=0 ppid=1 pid=2382 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256702.180:113): avc:  denied  { transition } for  pid=2382 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256702.180:113): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:58:22 2016
type=SYSCALL msg=audit(1473256702.225:115): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b03d0 a1=7f6681856e10 a2=7f66818d9300 a3=746e65674100 items=0 ppid=1 pid=2384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256702.225:115): avc:  denied  { transition } for  pid=2384 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=9556610 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:59:14 2016
type=SYSCALL msg=audit(1473256754.449:134): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d84c0 a1=7f66818b2550 a2=7f6681857680 a3=3 items=0 ppid=1 pid=2437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256754.449:134): avc:  denied  { transition } for  pid=2437 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256754.449:134): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:59:14 2016
type=SYSCALL msg=audit(1473256754.459:136): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b03d0 a1=7f66818d9300 a2=7f668187cfa0 a3=5 items=0 ppid=1 pid=2439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256754.459:136): avc:  denied  { transition } for  pid=2439 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=9556610 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 10:00:04 2016
type=SYSCALL msg=audit(1473256804.963:152): arch=c000003e syscall=59 success=yes exit=0 a0=7f66818d84c0 a1=7f66818b2550 a2=7f6681857680 a3=3 items=0 ppid=1 pid=2483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-storage-" exe="/usr/bin/bash" subj=system_u:system_r:docker_t:s0 key=(null)
type=AVC msg=audit(1473256804.963:152): avc:  denied  { transition } for  pid=2483 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 10:00:48 2016
type=SYSCALL msg=audit(1473256848.826:191): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d84c0 a1=7f66818b7280 a2=7f66818b0f90 a3=3 items=0 ppid=1 pid=2660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256848.826:191): avc:  denied  { transition } for  pid=2660 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256848.826:191): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 10:00:48 2016
type=SYSCALL msg=audit(1473256848.841:193): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b03d0 a1=7f6681828d10 a2=7f668187ce40 a3=5 items=0 ppid=1 pid=2662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256848.841:193): avc:  denied  { transition } for  pid=2662 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=9556610 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 11:46:42 2016
type=SYSCALL msg=audit(1473263202.608:423): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d84c0 a1=7f66818b6240 a2=7f66818b7500 a3=3 items=0 ppid=1 pid=5533 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473263202.608:423): avc:  denied  { transition } for  pid=5533 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473263202.608:423): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 11:46:42 2016
type=SYSCALL msg=audit(1473263202.619:425): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b03d0 a1=7f668184a7e0 a2=7f6681828da0 a3=5 items=0 ppid=1 pid=5535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473263202.619:425): avc:  denied  { transition } for  pid=5535 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=9556610 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process

Comment 5 Daniel Walsh 2016-09-07 16:31:15 UTC
Looks like typebounds are not properly supported in the RHEL kernel.  Removal of typebounds from the policy should fix this issue.

I have pushed an update to docker-selinux.

Comment 7 Daniel Walsh 2016-09-07 17:07:37 UTC
Fixed in docker-1.10.3-53.el7.x86_64

Comment 8 Alex Jia 2016-09-09 04:55:44 UTC
(In reply to Daniel Walsh from comment #7)
> Fixed in docker-1.10.3-53.el7.x86_64

Daniel, I met another AVC denial in docker-1.10.3-53.el7.x86_64.

# getenforce
Enforcing

# systemctl start docker
Failed to get properties: Access denied

<audit>
type=USER_AVC msg=audit(1473396275.252:48576): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
</audit>

# setenforce 0

# getenforce
Permissive

# systemctl start docker
# systemctl is-active docker
active

Comment 9 Daniel Walsh 2016-09-09 11:53:36 UTC
That is allowed in Rawhide.

audit2allow  -i /tmp/t


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t docker_unit_file_t:service status;

Comment 10 Daniel Walsh 2016-09-09 11:56:07 UTC
On RHEL I also see this as allowed.

sudo sh
sh-4.2# audit2allow 
type=USER_AVC msg=audit(1473396275.252:48576): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t docker_unit_file_t:service status;

# rpm -q selinux-policy docker-selinux
selinux-policy-3.13.1-97.el7.noarch
docker-selinux-1.10.3-53.el7.x86_64
# getenforce 
Enforcing
# systemctl restart docker
#

Comment 11 Alex Jia 2016-09-09 16:04:13 UTC
(In reply to Daniel Walsh from comment #10)

It is also allowed for me, but I can't status/stop/start the docker service with SELinux in enforcing mode and get "Access denied"; I will attach the strace output as an attachment.

[root@dhcp-2-50 ~]# audit2allow -i /tmp/t


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t docker_unit_file_t:service status;
[root@dhcp-2-50 ~]# getenforce
Permissive
[root@dhcp-2-50 ~]# setenforce 1
[root@dhcp-2-50 ~]# audit2allow -i /tmp/t


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t docker_unit_file_t:service status;
[root@dhcp-2-50 ~]# getenforce
Enforcing


[root@dhcp-2-50 ~]# systemctl status docker
Failed to get properties: Access denied

[root@dhcp-2-50 ~]# systemctl stop docker
Failed to stop docker.service: Access denied

Failed to get load state of docker.service: Access denied
[root@dhcp-2-50 ~]# systemctl start docker
Failed to start docker.service: Access denied


[root@dhcp-2-50 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)

[root@dhcp-2-50 ~]# rpm -q selinux-policy docker docker-selinux
selinux-policy-3.13.1-97.el7.noarch
docker-1.10.3-53.el7.x86_64
docker-selinux-1.10.3-53.el7.x86_64

Comment 12 Alex Jia 2016-09-09 16:05:19 UTC
Created attachment 1199528 [details]
strace for systemctl status docker

Comment 13 Daniel Walsh 2016-09-09 17:45:41 UTC
Alex, could you try

yum reinstall docker-selinux

It seems like the policy is not currently loaded.

Comment 14 Alex Jia 2016-09-10 02:53:11 UTC
(In reply to Daniel Walsh from comment #13)
> Alex could you try 
> 
> yum reinstall docker-selinux
> 
> It seems like the policy is not currently loaded.

Daniel, I can start the docker service on another RHEL7 system, so it may be an ENV issue.

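An added example, not part of this bug report and not audit or audit2allow code: a small Python parser that reads the kinds of records posted in comments 4 and 8, groups them by audit event serial, and flags a transition denial as a typebounds rejection when the same event carries a SELINUX_ERR reason=bounds record, which is the signature behind the diagnosis in comment 5; USER_AVC records, whose denial sits inside a quoted msg='...' field, are parsed too. The sample records are shortened copies of the ones above; the parser, its field names and the triage wording are this example's own.

```python
"""Group Linux audit records by event and triage SELinux denials.

Handles kernel AVC and SELINUX_ERR records as well as USER_AVC records
(denial nested inside msg='...').  A transition denial whose event also
carries SELINUX_ERR reason=bounds is flagged as a typebounds rejection.
Sample records are constructed, shortened copies of the ones in this bug;
the parser and its field names are this example's own."""
import re
from collections import defaultdict

# Constructed sample: a plain transition denial (event 4761), a transition
# denial with a bounds error (event 191) and a USER_AVC from systemd (48576).
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1472842953.881:4761): arch=c000003e syscall=59 success=no exit=-13 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472842953.881:4761): avc:  denied  { transition } for  pid=9131 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c738,c986 tclass=process
type=SYSCALL msg=audit(1473256848.826:191): arch=c000003e syscall=59 success=no exit=-13 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256848.826:191): avc:  denied  { transition } for  pid=2660 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256848.826:191): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
type=USER_AVC msg=audit(1473396275.252:48576): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
# key=value pairs: double-quoted, single-quoted (nested msg) or bare values;
# bare values may contain ':' and ',' (SELinux contexts, category sets).
KV_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")


def parse_fields(body):
    """Turn a record body into a dict; a nested msg='...' value is parsed
    recursively so its scontext/tcontext land in the same dict."""
    fields = {}
    for m in KV_RE.finditer(body):
        key, dq, sq, bare = m.groups()
        if key == "msg" and sq is not None:
            fields.update(parse_fields(sq))
        fields[key] = dq if dq is not None else sq if sq is not None else bare
    return fields


def parse_events(text):
    """Group records by audit serial (the number after the timestamp)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. ausearch '----' separators)
        rtype, stamp, serial, body = m.groups()
        rec = {"type": rtype, "time": float(stamp)}
        rec.update(parse_fields(body))
        d = DENIED_RE.search(body)
        if d:
            rec["denied"] = d.group(1).split()
        events[int(serial)].append(rec)
    return events


def type_of(context):
    """system_u:system_r:docker_t:s0 -> docker_t (the type is field 3)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize_denials(text):
    """One summary per denial, in serial order: source/target type, class,
    permissions, and whether the event carries SELINUX_ERR reason=bounds."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        bounds = any(r["type"] == "SELINUX_ERR" and r.get("reason") == "bounds"
                     for r in recs)
        for r in recs:
            if "denied" not in r:
                continue
            out.append({
                "serial": serial,
                "source": type_of(r["scontext"]),
                "target": type_of(r["tcontext"]),
                "tclass": r["tclass"],
                "perms": r["denied"],
                "typebounds_violation": bounds,
                "user_avc": r["type"] == "USER_AVC",
            })
    return out


def triage(summary):
    """Defender-oriented reading of one denial summary."""
    s = dict(summary, perms=" ".join(summary["perms"]))
    if s["typebounds_violation"]:
        return ("{source} -> {target} {perms} rejected by a kernel typebounds check "
                "(SELINUX_ERR reason=bounds); an extra allow rule does not help, the "
                "bound has to be relaxed or removed in the policy module").format(**s)
    if s["user_avc"]:
        return ("{source} denied {perms} on {target} (class {tclass}) by a userspace "
                "object manager (systemd); if audit2allow reports the rule as already "
                "allowed, check that the loaded module matches the installed package").format(**s)
    return "{source} denied {perms} on {target} (class {tclass}) by the kernel".format(**s)


if __name__ == "__main__":
    for summary in summarize_denials(SAMPLE_RECORDS):
        print(summary["serial"], triage(summary))
```

Feed it real `ausearch -m AVC,USER_AVC,SELINUX_ERR` output instead of the sample to see which denials are policy gaps and which are bounds rejections.
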
Comment 16 Luwen Su 2016-11-10 09:56:37 UTC
# getenforce
Enforcing
# rpm -q selinux-policy
selinux-policy-3.13.1-102.el7_3.4.noarch
# rpm -q container-selinux
container-selinux-1.12.3-4.el7.x86_64
# rpm -q docker
docker-1.12.3-4.el7.x86_64
# service docker restart
Redirecting to /bin/systemctl restart  docker.service
# echo $?
0


Move to verified

Comment 18 errata-xmlrpc 2017-01-17 20:43:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html