Bug 1388623

Summary: [SELinux] Router creation is failing with AVC's
Product: Red Hat Enterprise Linux 7
Reporter: Prasanth <pprakash>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED WORKSFORME
QA Contact: atomic-bugs <atomic-bugs>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.3
CC: amurdaca, annair, dwalsh, hchiramm, lpabon, lsm5, lvrabec, mgrepl, mliyazud, mmalik, plautrba, pprakash, pvrabec, rcyriac, rhs-bugs, sankarshan, ssekidde
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1388621
Environment:
Last Closed: 2016-11-08 06:41:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1388621

Description Prasanth 2016-10-25 19:02:48 UTC
+++ This bug was initially created as a clone of Bug #1388621 +++

Description of problem:

I'm seeing the following AVCs while trying to create a router:

Version-Release number of selected component (if applicable):
docker-selinux-1.10.3-46.el7.14.x86_64
docker-1.10.3-46.el7.14.x86_64
selinux-policy-3.13.1-102.el7.noarch
atomic-openshift-3.4.0.15-1.git.0.9c963ec.el7.x86_64

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

# uname -r
3.10.0-514.el7.x86_64

How reproducible: 100%


Steps to Reproduce:
1. # oadm router storage-project-router --replicas=1

Actual results: Router creation is NOT successful and AVCs are seen


Expected results: Router creation should be successful and NO AVCs should be seen


Additional info:

############
type=AVC msg=audit(1477421059.638:30124): avc:  denied  { transition } for  pid=3075 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
type=AVC msg=audit(1477421062.021:30126): avc:  denied  { transition } for  pid=3095 comm="exe" path="/usr/bin/pod" dev="dm-9" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process
type=AVC msg=audit(1477421069.356:30130): avc:  denied  { transition } for  pid=3169 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process


----
type=SYSCALL msg=audit(Wednesday 26 October 2016 A.863:30816) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0xc8205af290 a1=0xc8205af2a0 a2=0xc8200878c0 a3=0x0 items=0 ppid=3803 pid=11016 auid=unset uid=unknown(1001) gid=root euid=unknown(1001) suid=unknown(1001) fsuid=unknown(1001) egid=root sgid=root fsgid=root tty=(none) ses=unset comm=exe exe=/usr/bin/docker-current subj=system_u:system_r:unconfined_service_t:s0 key=(null) 
type=AVC msg=audit(Wednesday 26 October 2016 A.863:30816) : avc:  denied  { transition } for  pid=11016 comm=exe path=/usr/bin/pod dev="dm-6" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process 


allow svirt_lxc_net_t unconfined_service_t:process sigchld;
allow unconfined_service_t svirt_lxc_net_t:process transition;
#################

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-10-25 14:59:01 EDT ---

This bug is automatically being proposed for the current release of Red Hat Gluster Storage 3 under active development, by setting the release flag 'rhgs-3.2.0' to '?'.

If this bug should be proposed for a different release, please manually change the proposed release flag.
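As an added triage example (not code from the bug report or from the docker project), a small Python script that parses AVC records like the ones above and flags denied process transitions whose source domain is unconfined_service_t. That domain is what systemd assigns to a service whose binary has no policy of its own, so a container runtime trying to enter svirt_lxc_net_t from there points at broken docker-selinux labeling of the daemon rather than at a misbehaving container, and the two audit2allow rules above would hide that rather than fix it. The sample records are constructed from the ones in the report, plus one unrelated denial to show filtering.

```python
import re
from collections import Counter

# Constructed sample audit lines, modelled on the AVC records in this report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1477421059.638:30124): avc:  denied  { transition } for  pid=3075 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
type=AVC msg=audit(1477421062.021:30126): avc:  denied  { transition } for  pid=3095 comm="exe" path="/usr/bin/pod" dev="dm-9" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process
type=AVC msg=audit(1477421100.000:30200): avc:  denied  { read } for  pid=4000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1477421062.021:30126): arch=c000003e syscall=59 success=no exit=-13
"""

# Matches the fields of a raw (non-interpreted) AVC record from audit.log.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Yield one dict per AVC record; SYSCALL and other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # A context is user:role:type:level; the type is the third field.
        rec["sdomain"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        yield rec


def unlabeled_runtime_transitions(text):
    """Count denied process transitions originating from unconfined_service_t.

    A hit means the process that tried to start the container was itself
    running without a runtime domain, i.e. the policy module that should label
    the daemon is missing or broken. The fix is correct labeling of the
    runtime, not an allow rule for the transition.
    """
    hits = Counter()
    for rec in parse_avc(text):
        if (rec["result"] == "denied" and rec["tclass"] == "process"
                and "transition" in rec["perms"]
                and rec["sdomain"] == "unconfined_service_t"):
            hits[(rec["sdomain"], rec["ttype"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst), n in unlabeled_runtime_transitions(SAMPLE_AUDIT).items():
        print(f"{n} denied transition(s) {src} -> {dst}: check the runtime's SELinux labeling")
```

Feed it real records with `ausearch -m AVC --raw` rather than the interpreted (`-i`) form, which rewrites the timestamps and quoting the regex expects.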

Comment 1 Daniel Walsh 2016-11-04 12:38:49 UTC
We seem to have a bad version of docker and docker-selinux in the release?

Comment 2 Prasanth 2016-11-08 06:41:00 UTC
I've re-tested this using the latest RHEL-7.3 GA bits and it looks like the router creation works well with SELinux in Enforcing mode.

#######
selinux-policy-3.13.1-102.el7_3.4.noarch
docker-selinux-1.10.3-57.el7.x86_64
NAME                        REVISION   DESIRED   CURRENT   TRIGGERED BY
dc/storage-project-router   1          1         1         config

NAME                          DESIRED   CURRENT   READY     AGE
rc/storage-project-router-1   1         1         1         4m

NAME                         CLUSTER-IP       EXTERNAL-IP   PORT(S)                   AGE
svc/storage-project-router   172.30.131.240   <none>        80/TCP,443/TCP,1936/TCP   4m

NAME                                READY     STATUS    RESTARTS   AGE
po/storage-project-router-1-uuomp   1/1       Running   0          4m


# oc get pods
NAME                             READY     STATUS    RESTARTS   AGE
storage-project-router-1-uuomp   1/1       Running   0          1m
#######