| Summary: | SELinux is preventing chown from 'setattr' access on the file 'postgres_run'. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michael Hampton <error> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 25 | CC: | adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, nalin, riek, shane, tmoreira, vbatts |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-28 13:38:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Please specify the docker command you were using to get this error to happen.

(In reply to Daniel Walsh from comment #1)
> Please specify the docker command you were using to get this error to happen.

The command that was run was:

```
/usr/bin/docker run -e LANG=en_US.UTF-8 -e RAILS_ENV=production -e UNICORN_WORKERS=3 \
  -e UNICORN_SIDEKIQS=1 -e RUBY_GLOBAL_METHOD_CACHE_SIZE=131072 \
  -e RUBY_GC_HEAP_GROWTH_MAX_SLOTS=40000 -e RUBY_GC_HEAP_INIT_SLOTS=400000 \
  -e RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR=1.5 -e DISCOURSE_DB_SOCKET=/var/run/postgresql \
  -e DISCOURSE_DB_HOST= -e DISCOURSE_DB_PORT= -e HOME=/root \
  -e DISCOURSE_DEVELOPER_EMAILS=error -e DISCOURSE_HOSTNAME=example.com \
  -e DISCOURSE_SMTP_ADDRESS=smtp.sendgrid.net -e DISCOURSE_SMTP_PORT=587 \
  -e DISCOURSE_SMTP_USER_NAME=apikey -e DISCOURSE_SMTP_PASSWORD= \
  -e DISCOURSE_SMTP_ENABLE_START_TLS=true -e DOCKER_HOST_IP=172.17.0.1 \
  --cidfile cids/app_bootstrap.cid -i -a stdin -a stdout -a stderr \
  -v /var/lib/docker/data/discourse-shared:/shared \
  -v /var/lib/docker/data/discourse-log:/var/log \
  discourse/discourse:1.3.8 /bin/bash -c 'cd /pups && git pull && /pups/bin/pups --stdin'
```

You need to add the :Z at the end so that docker will label the content private to the container:

```
-v /var/lib/docker/data/discourse-shared:/shared:Z \
-v /var/lib/docker/data/discourse-log:/var/log:Z \
discourse/discourse:1.3.8
```

http://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/

I've got the same issue when running any docker container that volume-mounts a host directory. Adding the :Z flag to the mount doesn't solve the issue. Details:
```
SELinux is preventing chown from setattr access on the fifo_file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that chown should be allowed setattr access on the fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'chown' --raw | audit2allow -M my-chown
# semodule -X 300 -i my-chown.pp
Additional Information:
Source Context system_u:system_r:spc_t:s0
Target Context system_u:system_r:docker_t:s0
Target Objects [ fifo_file ]
Source chown
Source Path chown
Port <Unknown>
Host sk-fed
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.13.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name sk-fed
Platform Linux sk-fed 4.10.15-200.fc25.x86_64 #1 SMP Mon
May 8 18:46:06 UTC 2017 x86_64 x86_64
Alert Count 3
First Seen 2017-05-18 13:00:16 BST
Last Seen 2017-05-18 13:00:35 BST
Local ID 9a5bb81c-dcdd-4eef-97e9-1b77e9790e76
Raw Audit Messages
type=AVC msg=audit(1495108835.983:760): avc: denied { setattr } for pid=13041 comm="chown" name="" dev="pipefs" ino=1572353 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=fifo_file permissive=0
Hash: chown,spc_t,docker_t,fifo_file,setattr
```
Docker command:
```
docker run --name sk-mongo -v /data/mongo/db:/data/db:Z -d mongo --storageEngine wiredTiger
```
You are running a spc_t container first of all, so did you disable SELinux inside of docker? This is an AVC that is denied. Looks like a fifo_file is being presented by docker into the container; this has nothing to do with the database. Did you force the label of docker_t onto a fifo object? I.e., did you do a chcon -t docker_t at some point?

Nope, I've done none of those things. I just installed docker and ran a container, which I would expect to Just Work(TM). I do know that SELinux is not enabled inside the container though, so that's one thing. Thanks for the help so far though :)

Oh, I forgot, more info: Fedora 25, Docker version 17.03.1-ce, build c6d412e, installed via the instructions here: https://docs.docker.com/engine/installation/linux/fedora/ No other actions taken, just ran a container with a volume mount. The same happens with any container which has mounts.

You will have to report this as an issue to them. This is not a Fedora package. I have no idea what is going on with a fifo_file being leaked into the container with a docker_t label. This looks very strange. docker_t is a process label, and would only be labeled in the /proc file system; not sure what fifo file would be there or why a container process would be attempting to change the ownership/permissions of the fifo file. Please open an issue and cc me.

Thanks, I've reported the bug here: https://github.com/moby/moby/issues/33270

Just ran into the same alert. The message came after I created the following container:
```
$ docker run -d --hostname victims-mongo --name victims-mongo -p 27017:27017 mongo:latest
```

My environment:

```
$ uname -a
Linux dev.localdomain 4.11.8-200.fc25.x86_64 #1 SMP Thu Jun 29 16:13:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ docker --version
Docker version 1.12.6, build ae7d637/1.12.6
$ sudo ausearch -c 'chown' --raw
type=AVC msg=audit(1499429225.595:675): avc: denied { setattr } for pid=9816 comm="chown" name="" dev="pipefs" ino=1097082 scontext=system_u:system_r:container_t:s0:c92,c375 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1499429225.595:676): avc: denied { setattr } for pid=9816 comm="chown" name="" dev="pipefs" ino=1097083 scontext=system_u:system_r:container_t:s0:c92,c375 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
```

```
Additional Information:
Source Context system_u:system_r:container_t:s0:c92,c375
Target Context system_u:system_r:container_runtime_t:s0
Target Objects [ fifo_file ]
Source chown
Source Path chown
Port <Unknown>
Host dev.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.18.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name dev.localdomain
Platform Linux dev.localdomain 4.11.8-200.fc25.x86_64 #1
SMP Thu Jun 29 16:13:56 UTC 2017 x86_64 x86_64
Alert Count 2
First Seen 2017-07-07 08:07:05 EDT
Last Seen 2017-07-07 08:07:05 EDT
Local ID 1b1b100b-c1f2-4106-b3f4-0f2e56d672e8
Raw Audit Messages
type=AVC msg=audit(1499429225.595:676): avc: denied { setattr } for pid=9816 comm="chown" name="" dev="pipefs" ino=1097083 scontext=system_u:system_r:container_t:s0:c92,c375 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
Hash: chown,container_t,container_runtime_t,fifo_file,setattr
```
The original AVCs were around a volume being mounted into the container; the ones you are seeing are different. These are FIFO_FILEs that are being used to communicate STDOUT, STDERR and STDIN into the container and back to the container runtime. Please open a separate bugzilla for these. The bug here is that we need the container runtime to label these correctly for the container.
Description of problem:

SELinux is preventing chown from 'setattr' access on the file 'postgres_run'.

```
type=AVC msg=audit(1479950047.847:577): avc: denied { setattr } for pid=7878 comm="chown" name="postgres_run" dev="dm-0" ino=922109 scontext=system_u:system_r:container_t:s0:c102,c546 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
```

Version-Release number of selected component (if applicable):
docker-1.12.3-7.git47e22f2.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Start a docker container with a volume mounted on the host in a subdirectory under /var/lib/docker/data. In this case /var/lib/docker/data/discourse-shared is exposed to the docker container as /shared.
2. The app in the docker container shall attempt to chown a file within the /shared volume.

Actual results:

```
I, [2016-11-24T01:14:07.845321 #15] INFO -- : > chown postgres:postgres /shared/postgres_run
chown: changing ownership of '/shared/postgres_run': Permission denied
```

Expected results:

```
I, [2016-11-24T01:18:44.356815 #14] INFO -- : > chown postgres:postgres /shared/postgres_run
I, [2016-11-24T01:18:44.359506 #14] INFO -- :
I, [2016-11-24T01:18:44.359813 #14] INFO -- : > chmod 775 /shared/postgres_run
I, [2016-11-24T01:18:44.362028 #14] INFO -- :
```

Additional info:
This was encountered while attempting to install Discourse on Fedora 25 using (mostly) the instructions at https://github.com/discourse/discourse/blob/master/docs/INSTALL-cloud.md, changing in app.yml the paths to the host volumes. This app expects to be able to chown and chmod files in the host volumes it uses. On Fedora 24 this functionality worked fine. I filed this against docker as the relevant SELinux policy appears to be in the container-selinux package.
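The two kinds of denial on this page look identical in a sealert popup (chown denied setattr) but have different causes and different fixes, which is the distinction drawn in the last comment of the thread. The following Python script is an added example, not code from this report, from docker/moby or from container-selinux: it parses raw AVC records and applies that distinction. A confined container_t process denied on a host directory whose type is not container_file_t is a bind mount that was never relabeled (the :Z case from the description); a fifo_file on pipefs labeled with the runtime's own process type (docker_t or container_runtime_t) is one of the stdin/stdout/stderr pipes the runtime wires into the container, which no volume option can change. The sample records are the three AVC lines quoted in this report. The sets of type names, the inclusion of the older svirt_lxc_net_t and svirt_sandbox_file_t aliases, the verdict strings and the advice text are this example's own assumptions; the reading of spc_t as a container run without SELinux separation follows the comments above.

```python
"""Triage container-related SELinux AVC denials.  Added example for this bug report,
not code from docker/moby/container-selinux; the type-name sets are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample input: the three AVC records quoted in this report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1479950047.847:577): avc: denied { setattr } for pid=7878 '
    'comm="chown" name="postgres_run" dev="dm-0" ino=922109 '
    'scontext=system_u:system_r:container_t:s0:c102,c546 '
    'tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1495108835.983:760): avc: denied { setattr } for pid=13041 '
    'comm="chown" name="" dev="pipefs" ino=1572353 scontext=system_u:system_r:spc_t:s0 '
    'tcontext=system_u:system_r:docker_t:s0 tclass=fifo_file permissive=0',
    'type=AVC msg=audit(1499429225.595:675): avc: denied { setattr } for pid=9816 '
    'comm="chown" name="" dev="pipefs" ino=1097082 '
    'scontext=system_u:system_r:container_t:s0:c92,c375 '
    'tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0',
]

AVC_RE = re.compile(r"type=AVC msg=audit\(\d+\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+)\} for (?P<fields>.*?)\s+permissive=(?P<permissive>[01])")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # value is quoted (maybe empty) or bare

# svirt_* are the older aliases of the container-selinux types (assumption, see lead-in)
CONTAINER_DOMAINS = {"container_t", "svirt_lxc_net_t"}       # confined container processes
RUNTIME_DOMAINS = {"container_runtime_t", "docker_t"}        # the daemon/runtime itself
VOLUME_TYPES = {"container_file_t", "svirt_sandbox_file_t"}  # what :Z / :z relabel to
FS_CLASSES = {"dir", "file", "lnk_file", "sock_file", "chr_file", "blk_file"}

@dataclass(frozen=True)
class Avc:
    serial: int
    perms: frozenset
    comm: str
    stype: str    # source (process) type; slevel may carry MCS categories, e.g. s0:c92,c375
    slevel: str
    ttype: str
    tlevel: str
    tclass: str
    name: str
    dev: str
    enforcing: bool

def _split_context(ctx):
    """user:role:type:level -> (type, level)."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError("malformed SELinux context: " + ctx)
    return parts[2], parts[3]

def parse_avc(line):
    """Parse one raw audit line; None if it is not an AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: q or bare for k, q, bare in FIELD_RE.findall(m.group("fields"))}
    stype, slevel = _split_context(f["scontext"])
    ttype, tlevel = _split_context(f["tcontext"])
    return Avc(int(m.group("serial")), frozenset(m.group("perms").split()), f.get("comm", ""),
               stype, slevel, ttype, tlevel, f["tclass"], f.get("name", ""), f.get("dev", ""),
               m.group("permissive") == "0")

def triage(avc):
    """Map a denial to one of the cases the thread distinguishes."""
    if avc.tclass == "fifo_file" and avc.ttype in RUNTIME_DOMAINS:
        return "runtime-stdio-pipe"      # pipe carrying a *process* type: runtime stdio plumbing
    if avc.tclass in FS_CLASSES and avc.stype in CONTAINER_DOMAINS and avc.ttype not in VOLUME_TYPES:
        return "volume-not-relabeled"    # confined container on never-relabeled host content
    if avc.stype == "spc_t":
        return "unconfined-container"
    return "unclassified"

ADVICE = {
    "volume-not-relabeled": "bind-mount the host path with :Z (private, carries the "
        "container's MCS categories) or :z (shared) so it is relabeled container_file_t",
    "runtime-stdio-pipe": "stdin/stdout/stderr pipe labeled with the runtime's process "
        "type; no volume option changes it, the runtime must label it for the container",
    "unconfined-container": "source is spc_t, the container runs without SELinux separation",
    "unclassified": "no rule matched; read scontext/tcontext/tclass by hand",
}

def explain(avc):
    """Verdict plus the side observations an analyst wants on the same screen."""
    verdict = triage(avc)
    out = ["serial %d: %s denied %s on %s, %s(%s) -> %s(%s), %s" % (
               avc.serial, avc.comm, " ".join(sorted(avc.perms)), avc.tclass, avc.stype,
               avc.slevel, avc.ttype, avc.tlevel, "enforcing" if avc.enforcing else "permissive"),
           "  %s: %s" % (verdict, ADVICE[verdict])]
    if avc.stype == "spc_t" and verdict != "unconfined-container":
        out.append("  note: " + ADVICE["unconfined-container"])
    if avc.dev == "pipefs" and avc.name == "":
        out.append("  note: dev=pipefs with an empty name is an anonymous pipe, not a FIFO "
                   "on any mounted filesystem")
    return "\n".join(out)

if __name__ == "__main__":
    for raw in SAMPLE_AVCS:
        print(explain(parse_avc(raw)))
```

Feed it the output of `ausearch -m AVC --raw` line by line instead of SAMPLE_AVCS to triage a live host. The ordering of the rules matters: the fifo_file check runs first so that a pipe carrying a process type is never mistaken for volume content, and the spc_t observation is reported as a note alongside whichever verdict applies, since a container running without SELinux separation should be visible to the analyst whatever else is going on.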