Bug 1403254
| Field | Value |
|---|---|
| Summary | Running systemd in container produces AVC denial about writing to max_dgram_qlen |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Jan Pazdziora <jpazdziora> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Docs Contact | Mirek Jahoda <mjahoda> |
| Priority | high |
| Version | 7.3 |
| CC | adimania, admiller, amurdaca, dominick.grift, dwalsh, extras-qa, ichavero, jcajka, jchaloup, jpazdziora, lsm5, lvrabec, marianne, mgrepl, miminar, mjahoda, mmalik, nalin, plautrba, pvrabec, riek, ssekidde, vbatts |
| Target Milestone | rc |
| Keywords | Regression, ZStream |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-117.el7 |
| Doc Type | Bug Fix |
| Doc Text | Due to missing policy rules, SELinux denied running systemd in a container. The rules to allow containers to write to "unix_sysctls" and to use file descriptors leaked to them from parent processes were added, and the SELinux denials no longer occur. |
| Story Points | --- |
| Clone Of | 1373746 |
| Clones | 1408126 |
| Last Closed | 2017-08-01 15:17:42 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1373746 |
| Bug Blocks | 1408126 |
Comment 1
Jan Pazdziora
2016-12-09 14:13:19 UTC
Looks like I added a commit to virt.te to take care of this back in August.

    commit 1014781f4b6f08bef0a1ffda852d3bcd97ea506b
    Author: Dan Walsh <dwalsh>
    Date:   Mon Aug 22 10:06:39 2016 -0400

        Fixes for containers
        Allow containers to attempt to write to unix_sysctls.
        Allow containers to use the FD's leaked to them from parent processes.

Are you sure you have the latest policy installed? The dontaudit of usermodehelper happened back in March.

    8c42cec0f7 virt.te (Dan Walsh 2016-03-07 10:50:07 -0500 1360) kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)

Lukas, what version of virt.te do we have for rhel7.3?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
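A triage helper for the symptom and fix recorded in this bug, written as an added example rather than anything from the bug report or the selinux-policy project: it parses audit AVC records for the systemd write denial on max_dgram_qlen and checks whether an installed selinux-policy VERSION-RELEASE is at or past the Fixed In Version. The audit lines, the container and sysctl type names (svirt_lxc_net_t, sysctl_net_unix_t) and the sample version strings are constructed assumptions, not values taken from the report.

```python
import re

# "Fixed In Version" from the bug record; older builds may still produce the denial.
FIXED_IN = "3.13.1-117.el7"

# Constructed sample audit records, not copied from the report. The SELinux type
# names (svirt_lxc_net_t, sysctl_net_unix_t) are assumed for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1481292799.123:456): avc:  denied  { write } for  pid=2345 comm="systemd" name="max_dgram_qlen" dev="proc" ino=12345 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file
type=AVC msg=audit(1481292800.001:457): avc:  denied  { read } for  pid=2345 comm="systemd" name="hostname" dev="proc" ino=23456 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

def parse_avc(line):
    """Turn one AVC record into a dict of key=value fields plus a 'perms' set."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*)\}", line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["perms"] = set(m.group(1).split())
    return rec

def is_unix_sysctl_write_denial(rec):
    """The symptom in this bug: systemd denied write on the net/unix sysctl file."""
    return (rec is not None and "write" in rec["perms"]
            and rec.get("comm") == "systemd" and rec.get("tclass") == "file"
            and rec.get("name") == "max_dgram_qlen")

def find_denials(audit_text):
    """Return only the AVC records that match the max_dgram_qlen symptom."""
    return [r for r in map(parse_avc, audit_text.splitlines())
            if is_unix_sysctl_write_denial(r)]

def rpmvercmp(a, b):
    """Simplified rpm segment comparison (numeric vs alpha aware): -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segments sort after alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def policy_has_fix(installed, fixed=FIXED_IN):
    """Compare selinux-policy VERSION-RELEASE strings (as printed by rpm -q)."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0
```

Feed `find_denials` the text of `/var/log/audit/audit.log` and `policy_has_fix` the installed VERSION-RELEASE; a matching denial on a host that already reports the fix present points at a different cause than this bug.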