Bug 1461407
| Summary: | SELinux is preventing iptables from 'read' accesses on the file file. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Peter Hjalmarsson <kanelxake> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 26 | CC: | anass.1430, dominick.grift, dwalsh, lvrabec, mgrepl, mrfavadi, plautrba, pmoore, ssekidde, vilmos.nagy, wallner |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:0191a8b01a48a7eac76b97b9112236c049b5fa29fab34ac65348ee1abd0c7fec;VARIANT_ID=workstation; | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-07-19 10:49:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:
Every time I create a new container on docker under Fedora 26 Beta. I use a custom network in my docker-compose v2 file.

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.11.7-300.fc26.x86_64
type: libreport

Only one time, the selinux alert program gave me the absolute path to the file: /var/run/docker/netns/<hash-with-letters>
The docker-compose file I use, which creates an internal network by default for its containers:
version: '2'
services:
  db:
    image: docker.io/library/postgres:9.4
    environment:
      - POSTGRES_USER=odoo
      - POSTGRES_PASSWORD=odoo
    volumes:
      - postgres_data:/var/lib/postgresql
  odoo:
    build: .
    image: centione/ravin:10.0
    environment:
      - POSTGRES_USER=odoo
      - POSTGRES_PASSWORD=odoo
    volumes:
      - odoo_data:/var/lib/odoo
      - ./:/mnt/extra-addons:ro,Z
    ports:
      - "8001:8069"
    tty: true
volumes:
  postgres_data:
  odoo_data:
Sent patch upstream https://github.com/fedora-selinux/selinux-policy/pull/197

Description of problem:
I've started a docker image with docker-compose. Some useful info:
[vilmosnagy@vnagy-dell docker]$ ls -la
total 40
drwxrwxr-x. 5 vilmosnagy vilmosnagy 4096 Jul 12 16:50 .
drwxrwxr-x. 24 vilmosnagy vilmosnagy 4096 Jul 12 16:48 ..
drwxrwxr-x. 2 vilmosnagy vilmosnagy 4096 Jun 28 18:27 authentication
-rw-rw-r--. 1 vilmosnagy vilmosnagy 325 Jul 12 16:50 docker-compose.override.yml
-rw-rw-r--. 1 vilmosnagy vilmosnagy 1609 Jun 28 18:27 docker-compose.yml
-rw-rw-r--. 1 vilmosnagy vilmosnagy 1372 Jun 28 18:27 Dockerfile
drwxrwxr-x. 2 vilmosnagy vilmosnagy 4096 Jun 28 18:27 kfonix-server
drwxrwxr-x. 2 vilmosnagy vilmosnagy 4096 Jun 28 18:27 log
-rw-rw-r--. 1 vilmosnagy vilmosnagy 164 Jun 28 18:27 sample-docker-compose.override.yml
-rwxrwxr-x. 1 vilmosnagy vilmosnagy 349 Jun 28 18:27 start.sh
[vilmosnagy@vnagy-dell docker]$ cat docker-compose.yml
version: "2"
services:
  master:
    image: some_meaningful_url
    networks:
      kfonixnet:
        ipv4_address: 172.30.255.17
    ports:
      - 9080:9080
      - 8080:8080
      - 9990:9990
      - 8787:8787
      - 8788:8788
      - 10080:10080
      # Some of these are described in the wiki here: Wildfly run and deploy
    environment:
      - DB_USERNAME=
      - DB_PASSWORD=
      - KFONIX_ENV=wv
      - KFONIX_STANDALONE=true
      - LIQUIBASE_RUN_MANGLD=Mxiqz1xzE9
      - FunctionExpressionResolver=43ereDS+!+SD+
      - JVM_XMS=2g # -Xms on each node
      - JVM_XMX=4g # -Xmx on each node
      - DB_POOL_MIN_SIZE=10 # minimum DB connection pool size
      - DB_POOL_MAX_SIZE=15 # maximum DB connection pool size
    volumes:
      - /tmp:/tmp
networks:
  kfonixnet:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.255.0/24
[vilmosnagy@vnagy-dell docker]$ cat docker-compose.override.yml
version: "2"
services:
  master:
    environment:
      - DB_USERNAME=ulykonyv_nv_empty
      - DB_PASSWORD=pwd123
      - KFONIX_ENV=wv
      - KFONIX_STANDALONE=true
      - DB_POOL_MIN_SIZE=3 # minimum DB connection pool size
      - DB_POOL_MAX_SIZE=3 # maximum DB connection pool size
[vilmosnagy@vnagy-dell docker]$ cat Dockerfile
FROM openjdk:8
EXPOSE 8080 9990 8787
ENV HOME /root
COPY kfonix-server/ $HOME/kfonix-server
RUN cd /opt \
&& curl -O http://192.168.62.234:8080/nexus/service/local/repositories/thirdparty/content/hu/kfonix/wildfly/5.0.6/wildfly-5.0.6.tar.gz \
&& tar xvfz wildfly-5.0.6.tar.gz \
&& rm -rf wildfly-5.0.6.tar.gz
COPY start.sh $KFONIX_HOME/
COPY authentication/ $KFONIX_HOME/domain/configuration/
COPY authentication/ $KFONIX_HOME/standalone/configuration/
COPY log/logback.xml $KFONIX_HOME/configuration/logback.xml
CMD sed -i "s/\${db_username}/$DB_USERNAME/g" /root/kfonix-server/server-wv.properties \
&& sed -i "s/\${db_password}/$DB_PASSWORD/g" /root/kfonix-server/server-wv.properties \
&& sed -i "s/\${jvm_xms}/$JVM_XMS/g" /root/kfonix-server/server-wv.properties \
&& sed -i "s/\${jvm_xmx}/$JVM_XMX/g" /root/kfonix-server/server-wv.properties \
&& sed -i "s/\${db_pool_min_size}/$DB_POOL_MIN_SIZE/g" /root/kfonix-server/server-wv.properties \
&& sed -i "s/\${db_pool_max_size}/$DB_POOL_MAX_SIZE/g" /root/kfonix-server/server-wv.properties \
&& sed -i "s/\${env}/$KFONIX_ENV/g" /root/kfonix-server/server-local.properties \
&& cd $KFONIX_HOME \
&& ./start.sh
[vilmosnagy@vnagy-dell docker]$ docker version
Client:
Version: 17.06.0-ce
API version: 1.30
Go version: go1.8.3
Git commit: 02c1d87
Built: Fri Jun 23 21:22:33 2017
OS/Arch: linux/amd64
Server:
Version: 17.06.0-ce
API version: 1.30 (minimum version 1.12)
Go version: go1.8.3
Git commit: 02c1d87
Built: Fri Jun 23 21:23:51 2017
OS/Arch: linux/amd64
Experimental: false
[vilmosnagy@vnagy-dell docker]$ docker-compose version
docker-compose version 1.13.0, build 1719ceb
docker-py version: 2.2.1
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.1.0f-fips 25 May 2017
[vilmosnagy@vnagy-dell docker]$
Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch
Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.11.8-300.fc26.x86_64
type: libreport
Description of problem:
Happens when I'm trying to use docker-compose. The installed docker package is from the official repository.

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.11.9-300.fc26.x86_64
type: libreport

Description of problem:
I use docker-compose to start a cluster definition on localhost. Every time the container comes up, this alert pops up.

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.11.9-300.fc26.x86_64
type: libreport

I think this is a duplicate of Bug 1461817 which was fixed by this update: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
You may close it as a duplicate and confirm it's resolved with the patch of the original bug.
Description of problem:
Upgraded my system including firewalld

SELinux is preventing iptables from 'read' accesses on the file file.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that iptables should be allowed read access on the file file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iptables' --raw | audit2allow -M my-iptables
# semodule -X 300 -i my-iptables.pp

Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                file [ file ]
Source                        iptables
Source Path                   iptables
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-257.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.4-300.fc26.x86_64 #1 SMP Wed Jun 7 18:07:41 UTC 2017 x86_64 x86_64
Alert Count                   43
First Seen                    2017-06-14 14:04:09 CEST
Last Seen                     2017-06-14 14:04:09 CEST
Local ID                      74383695-243b-46fe-814d-861c133e6b4b

Raw Audit Messages
type=AVC msg=audit(1497441849.565:703): avc: denied { read } for pid=451 comm="iptables" path="net:[4026531967]" dev="nsfs" ino=4026531967 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Hash: iptables,iptables_t,container_runtime_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-257.fc26.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.11.4-300.fc26.x86_64
type: libreport
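The setroubleshoot report above suggests piping the raw AVC records through audit2allow to see what a local policy module would have to grant. As an added illustration, not code from the bug report or from the selinux-policy project, the following Python parses raw AVC records of the kind quoted above, derives the allow rule and the setroubleshoot-style alert key for each, and aggregates them into a .te module source the way `audit2allow -M` does. The first sample record is the one from the report; the second is a constructed variant (not from the page) that exercises a multi-permission denial logged in permissive mode. The type-enforcement output format is modelled on audit2allow's but is this example's own rendering.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input. The first record is the raw AVC message quoted in the
# bug report above; the second is constructed (not from the page) to show a
# multi-permission denial recorded while the domain was permissive.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1497441849.565:703): avc: denied { read } for pid=451 '
    'comm="iptables" path="net:[4026531967]" dev="nsfs" ino=4026531967 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1500000000.000:900): avc: denied { read write } for pid=777 '
    'comm="iptables" path="net:[4026531968]" dev="nsfs" ino=4026531968 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=1',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple
    comm: str
    pid: int
    path: str
    dev: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; the type is what policy rules use.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def allow_rule(self) -> str:
        # The single policy statement this record would translate into.
        return (f"allow {self.source_type} {self.target_type}:{self.tclass} "
                f"{{ {' '.join(self.perms)} }};")

    def alert_key(self) -> str:
        # Same shape as the "Hash:" line setroubleshoot prints in the report above.
        return ",".join([self.comm, self.source_type, self.target_type,
                         self.tclass, " ".join(self.perms)])


def parse_avc(line: str):
    """Parse one raw AVC audit record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        pid=int(fields.get("pid", 0)),
        path=fields.get("path", ""),
        dev=fields.get("dev", ""),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
    )


def build_te_module(lines, module_name: str) -> str:
    """Merge denials into a .te source in the style audit2allow -M produces."""
    denials = [d for d in map(parse_avc, lines) if d is not None]
    merged = defaultdict(set)  # (source type, target type, class) -> permissions
    for d in denials:
        merged[(d.source_type, d.target_type, d.tclass)].update(d.perms)
    types = sorted({t for key in merged for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(merged.items()):
        out.append(f"#============= {s} ==============")
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        d = parse_avc(rec)
        print(d.alert_key(), "->", d.allow_rule())
    print(build_te_module(SAMPLE_RECORDS, "my-iptables"))
```

Reading the generated rule before installing it is the point of the exercise: here it would let every `iptables_t` process read any `container_runtime_t` file, which is far broader than the one nsfs handle the denial was actually about. That is why a report like this one belongs upstream, where the policy fix (the pull request and update linked in the comments) can be scoped properly, and a locally generated module is at most a stopgap.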