Bug 1461817

Summary: Starting docker daemon produces AVC denial about iptables_t and container_runtime_t
Product: [Fedora] Fedora Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: adimania, admiller, amurdaca, dominick.grift, dwalsh, fkluknav, ichavero, jcajka, jpazdziora, lsm5, lvrabec, marianne, mgrepl, mueller, nalin, plautrba, pmoore, riek, ssekidde, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-260.1.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-17 04:51:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2017-06-15 11:46:46 UTC 
Description of problem:

Starting docker daemon produces AVC denials like

type=AVC msg=audit(1497521828.624:143): avc:  denied  { read } for  pid=2472 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):

docker-1.13.1-13.git51eb16e.fc26
container-selinux-2.18-1.fc26

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y docker
2. systemctl start docker
3. Check audit.log.

Actual results:

time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.605:139): avc:  denied  { read } for  pid=2464 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.608:140): avc:  denied  { read } for  pid=2466 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.623:142): avc:  denied  { read } for  pid=2471 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.624:143): avc:  denied  { read } for  pid=2472 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.625:145): avc:  denied  { read } for  pid=2473 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.626:146): avc:  denied  { read } for  pid=2474 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Expected results:

No AVC denial.

Additional info:
Comment 2 Daniel Walsh 2017-06-15 12:23:56 UTC 
Need to add

container_read_state(iptables_t)

This pull request adds this interface

b22d1515cb3e164c0ac3cdc2020c2e8c4d7a55fd
Comment 3 Jan Pazdziora (Red Hat) 2017-07-04 08:39:14 UTC 
Which repo is this pull request against? Any chance of getting this merged and updated policy shipped to Fedora 26?
Comment 5 Thomas Mueller 2017-07-05 10:56:52 UTC 
Jan, the PR is here: https://github.com/fedora-selinux/selinux-policy/pull/197
Comment 6 Jan Pazdziora (Red Hat) 2017-07-10 07:04:12 UTC 
Awesome.

Lukáš, can we get the PR merged and new policy built?
Comment 7 Lukas Vrabec 2017-07-10 07:42:28 UTC 
Jan, 

Yes, sure. 

Build is in progress:
https://koji.fedoraproject.org/koji/taskinfo?taskID=20437433
Comment 8 Fedora Update System 2017-07-11 17:07:08 UTC 
selinux-policy-3.13.1-260.1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
Comment 9 Fedora Update System 2017-07-12 08:38:21 UTC 
selinux-policy-3.13.1-260.1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
Comment 12 Fedora Update System 2017-07-17 04:51:59 UTC 
selinux-policy-3.13.1-260.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.