This is more of just an FYI thing, in case it's useful; if it's not, feel free to kill it. On the stock Fedora 20 AWS AMI (i.e. *not* my usually extra-restricted setup, for those of you that recognize me), with the instances using an NFS mount, I required the following to get it working at all:

    sudo setsebool -P docker_transition_unconfined 1
    sudo setsebool -P virt_use_nfs 1
    sudo semanage permissive -a svirt_lxc_net_t
    sudo semanage permissive -a docker_t

And here's the resulting AVCs:

From the tomcat server:

    type=AVC msg=audit(1403041761.935:960): avc: denied { read } for pid=19343 comm="rsyslogd" name="kmsg" dev="proc" ino=4026532013 scontext=system_u:system_r:svirt_lxc_net_t:s0:c281,c984 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403041761.935:960): avc: denied { open } for pid=19343 comm="rsyslogd" path="/proc/kmsg" dev="proc" ino=4026532013 scontext=system_u:system_r:svirt_lxc_net_t:s0:c281,c984 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403041770.188:961): avc: denied { read } for pid=19587 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=69719 scontext=system_u:system_r:svirt_lxc_net_t:s0:c281,c984 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file
    type=AVC msg=audit(1403042723.789:969): avc: denied { search } for pid=19956 comm="sudo" scontext=system_u:system_r:svirt_lxc_net_t:s0:c281,c984 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
    type=AVC msg=audit(1403042748.942:970): avc: denied { read } for pid=20009 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=69341 scontext=system_u:system_r:svirt_lxc_net_t:s0:c281,c984 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file
    type=AVC msg=audit(1403043543.872:1048): avc: denied { read } for pid=11361 comm="rsyslogd" name="kmsg" dev="proc" ino=4026532013 scontext=system_u:system_r:svirt_lxc_net_t:s0:c13,c610 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403043543.872:1048): avc: denied { open } for pid=11361 comm="rsyslogd" path="/proc/kmsg" dev="proc" ino=4026532013 scontext=system_u:system_r:svirt_lxc_net_t:s0:c13,c610 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403043552.176:1049): avc: denied { read } for pid=11504 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=143675 scontext=system_u:system_r:svirt_lxc_net_t:s0:c13,c610 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file
    type=AVC msg=audit(1403043572.040:1050): avc: denied { search } for pid=11905 comm="sudo" scontext=system_u:system_r:svirt_lxc_net_t:s0:c13,c610 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
    type=AVC msg=audit(1403043603.286:1051): avc: denied { link } for pid=11957 comm="sudo" scontext=system_u:system_r:svirt_lxc_net_t:s0:c13,c610 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
    type=AVC msg=audit(1403043661.508:1052): avc: denied { search } for pid=12282 comm="sudo" scontext=system_u:system_r:svirt_lxc_net_t:s0:c13,c610 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key

From the mysql server:

    type=AVC msg=audit(1403041483.683:802): avc: denied { read } for pid=30441 comm="rsyslogd" name="kmsg" dev="proc" ino=4026531977 scontext=system_u:system_r:svirt_lxc_net_t:s0:c38,c1016 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403041483.683:802): avc: denied { open } for pid=30441 comm="rsyslogd" path="/proc/kmsg" dev="proc" ino=4026531977 scontext=system_u:system_r:svirt_lxc_net_t:s0:c38,c1016 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403041484.127:803): avc: denied { read } for pid=30527 comm="rsyslogd" name="kmsg" dev="proc" ino=4026531977 scontext=system_u:system_r:svirt_lxc_net_t:s0:c27,c151 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403041484.127:803): avc: denied { open } for pid=30527 comm="rsyslogd" path="/proc/kmsg" dev="proc" ino=4026531977 scontext=system_u:system_r:svirt_lxc_net_t:s0:c27,c151 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403041506.276:804): avc: denied { unlink } for pid=32404 comm="mysqld" name="mysql.sock" dev="0:33" ino=272711743 scontext=system_u:system_r:svirt_lxc_net_t:s0:c38,c1016 tcontext=system_u:object_r:nfs_t:s0 tclass=sock_file
    type=AVC msg=audit(1403041506.277:805): avc: denied { create } for pid=32404 comm="mysqld" name="mysql.sock" scontext=system_u:system_r:svirt_lxc_net_t:s0:c38,c1016 tcontext=system_u:object_r:nfs_t:s0 tclass=sock_file
    type=AVC msg=audit(1403042495.207:813): avc: denied { search } for pid=32744 comm="sudo" scontext=system_u:system_r:svirt_lxc_net_t:s0:c38,c1016 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
    type=AVC msg=audit(1403043560.173:881): avc: denied { read } for pid=725 comm="rsyslogd" name="kmsg" dev="proc" ino=4026531977 scontext=system_u:system_r:svirt_lxc_net_t:s0:c361,c372 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403043560.173:881): avc: denied { open } for pid=725 comm="rsyslogd" path="/proc/kmsg" dev="proc" ino=4026531977 scontext=system_u:system_r:svirt_lxc_net_t:s0:c361,c372 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403043561.165:882): avc: denied { read } for pid=637 comm="rsyslogd" name="kmsg" dev="proc" ino=4026531977 scontext=system_u:system_r:svirt_lxc_net_t:s0:c360,c482 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403043561.165:882): avc: denied { open } for pid=637 comm="rsyslogd" path="/proc/kmsg" dev="proc" ino=4026531977 scontext=system_u:system_r:svirt_lxc_net_t:s0:c360,c482 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
    type=AVC msg=audit(1403043584.111:883): avc: denied { unlink } for pid=2581 comm="mysqld" name="mysql.sock" dev="0:33" ino=274399241 scontext=system_u:system_r:svirt_lxc_net_t:s0:c360,c482 tcontext=system_u:object_r:nfs_t:s0 tclass=sock_file
    type=AVC msg=audit(1403043584.112:884): avc: denied { create } for pid=2581 comm="mysqld" name="mysql.sock" scontext=system_u:system_r:svirt_lxc_net_t:s0:c360,c482 tcontext=system_u:object_r:nfs_t:s0 tclass=sock_file

Hope it helps.
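Before reaching for `semanage permissive`, the useful first step with a log like the one above is to boil the denials down to the distinct (source type, target type, class) triples and the permissions each needs, which is the granularity at which the policy fix is written and reviewed. The following is an added example, not code from the report or from the selinux-policy package; it parses records in the shape quoted above (the sample lines are constructed copies), decodes the kernel's hex-encoded `path` field, and drops the per-container MCS categories, which never belong in a rule:

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the AVCs quoted in the report above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1403041761.935:960): avc: denied { read } for pid=19343 comm="rsyslogd" name="kmsg" dev="proc" ino=4026532013 scontext=system_u:system_r:svirt_lxc_net_t:s0:c281,c984 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
type=AVC msg=audit(1403041761.935:960): avc: denied { open } for pid=19343 comm="rsyslogd" path="/proc/kmsg" dev="proc" ino=4026532013 scontext=system_u:system_r:svirt_lxc_net_t:s0:c281,c984 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
type=AVC msg=audit(1403041770.188:961): avc: denied { read } for pid=19587 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=69719 scontext=system_u:system_r:svirt_lxc_net_t:s0:c281,c984 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file
type=AVC msg=audit(1403041506.277:805): avc: denied { create } for pid=32404 comm="mysqld" name="mysql.sock" scontext=system_u:system_r:svirt_lxc_net_t:s0:c38,c1016 tcontext=system_u:object_r:nfs_t:s0 tclass=sock_file
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_audit_field(value):
    """Undo the kernel's hex encoding of an unquoted field (one that held a
    space); the hugetlbfs path above decodes to '/anon_hugepage (deleted)'."""
    try:
        return bytes.fromhex(value).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]                # quoted: printable, verbatim
        elif key in ("path", "name"):
            rec[key] = decode_audit_field(raw)  # unquoted path/name: hex
        else:
            rec[key] = raw
    # Third colon-separated field of a context is the SELinux type; the MCS
    # categories (c281,c984) differ per container and do not belong in a rule.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Distinct (source, target, class) triples with the union of denied perms."""
    triples = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        triples[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in triples.items()}

def as_allow_rules(text):
    """Render each triple in allow-rule syntax so it can be reviewed one by one."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summarize(text).items())]
```

Each rendered line is a candidate to accept, reject, or gate behind a boolean (the `nfs_t` one is what `virt_use_nfs` governs), which is a far narrower change than making `svirt_lxc_net_t` permissive.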
ee6c9df49652e54608765b18491c600935427a2e adds these rules to git.
selinux-policy-3.12.1-173.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-173.fc20
Package selinux-policy-3.12.1-173.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-173.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7794/selinux-policy-3.12.1-173.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-173.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.