Description of problem:

As root: fresh install of Fedora Core 20 (12-July-2014)
  updated installation:   yum -y update
  installed docker:       yum -y install docker-io
  started docker:         systemctl start docker.service

As normal user:
  Download sources for couchdb from https://registry.hub.docker.com/u/fedora/couchdb/
  using build bundle http://trustedbuilds-staging.s3.amazonaws.com/sources/bbxpjv5ah2xndl3poh4abqq.tar.gz
  create $HOME/couchdb directory
  extract downloaded bundle in couchdb directory
  Edit Dockerfile from $HOME/couchdb directory, result:

    FROM fedora:20
    MAINTAINER dockerxxxxx <xxxxxx>
    RUN yum -y update; yum clean all
    RUN yum -y install couchdb; yum clean all
    RUN sed -e 's/^bind_address = .*$/bind_address = 0.0.0.0/' -i /etc/couchdb/default.ini
    EXPOSE 5984
    CMD ["/bin/sh", "-e", "/usr/bin/couchdb", "-a", "/etc/couchdb/default.ini", "-a", "/etc/couchdb/local.ini", "-b", "-r", "5", "-p", "/var/run/couchdb/couchdb.pid", "-o", "/dev/null", "-e", "/dev/null", "-R"]

  get docker version
    # docker version
  build docker image using Dockerfile from $HOME/couchdb directory
    # docker build -rm -t dockerpinguin/couchdb .
  Start docker image
    docker run -d -p 5984:5984 dockerpinguin/couchdb

SELinux is preventing /usr/lib64/erlang/erts-5.10.4/bin/beam.smp from 'write' accesses on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that beam.smp should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep beam.smp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c391,c673
Target Context                system_u:object_r:proc_t:s0
Target Objects                 [ dir ]
Source                        beam.smp
Source Path                   /usr/lib64/erlang/erts-5.10.4/bin/beam.smp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.15.4-200.fc20.x86_64 #1 SMP Mon Jul 7 14:24:41 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-14 19:39:26 CEST
Last Seen                     2014-07-14 19:39:26 CEST
Local ID                      a3522a1a-f1c2-4b80-a7e2-375ec5d7f2ed

Raw Audit Messages
type=AVC msg=audit(1405359566.829:469): avc:  denied  { write } for  pid=3169 comm="beam.smp" name="/" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c391,c673 tcontext=system_u:object_r:proc_t:s0 tclass=dir

type=SYSCALL msg=audit(1405359566.829:469): arch=x86_64 syscall=access success=no exit=EACCES a0=7f65c9f01078 a1=2 a2=0 a3=1 items=0 ppid=3155 pid=3169 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=beam.smp exe=/usr/lib64/erlang/erts-5.10.4/bin/beam.smp subj=system_u:system_r:svirt_lxc_net_t:s0:c391,c673 key=(null)

Hash: beam.smp,svirt_lxc_net_t,proc_t,dir,write

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.4-200.fc20.x86_64
type:           libreport
Lukas is going to work on erlang SELinux issues soon.
Actually it also relates to docker.
This is just an access check, I guess we can add a dontaudit check for it.
540a3bb0eea31d85bbfc1c1c3bcb418fbc8e7b93 fixes this in git. Needs a backport to RHEL7 also.
(In reply to Daniel Walsh from comment #3) > This is just an access check, I guess we can add a dontaudit check for it. Ah yes, I overlooked it.
commit 8b235e3aa3a4ab372736489fee47bf4631d3aeda
Author: Dan Walsh <dwalsh>
Date:   Wed Jul 16 08:51:26 2014 -0400

    Dontaudit svirt_sandbox_domain doing access checks on /proc

https://github.com/selinux-policy/selinux-policy/commit/8b235e3aa3a4ab372736489fee47bf4631d3aeda
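The denial in the report and the allow-versus-dontaudit decision reached in the comments above, worked through in code. This is an added example, not code from the bug report, setroubleshoot, audit2allow or selinux-policy. It reads the two audit records copied from the report (serial 469) plus one constructed contrast record, joins AVC and SYSCALL lines by audit serial, and emits a minimal .te module. Assumptions: the module layout imitates what `audit2allow -M` writes but is an approximation of that tool's output, and the rule "a failed access(2)-family probe gets dontaudit, anything else gets allow" is the reasoning of this thread turned into a heuristic, not a general policy rule.

```python
"""Turn SELinux AVC denials into a minimal policy module, choosing between
`allow` and `dontaudit` the way the comments above do for an access(2) check.

Added example, not code from the bug report, setroubleshoot or selinux-policy.
The .te layout approximates audit2allow -M output; the probe -> dontaudit
heuristic mirrors this thread and is not a general rule.
"""
import re

# Audit records copied from the report above (audit serial 469).
REPORT_RECORDS = [
    'type=AVC msg=audit(1405359566.829:469): avc: denied { write } for pid=3169 '
    'comm="beam.smp" name="/" dev="proc" ino=1 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c391,c673 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1405359566.829:469): arch=x86_64 syscall=access '
    'success=no exit=EACCES a0=7f65c9f01078 a1=2 a2=0 a3=1 items=0 ppid=3155 '
    'pid=3169 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm=beam.smp '
    'exe=/usr/lib64/erlang/erts-5.10.4/bin/beam.smp '
    'subj=system_u:system_r:svirt_lxc_net_t:s0:c391,c673 key=(null)',
]

# Constructed contrast case (hypothetical, not from the report): the same domain
# really opening a log file for writing and being denied. The program needed the
# operation, so a dontaudit here would only hide a real breakage.
CONSTRUCTED_RECORDS = [
    'type=AVC msg=audit(1405359600.000:470): avc: denied { write } for pid=3200 '
    'comm="beam.smp" name="couch.log" dev="dm-1" ino=42 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c391,c673 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1405359600.000:470): arch=x86_64 syscall=openat '
    'success=no exit=EACCES a0=ffffff9c a1=7f65c9f01078 a2=241 a3=1b6 items=0 '
    'ppid=3155 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=beam.smp '
    'exe=/usr/lib64/erlang/erts-5.10.4/bin/beam.smp '
    'subj=system_u:system_r:svirt_lxc_net_t:s0:c391,c673 key=(null)',
]

SERIAL_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PROBE_SYSCALLS = {'access', 'faccessat', 'faccessat2'}


def selinux_type(context):
    """user:role:type[:range] -> type (the part policy rules are written in)."""
    return context.split(':')[2]


def parse_records(lines):
    """Group AVC and SYSCALL records by audit serial so a denial can be read
    together with the syscall that triggered it."""
    events = {}
    for line in lines:
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        ev = events.setdefault(serial.group(1), {'avc': [], 'syscall': None})
        if line.startswith('type=AVC '):
            m = AVC_RE.search(line)
            if not m:
                continue
            f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
            ev['avc'].append({
                'perms': m.group(1).split(),
                'source': selinux_type(f['scontext']),
                'target': selinux_type(f['tcontext']),
                'tclass': f['tclass'],
                'comm': f.get('comm', ''),
                'name': f.get('name', ''),
            })
        elif line.startswith('type=SYSCALL '):
            ev['syscall'] = dict(FIELD_RE.findall(line))
    return events


def classify(event):
    """'dontaudit' when the denied operation was only a permission probe via the
    access(2) family (the caller gets EACCES and carries on, as beam.smp does in
    the report); 'allow' when the program actually tried to do the operation.
    Heuristic mirroring the thread; the policy maintainer makes the final call."""
    sc = event['syscall']
    if sc and sc.get('syscall') in PROBE_SYSCALLS and sc.get('success') == 'no':
        return 'dontaudit'
    return 'allow'


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax expects."""
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def policy_module(name, events):
    """Render a .te module: require block plus one rule per denial."""
    types, classes, rules = set(), {}, []
    for serial in sorted(events):
        ev = events[serial]
        verb = classify(ev)
        for avc in ev['avc']:
            types.update((avc['source'], avc['target']))
            classes.setdefault(avc['tclass'], set()).update(avc['perms'])
            rules.append(f"{verb} {avc['source']} {avc['target']}:"
                         f"{avc['tclass']} {fmt_perms(avc['perms'])};")
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', ''] + rules
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(policy_module('mypol', parse_records(REPORT_RECORDS + CONSTRUCTED_RECORDS)))
```

For the report's records this yields `dontaudit svirt_lxc_net_t proc_t:dir write;`, which is the shape of the fix in the commit above, while the constructed openat denial gets an `allow`. The output is module source that checkmodule -M -m, semodule_package and semodule -i accept. The caveat a dontaudit carries: the access is still denied, only the log line disappears, so it is right only where the program tolerates the EACCES, and `semodule -DB` temporarily rebuilds policy with dontaudit rules disabled when you need to see those denials again.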
selinux-policy-3.12.1-182.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-182.fc20
Package selinux-policy-3.12.1-182.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-182.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9819/selinux-policy-3.12.1-182.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-182.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.