Created attachment 930610 [details] C program to demonstrate the issue Description of problem: With docker installed in Fedora 20, and selinux in enforcing/targetted mode, an attempt to bind a raw socket within a docker container fails with EPERM, with a selinux AVC logged. Note that creating a raw socket is not prevented, only the bind. As a bind of a raw socket actually restricts the data received on the socket, it is hard to see why preventing this might be beneficial. Version-Release number of selected component (if applicable): 3.12.1-180.fc20 How reproducible: Always Steps to Reproduce: 1. Start a docker container (e.g. with 'docker run -t -i fedora /bin/bash') 2. Copy the attached program raw.c into the container and compile it with 'gcc raw.c', or compile it outside and copy the resulting binary in. 3. Run the binary inside the container (as root) with no arguments. Actual results: bash-4.2# /tmp/a.out bind: Permission denied To confirm the program's behaviour, here is the relevant output from 'strace /tmp/a.out': [...] socket(PF_INET, SOCK_RAW, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EACCES (Permission denied) [...] On the host, in /var/log/audit/audit.log, the following AVC message appears: type=AVC msg=audit(1408987654.899:52228): avc: denied { node_bind } for pid=31187 comm="a.out" saddr=127.0.0.1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c509,c751 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket Expected results: The program should run without error, printing messages of the form 'Got packet of size N' when the raw socket yields packets. Additional info: The attached program is a simple example to demonstrate the problem; the issue was encountered while trying to run a real application under docker. The program operates as expected outside of a docker container, or inside a docker container with selinux set to permissive mode. Examination of serefpolicy-contrib-3.12.1/virt.te, lines 1081 onwards, seems to confirm that svirt_lxc_net_t processes can create, read and write raw sockets, but not bind them.
Well from a security point of view, preventing people from looking at raw packets on the network is a good thing, but since this is supposed to be a fully network aware container, I have allowed it in git. 9227fd76a93588ead44d47d2373e2d3325c389fc
commit 3e6050a6e58b22ac397eff56bab1c59e832c5045 Author: Dan Walsh <dwalsh> Date: Tue Aug 26 06:32:23 2014 -0400 Allow sandbox net domains to bind to rawip socket https://github.com/selinux-policy/selinux-policy/commit/3e6050a6e58b22ac397eff56bab1c59e832c5045
selinux-policy-3.12.1-182.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-182.fc20
Package selinux-policy-3.12.1-182.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-182.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-9819/selinux-policy-3.12.1-182.fc20 then log in and leave karma (feedback).
Works for me. Thanks for the impressively quick fix!
selinux-policy-3.12.1-182.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.