Bug 1169769 - Docker attempts to create /.docker/key.json, AVC denial logged
Summary: Docker attempts to create /.docker/key.json, AVC denial logged
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-12-02 12:19 UTC by Jan Pazdziora
Modified: 2014-12-24 16:43 UTC (History)

Fixed In Version: docker-io-1.3.2-4.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-02 14:11:52 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora 2014-12-02 12:19:40 UTC
Description of problem:

The docker daemon, when started with

  service docker start

creates (in permissive mode) the file /.docker/key.json, which causes AVC denials:

type=AVC msg=audit(1417516329.990:76): avc:  denied  { add_name } for  pid=17382 comm="docker" name=".docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1417516329.990:77): avc:  denied  { create } for  pid=17382 comm="docker" name=".docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1417516330.009:78): avc:  denied  { create } for  pid=17382 comm="docker" name="key.json" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1417516330.009:79): avc:  denied  { write open } for  pid=17382 comm="docker" path="/.docker/key.json" dev="dm-1" ino=1966082 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

The content of the file is

# cat /.docker/key.json
{
    "crv": "P-256",
    "d": "P26swnaqdOlv1BTVxFX4sovmfazqGCTbwpDobXOn68I",
    "kid": "5MPO:WGMK:B2WZ:YAUE:7WC3:6YGV:VVHO:7A2H:IPHA:RRV7:CN5Q:ZW3W",
    "kty": "EC",
    "x": "_FkP8EvVH6dia4iVBYmmy5c43tHkzxWC4f1QD7TlE_A",
    "y": "X2BQ1cXpAucYcBN3FmY8T2gFXR10pLmqJRQFKGfY2zY"
}

Version-Release number of selected component (if applicable):

docker-io-1.3.2-3.git353ff40.fc21.x86_64
selinux-policy-3.13.1-92.fc21.noarch

How reproducible:

Seen once, assume deterministic.

Steps to Reproduce:
1. Install docker-io.
2. Start the service.
3. Check /var/log/audit/audit.log.

Actual results:

AVC denial, and in permissive mode the root directory is polluted with /.docker/key.json.

Expected results:

No AVC denial, docker keeps its files to itself.

Additional info:

Comment 1 Lokesh Mandvekar 2014-12-02 14:11:52 UTC
Fixed in 1.3.2-4 https://admin.fedoraproject.org/updates/docker-io-1.3.2-4.fc21 . This should land in testing sometime today.

Similar to bug 1169593, but that's for rawhide and not a duplicate.

Comment 2 Jan Pazdziora 2014-12-03 13:01:47 UTC
(In reply to Lokesh Mandvekar from comment #1)
> Fixed in 1.3.2-4
> https://admin.fedoraproject.org/updates/docker-io-1.3.2-4.fc21 . This should
> land in testing sometime today.
> 
> Similar to bug 1169593, but that's for rawhide and not a duplicate.

Confirming, docker-io-1.3.2-4.fc21.x86_64 makes the AVC denial go away.

Thank you!

Comment 3 J. Sastre 2014-12-24 16:43:06 UTC
AVC denial alert still occurs in docker-io-1.4-0.

When docker is started for the very first time, it creates the folder '/etc/docker/' and the file '/etc/docker/key.json' (they were moved under '/etc'), but no care is taken for SELinux contexts, so the default type 'etc_t' is assigned. The SELinux policy expects 'docker_config_t' for this path. The command

# restorecon -Rv /etc/docker

sets the right context type. Everything seems to work properly, but the AVC alert is a bit annoying.


Package versions:

selinux-policy-targeted-3.13.1-103.fc21
docker-io-1.4-0-1.fc21
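To check a host for the pattern reported in this bug (docker_t acting on objects labeled root_t or etc_t instead of a docker-owned type), the script below pulls the relevant fields out of AVC records and filters for that source/target combination. This is an added example, not code from the bug report or from the docker-io package; the audit lines embedded in it are constructed to match the shape of the records above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise AVC records and flag docker_t -> root_t/etc_t denials.
# Constructed sample in the shape of /var/log/audit/audit.log records from the report.
AVC_SAMPLE='type=AVC msg=audit(1417516329.990:77): avc:  denied  { create } for  pid=17382 comm="docker" name=".docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1417516330.009:79): avc:  denied  { write open } for  pid=17382 comm="docker" path="/.docker/key.json" dev="dm-1" ino=1966082 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1419440000.100:12): avc:  denied  { read } for  pid=2211 comm="docker" name="key.json" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1419440001.000:13): avc:  denied  { read } for  pid=999 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: read AVC records on stdin, print one line per record as
#   perms|source_type|target_type|tclass|permissive
# Only the type (third) field of each context is kept. permissive=1 means the
# access was logged but allowed, so the file really was created; 0 means blocked.
avc_summary() {
  sed -n 's/^type=AVC .*denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*permissive=\([01]\).*/\1|\2|\3|\4|\5/p'
}

# docker_mislabel: keep only records where the docker daemon domain touched an
# object carrying the generic root_t or etc_t label, i.e. a path that should
# have been relabeled (comment 3 above uses restorecon -Rv /etc/docker for that).
docker_mislabel() {
  avc_summary | awk -F'|' '$2 == "docker_t" && ($3 == "root_t" || $3 == "etc_t")'
}

# Stand-alone demo on the constructed sample. On a real host:
#   docker_mislabel < /var/log/audit/audit.log
printf '%s\n' "$AVC_SAMPLE" | docker_mislabel
```

Each flagged line names the object class and the label it had, which tells you whether a relabel of the path (as in comment 3) or a policy change is the appropriate fix.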

