Description of problem:
The docker daemon, when started with "service docker start", creates (in permissive mode) the file /.docker/key.json, which causes AVC denials:

type=AVC msg=audit(1417516329.990:76): avc: denied { add_name } for pid=17382 comm="docker" name=".docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1417516329.990:77): avc: denied { create } for pid=17382 comm="docker" name=".docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1417516330.009:78): avc: denied { create } for pid=17382 comm="docker" name="key.json" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1417516330.009:79): avc: denied { write open } for pid=17382 comm="docker" path="/.docker/key.json" dev="dm-1" ino=1966082 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

The content of the file is:

# cat /.docker/key.json
{
  "crv": "P-256",
  "d": "P26swnaqdOlv1BTVxFX4sovmfazqGCTbwpDobXOn68I",
  "kid": "5MPO:WGMK:B2WZ:YAUE:7WC3:6YGV:VVHO:7A2H:IPHA:RRV7:CN5Q:ZW3W",
  "kty": "EC",
  "x": "_FkP8EvVH6dia4iVBYmmy5c43tHkzxWC4f1QD7TlE_A",
  "y": "X2BQ1cXpAucYcBN3FmY8T2gFXR10pLmqJRQFKGfY2zY"
}

Version-Release number of selected component (if applicable):
docker-io-1.3.2-3.git353ff40.fc21.x86_64
selinux-policy-3.13.1-92.fc21.noarch

How reproducible:
Seen once, assume deterministic.

Steps to Reproduce:
1. Install docker-io.
2. Start the service.
3. Check /var/log/audit/audit.log.

Actual results:
AVC denial and, in permissive mode, the root directory polluted with /.docker/key.json.

Expected results:
No AVC denial; docker keeps its files to itself.

Additional info:
Fixed in 1.3.2-4 https://admin.fedoraproject.org/updates/docker-io-1.3.2-4.fc21 . This should land in testing sometime today. Similar to bug 1169593, but that's for rawhide and not a duplicate.
(In reply to Lokesh Mandvekar from comment #1)
> Fixed in 1.3.2-4
> https://admin.fedoraproject.org/updates/docker-io-1.3.2-4.fc21 . This should
> land in testing sometime today.
>
> Similar to bug 1169593, but that's for rawhide and not a duplicate.

Confirming, docker-io-1.3.2-4.fc21.x86_64 makes the AVC denial go away. Thank you!
AVC denial alert still occurs in docker-io-1.4-0.

When docker is started for the very first time, it creates the folder '/etc/docker/' and the file '/etc/docker/key.json' (they were moved under '/etc'), but no care is taken for SELinux contexts, so the default type 'etc_t' is assigned. The SELinux policy expects 'docker_config_t' for this path.

The command

# restorecon -Rv /etc/docker

sets the right context type. Everything seems to work properly, but the AVC alert is a bit annoying.

Package versions:
selinux-policy-targeted-3.13.1-103.fc21
docker-io-1.4-0-1.fc21
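The two situations in this bug (comment #0: the daemon writing to an unlabelled location under /, and comment #4: the daemon writing to the right location but with the wrong type) show up differently in audit.log, and telling them apart decides whether "restorecon" is the fix or whether the daemon's path is the fix. The script below is an added example, not code from any participant in this bug or from the docker-io package. It parses AVC records from constructed sample lines (the four records quoted in the description, plus one hypothetical etc_t record modelled on comment #4 and one non-AVC line), groups the denied permissions per source/target/class, and then, for records that carry a full path, compares the observed target type against a table of expected types. The table EXPECTED_TYPES is an assumption built from comment #4's statement that the policy expects docker_config_t under /etc/docker; on a real host you would read expected types from matchpathcon rather than hard-code them.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records quoted in the bug description, in the
# one-record-per-line form used by /var/log/audit/audit.log, followed by one
# constructed non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1417516329.990:76): avc: denied { add_name } for pid=17382 comm="docker" name=".docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1417516329.990:77): avc: denied { create } for pid=17382 comm="docker" name=".docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1417516330.009:78): avc: denied { create } for pid=17382 comm="docker" name="key.json" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1417516330.009:79): avc: denied { write open } for pid=17382 comm="docker" path="/.docker/key.json" dev="dm-1" ino=1966082 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=USER_START msg=audit(1417516331.000:80): pid=1 uid=0 msg='unit=docker' res=success
"""

# Hypothetical record (constructed, not quoted from the bug) modelled on the
# comment #4 situation: the file sits under /etc/docker but carries etc_t.
SAMPLE_RELABEL_CASE = """\
type=AVC msg=audit(1417600000.000:90): avc: denied { write } for pid=20000 comm="docker" path="/etc/docker/key.json" dev="dm-1" ino=1966100 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Assumed expected labels (from comment #4's statement about the policy), keyed
# by path prefix. A real tool would query matchpathcon instead.
EXPECTED_TYPES = {"/etc/docker": "docker_config_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def selinux_type(context):
    """user:role:type:level -> type (the third colon-separated field)."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denied permissions by (comm, source type, target type, class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], selinux_type(rec["scontext"]),
               selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def relabel_advice(log_text, expected_types):
    """For each denial that names a full path, decide whether a relabel fixes it.

    Returns (path, observed_type, expected_type_or_None, advice) tuples.
    """
    advice = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "path" not in rec:
            continue  # only some records carry path=; name= alone is not enough
        path, observed = rec["path"], selinux_type(rec["tcontext"])
        for prefix, expected in expected_types.items():
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                if observed != expected:
                    advice.append((path, observed, expected, f"restorecon -Rv {prefix}"))
                break
        else:
            advice.append((path, observed, None,
                           "path is outside every labelled location; fix the daemon's path, not the label"))
    return advice


if __name__ == "__main__":
    log = SAMPLE_AUDIT_LOG + SAMPLE_RELABEL_CASE
    for key, perms in summarize(log).items():
        print(f"{key[0]}: {key[1]} -> {key[2]} ({key[3]}): {' '.join(perms)}")
    for entry in relabel_advice(log, EXPECTED_TYPES):
        print(entry)
```

The distinction the last function draws is the one that matters in this bug: the comment #0 denials target root_t at /.docker, a location no policy will ever label for docker_t, so the daemon had to move the file; the comment #4 case targets etc_t under a path the policy does know about, so a relabel (or a file context applied at creation time) suffices.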