Bug 1179488 - SELinux is preventing docker from using the 'setsched' accesses on a process.
Summary: SELinux is preventing docker from using the 'setsched' accesses on a process.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d303cdc734eeea3293782d302eb...
Depends On:
Blocks:
 
Reported: 2015-01-06 21:52 UTC by M. Edward (Ed) Borasky
Modified: 2015-01-30 23:55 UTC (History)

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-30 23:55:19 UTC
Type: ---
Embargoed:



Description M. Edward (Ed) Borasky 2015-01-06 21:52:22 UTC
Description of problem:
SELinux is preventing docker from using the 'setsched' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that docker should be allowed setsched access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                Unknown [ process ]
Source                        docker
Source Path                   docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.17.7-300.fc21.x86_64 #1 SMP Wed
                              Dec 17 03:08:44 UTC 2014 x86_64 x86_64
Alert Count                   26
First Seen                    2015-01-05 19:37:59 PST
Last Seen                     2015-01-06 13:51:49 PST
Local ID                      106428f7-3f07-4135-8a77-e745d3a9aa88

Raw Audit Messages
type=AVC msg=audit(1420581109.584:608): avc:  denied  { setsched } for  pid=1297 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process permissive=1


Hash: docker,docker_t,unconfined_t,process,setsched

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.7-300.fc21.x86_64
type:           libreport

Comment 1 Daniel Walsh 2015-01-06 22:02:32 UTC
1cb9223c43e08147321deaa3cdcfd6741777f1a6 fixes this in git.

Comment 2 Daniel Walsh 2015-01-06 22:03:20 UTC
Are you running with a BTRFS back end?  Or just disabling SELinux for docker?

Comment 3 M. Edward (Ed) Borasky 2015-01-07 01:42:41 UTC
(In reply to Daniel Walsh from comment #2)
> Are you running with a BTRFS back end?  Or just disabling SELinux for docker?

Neither - all my filesystems are ext4 and I'm only doing setbools as the troubleshooter recommends them.

Comment 4 Daniel Walsh 2015-01-07 16:39:50 UTC
What I can't understand then is why is your container running as unconfined_t and not svirt_lxc_net_t?

We have a fix coming for the setsched problem, but by default your containers should be running with a locked down context.
What does

ps -auxZ | grep docker

show?

Comment 5 M. Edward (Ed) Borasky 2015-01-07 18:33:14 UTC
(In reply to Daniel Walsh from comment #4)
> What I can't understand then is why is your container running as
> unconfined_t and not svirt_lxc_net_t?
> 
> We have a fix coming for the setsched problem, but by default your
> containers should be running with a locked down context.
> What does
> 
> ps -auxZ | grep docker
> 
> show?

$ ps -auxZ | grep docker
system_u:system_r:docker_t:s0   root     21985  0.0  0.0 359016 16140 ?        Ssl  Jan06   0:01 /usr/bin/docker -d -H fd:// --selinux-enabled

Is there a config or labelling step I missed? I just did "yum install docker-io", started and enabled the daemon and added myself to the 'docker' group.

Comment 6 Daniel Walsh 2015-01-07 18:35:40 UTC
What does

docker run --ti --rm fedora ps -eZ

Show?

Comment 7 M. Edward (Ed) Borasky 2015-01-07 18:41:37 UTC
(In reply to Daniel Walsh from comment #6)
> What does
> 
> docker run --ti --rm fedora ps -eZ
> 
> Show?

$ ps -eZ | grep docker
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16627 pts/1 00:00:00 docker
system_u:system_r:docker_t:s0   21985 ?        00:00:02 docker

Comment 8 Daniel Walsh 2015-01-07 18:43:31 UTC
That is not what I asked.

> What does
> 
> docker run --ti --rm fedora ps -eZ
> 
> Show?

Comment 9 M. Edward (Ed) Borasky 2015-01-07 18:57:02 UTC
(In reply to Daniel Walsh from comment #8)
> That is not what I asked.
> 
> > What does
> > 
> > docker run --ti --rm fedora ps -eZ
> > 
> > Show?

$ docker run -ti --rm fedora ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c671,c755 1 ? 00:00:00 ps

Comment 10 Daniel Walsh 2015-01-07 20:38:01 UTC
Ok that looks good.  Not sure why it ran as unconfined_t for one of your runs.
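As an added example (not code from this report, from setroubleshoot or from audit2allow): a small Python parser for AVC records like the one in the description. It extracts the source and target types, flags docker_t process denials whose target is not the svirt_lxc_net_t container domain that Dan Walsh expects, and renders the allow rule audit2allow would produce so it can be reviewed before `semodule -i`. The first sample line is the report's own AVC record; the second is constructed.

```python
import re

# Constructed sample log: the AVC record from this report plus a made-up second
# record whose target is the expected container type (svirt_lxc_net_t).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1420581109.584:608): avc:  denied  { setsched } for  pid=1297 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(1420581200.001:612): avc:  denied  { setsched } for  pid=1301 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c671,c755 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)

def parse_avc(line):
    """Turn one AVC record into a dict; returns None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "result": m.group("result"),
           "perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules key on the type.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":", 3)[2]
    rec["permissive"] = rec.get("permissive") == "1"  # "1": logged, not enforced
    return rec

def parse_audit_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]

def unexpected_targets(records, source_type="docker_t", container_type="svirt_lxc_net_t"):
    """Denials where the daemon acted on a process outside the container domain."""
    return [r for r in records
            if r["scontext_type"] == source_type and r["tclass"] == "process"
            and r["tcontext_type"] != container_type]

def to_allow_rule(rec):
    """The rule audit2allow would emit for this record (review it before loading)."""
    p = rec["perms"]
    perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f'allow {rec["scontext_type"]} {rec["tcontext_type"]}:{rec["tclass"]} {perms};'

if __name__ == "__main__":
    for r in unexpected_targets(parse_audit_log(SAMPLE_AUDIT)):
        print(f'serial {r["serial"]}: pid {r["pid"]} {r["comm"]} -> {r["tcontext_type"]} '
              f'(permissive={r["permissive"]}) rule: {to_allow_rule(r)}')
```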

Comment 11 Lukas Vrabec 2015-01-23 21:37:31 UTC
commit 839860456add3770d21bd66ec96b4d5d2f461490
Author: Dan Walsh <dwalsh>
Date:   Tue Dec 16 07:54:08 2014 -0500

    Allow docker to setsched on unconfined_t user

Comment 12 Fedora Update System 2015-01-27 16:49:59 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 13 Fedora Update System 2015-01-30 04:32:50 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2015-01-30 23:55:19 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

