Bug 1182596 - AVC denials when running docker build
Summary: AVC denials when running docker build
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-01-15 14:27 UTC by Petra Kamenickova
Modified: 2015-08-18 23:03 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-03-09 18:50:54 UTC
Type: Bug
Embargoed:



Description Petra Kamenickova 2015-01-15 14:27:04 UTC
Description of problem:
Sometimes when running docker build, these AVC denials appear:
type=AVC msg=audit(1421329727.232:1403): avc:  denied  { name_connect } for  pid=14266 comm="yum" dest=21 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1421329730.463:1404): avc:  denied  { name_connect } for  pid=14266 comm="yum" dest=55226 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1421329735.658:1405): avc:  denied  { name_connect } for  pid=14327 comm="urlgrabber-ext-" dest=63179 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1


Note: Because we are not sure what the correct behaviour of this is, I have opened it as a docker-io issue, not selinux.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-103.fc21.noarch
docker-io-1.4.1-4.fc21.x86_64


How reproducible:
Force yum to use some ftp repository, use RUN yum install command in Dockerfile
Example: RUN yum install --enablerepo=fedoraftp -y zsh
Run docker build

Steps to Reproduce:
1. yum install --enablerepo=updates-testing -y docker-io
2. service docker start
3. fedoraftp.repo:
     [fedoraftp]
     name=fedoraftp
     baseurl=ftp://ftp.linux.cz/pub/linux/fedora/linux/releases/20/Everything/x86_64/os/
     gpgcheck=0
     enabled=1
4. Dockerfile:
     FROM fedora:20
     ADD fedoraftp.repo /etc/yum.repos.d/fedoraftp.repo
     RUN yum install --disablerepo='*' --enablerepo=fedoraftp -y zsh
5. docker build -t example .

Actual results:


Expected results:
No AVC denial

Additional info:
Output of sesearch on Fedora21:
sesearch --allow -s docker_t -t ftp_port_t
Found 6 semantic av rules:
   allow docker_t port_type : tcp_socket name_bind ; 
   allow docker_t port_type : udp_socket { recv_msg send_msg name_bind } ; 
   allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; 
   allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ; 
   allow docker_t port_type : tcp_socket { recv_msg send_msg name_connect } ; 
   allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; 

I've tried to reproduce this issue on Fedora 20 (selinux-policy-3.12.1-196.fc20.noarch) and RHEL 7 (selinux-policy-3.12.1-153.el7.noarch) - it seems these versions of selinux already have the rules for this kind of thing (maybe ??).

Fedora20 sesearch:
sesearch --allow -s docker_t -t ftp_port_t
Found 10 semantic av rules:
   allow corenet_unconfined_type port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; 
   allow corenet_unconfined_type port_type : udp_socket { recv_msg send_msg name_bind } ; 
   allow corenet_unconfined_type port_type : rawip_socket name_bind ; 
   allow corenet_unconfined_type port_type : dccp_socket { recv_msg send_msg name_bind name_connect } ; 
   allow docker_t port_type : tcp_socket name_bind ; 
   allow docker_t port_type : udp_socket { recv_msg send_msg name_bind } ; 
   allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; 
   allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ; 
   allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; 
   allow docker_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
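The report above consists of raw AVC records plus sesearch output, and the useful triage step is to reduce the records to (source type, permission, target type, class) tuples so they can be compared against the policy rules. The following parser is an added example written for this page; it is not code from the reporter or from the docker-io/selinux-policy projects. The sample audit lines are constructed here by copying the four denials quoted in this bug (the three from the description and the setsched one from a later comment); the field names it reads (scontext, tcontext, tclass, permissive, dest, comm) are the standard audit AVC fields.

```python
import re
from collections import Counter

# Constructed sample input: the AVC denials quoted in this bug report.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1421329727.232:1403): avc:  denied  { name_connect } for  pid=14266 comm="yum" dest=21 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1421329730.463:1404): avc:  denied  { name_connect } for  pid=14266 comm="yum" dest=55226 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1421329735.658:1405): avc:  denied  { name_connect } for  pid=14327 comm="urlgrabber-ext-" dest=63179 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1421680260.588:280): avc:  denied  { setsched } for  pid=32550 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process permissive=1',
]

# Header of an AVC record: timestamp, serial, result, and the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="yum") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'dest': int(fields['dest']) if 'dest' in fields else None,
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but still allowed; in
        # enforcing mode the same access would have failed.
        'permissive': fields.get('permissive') == '1',
    }


def type_of(context):
    """Extract the type component (third field) from user:role:type:level."""
    return context.split(':')[2]


def summarize_denials(lines):
    """Count denials by (source type, permission, target type, object class)."""
    counter = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (type_of(rec['scontext']), perm, type_of(rec['tcontext']), rec['tclass'])
            counter[key] += 1
    return counter


def only_allowed_by_permissive(lines):
    """Return the denials that would have been blocked in enforcing mode."""
    recs = [parse_avc(l) for l in lines]
    return [r for r in recs if r and r['result'] == 'denied' and r['permissive']]


def suggest_allow_rules(lines):
    """Render each distinct denial as an audit2allow-style TE rule (a starting
    point for reviewing what access is actually being requested, not a fix)."""
    rules = set()
    for (src, perm, tgt, cls) in summarize_denials(lines):
        rules.add(f'allow {src} {tgt}:{cls} {perm};')
    return sorted(rules)


if __name__ == '__main__':
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT_LINES).items()):
        print(n, key)
    for rule in suggest_allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
```

Run against the lines in this report, the summary shows every denial has docker_t as its source type even though the acting processes are yum and urlgrabber inside the build container; the sesearch output above lists docker_t rules only against port_type and reserved_port_type, so the generated rule text tells you exactly which target type (ftp_port_t, ephemeral_port_t, unreserved_port_t) and permission each record is asking for before deciding whether the policy or the confinement of the build is what needs changing.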

Comment 1 Lokesh Mandvekar 2015-01-15 21:27:05 UTC
Hi Petra, could you please retry this with docker-io-1.4.1-5? It should be in updates-testing now

$ rpm -q docker-io selinux-policy
docker-io-1.4.1-5.fc21.x86_64
selinux-policy-3.13.1-103.fc21.noarch

I tried reproducing this with the steps you mentioned, worked totally fine for me on an f21 instance (for both "FROM fedora" and "FROM fedora:20").

I suspect in your case docker 1.4.1-4 was using /.docker instead of /etc/docker which might be the case here too. 1.4.1-5 should take care of that.

Also see: Bug 1180059

Comment 2 Petra Kamenickova 2015-01-19 12:25:31 UTC
Hi,
I used the 1.4.1-5 version and the same AVC denials appeared.

Comment 3 Daniel Walsh 2015-01-19 14:59:31 UTC
setsebool -P docker_transition_unconfined 1

Will fix this for now.

We need to fix docker build to use a confined build.

Comment 4 Petra Kamenickova 2015-01-19 15:36:00 UTC
Thanks, it works fine for my yum/ftp problem.
However when I set docker_transition_unconfined to 1, a new AVC denial appeared:

type=AVC msg=audit(1421680260.588:280): avc:  denied  { setsched } for  pid=32550 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process permissive=1


Is it possible that this AVC denial is somehow related to the setsebool use? And do you have any advice on how I can get rid of it?

Comment 5 Daniel Walsh 2015-01-19 18:27:45 UTC
No that is a known issue and will be fixed in the next selinux-policy package.

I just found why docker build is not running with SELinux confinement and pushed a fix for it to docker.

