Description of problem:
SELinux is preventing yum from 'name_connect' accesses on the tcp_socket port 54748.

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow docker to connect any
Then you must tell SELinux about this by enabling the 'docker_connect_any' boolean.
You can read 'None' man page for more details.
Do
setsebool -P docker_connect_any 1

***** Plugin catchall (6.38 confidence) suggests **************************

If you believe that yum should be allowed name_connect access on the port 54748 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                port 54748 [ tcp_socket ]
Source                        yum
Source Path                   yum
Port                          54748
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.1.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.18.5-201.fc21.x86_64 #1 SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-11 13:28:55 PST
Last Seen                     2015-02-11 13:28:55 PST
Local ID                      643e1c10-bd4d-40e8-8d30-f0a5ad9d022a

Raw Audit Messages
type=AVC msg=audit(1423690135.215:588): avc: denied { name_connect } for pid=6583 comm="yum" dest=54748 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=1

Hash: yum,docker_t,ephemeral_port_t,tcp_socket,name_connect

Version-Release number of selected component:
selinux-policy-3.13.1-105.1.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.5-201.fc21.x86_64
type:           libreport
Follow this step to fix your issue.

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow docker to connect any
Then you must tell SELinux about this by enabling the 'docker_connect_any' boolean.
You can read 'None' man page for more details.
Do
setsebool -P docker_connect_any 1
This is actually a bug in docker, which should be fixed in docker-1.5.
Dan OK, Ed, after release of docker-1.5, you could turn off this boolean again.
Lokesh, is docker-1.5 out in Fedora?
The upstream 1.5.0 has been out on Fedora for quite some time now.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Closing this as it's been fixed in 1.5.0, which is already on Fedora. Please re-open this if you notice this issue.