Description of problem:
The current version of ABRT adds support for collecting information about a container in which a process crashed. One of the supported container technologies is Docker, and abrtd runs 'docker inspect $container_id' upon detection of a new crash in a Docker container.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-111.fc23.noarch

Additional info:
I got these AVCs in Permissive mode:

----
time->Thu Feb 19 14:19:47 2015
type=PROCTITLE msg=audit(1424351987.389:1065): proctitle=6E6174697665002D636F6E736F6C65002F6465762F7074732F36002D706970650033002D726F6F74002F7661722F6C69622F646F636B65722F657865636472697665722F6E61746976652F6261393030343765323839623962303630333135363463306132393561636338393532393839303637343338333239643434663733
type=SYSCALL msg=audit(1424351987.389:1065): arch=c000003e syscall=59 success=yes exit=0 a0=c20839b0b0 a1=c2084533b0 a2=c2083f83e0 a3=0 items=0 ppid=8084 pid=19633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerinit-1.5." exe="/var/lib/docker/init/dockerinit-1.5.0-dev" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1424351987.389:1065): avc: denied { entrypoint } for pid=19633 comm="docker" path="/var/lib/docker/init/dockerinit-1.5.0-dev" dev="dm-0" ino=168539 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Feb 19 14:19:47 2015
type=PROCTITLE msg=audit(1424351987.507:1069): proctitle=6E6174697665002D636F6E736F6C65002F6465762F7074732F36002D706970650033002D726F6F74002F7661722F6C69622F646F636B65722F657865636472697665722F6E61746976652F6261393030343765323839623962303630333135363463306132393561636338393532393839303637343338333239643434663733
type=SYSCALL msg=audit(1424351987.507:1069): arch=c000003e syscall=59 success=yes exit=0 a0=c208093780 a1=c208093790 a2=c2080bda40 a3=0 items=0 ppid=8084 pid=19633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:svirt_lxc_net_t:s0:c435,c767 key=(null)
type=AVC msg=audit(1424351987.507:1069): avc: denied { transition } for pid=19633 comm="dockerinit-1.5." path="/usr/bin/bash" dev="dm-3" ino=393592 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c435,c767 tclass=process permissive=1
----
time->Thu Feb 19 14:19:57 2015
type=PROCTITLE msg=audit(1424351997.873:1072): proctitle=646F636B657200696E737065637400626139303034376532383962
type=SYSCALL msg=audit(1424351997.873:1072): arch=c000003e syscall=2 success=yes exit=3 a0=c20801e060 a1=80000 a2=0 a3=0 items=0 ppid=19687 pid=19688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1424351997.873:1072): avc: denied { open } for pid=19688 comm="docker" path="/proc/sys/net/core/somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc: denied { read } for pid=19688 comm="docker" name="somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc: denied { search } for pid=19688 comm="docker" name="net" dev="proc" ino=9305 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
time->Thu Feb 19 14:19:57 2015
type=PROCTITLE msg=audit(1424351997.902:1074): proctitle=646F636B657200696E737065637400626139303034376532383962
type=SYSCALL msg=audit(1424351997.902:1074): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=c208054190 a2=17 a3=0 items=0 ppid=19687 pid=19688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1424351997.902:1074): avc: denied { connectto } for pid=19688 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1424351997.902:1074): avc: denied { write } for pid=19688 comm="docker" name="docker.sock" dev="tmpfs" ino=51775 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=1
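The records above are the raw material for the policy fix. As an added example (not code from the report, abrt, selinux-policy or docker-selinux), the following Python script parses the AVC and PROCTITLE records, decodes the hex-encoded proctitle to recover the command abrtd actually ran, and groups the denials into the allow rules they imply, the same reduction audit2allow performs. The SAMPLE string is copied from the records in the report; the function names and the source-domain filter are this example's own assumptions.

```python
"""Reduce SELinux AVC denial records to the allow rules they imply.

Added example for this bug report, not project code. SAMPLE is copied from
the AVC/PROCTITLE records posted in the report; everything else is this
example's own.
"""
import re
from collections import defaultdict

# Records copied from the report (serials 1065, 1069, 1072, 1074), one per line.
SAMPLE = r"""
type=PROCTITLE msg=audit(1424351997.873:1072): proctitle=646F636B657200696E737065637400626139303034376532383962
type=PROCTITLE msg=audit(1424351997.902:1074): proctitle=646F636B657200696E737065637400626139303034376532383962
type=AVC msg=audit(1424351987.389:1065): avc: denied { entrypoint } for pid=19633 comm="docker" path="/var/lib/docker/init/dockerinit-1.5.0-dev" dev="dm-0" ino=168539 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351987.507:1069): avc: denied { transition } for pid=19633 comm="dockerinit-1.5." path="/usr/bin/bash" dev="dm-3" ino=393592 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c435,c767 tclass=process permissive=1
type=AVC msg=audit(1424351997.873:1072): avc: denied { open } for pid=19688 comm="docker" path="/proc/sys/net/core/somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc: denied { read } for pid=19688 comm="docker" name="somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc: denied { search } for pid=19688 comm="docker" name="net" dev="proc" ino=9305 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1424351997.902:1074): avc: denied { connectto } for pid=19688 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1424351997.902:1074): avc: denied { write } for pid=19688 comm="docker" name="docker.sock" dev="tmpfs" ino=51775 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=1
"""

# One AVC record: serial ties it to the SYSCALL/PROCTITLE records of the same event.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE\s+msg=audit\([\d.]+:(?P<serial>\d+)\):\s+proctitle=(?P<title>\S+)'
)


def selinux_type(context):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return context.split(':')[2]


def decode_proctitle(field):
    """auditd hex-encodes proctitle when argv holds NULs; split it back into argv."""
    if field.startswith('"'):            # plain single-word title is quoted, not hex
        return [field.strip('"')]
    return bytes.fromhex(field).decode('utf-8', 'replace').split('\x00')


def parse_denials(text):
    return [{
        'serial': int(m['serial']),
        'source': selinux_type(m['scontext']),
        'target': selinux_type(m['tcontext']),
        'tclass': m['tclass'],
        'perms': set(m['perms'].split()),
        'permissive': m['permissive'] == '1',   # 1: logged only, access still granted
    } for m in AVC_RE.finditer(text)]


def parse_proctitles(text):
    return {int(m['serial']): decode_proctitle(m['title']) for m in PROCTITLE_RE.finditer(text)}


def allow_rules(denials, source=None):
    """Merge denials with the same (source, target, class) into one allow rule."""
    grouped = defaultdict(set)
    for d in denials:
        if source is None or d['source'] == source:
            grouped[(d['source'], d['target'], d['tclass'])] |= d['perms']
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {s} {t}:{c} {body};')
    return rules


if __name__ == '__main__':
    denials = parse_denials(SAMPLE)
    titles = parse_proctitles(SAMPLE)
    for d in denials:
        argv = titles.get(d['serial'], ['?'])
        print(f"{d['serial']}: {' '.join(argv)!r} {d['source']} -> "
              f"{d['target']}:{d['tclass']} {sorted(d['perms'])}")
    print('# rules needed by the abrt_t domain only:')
    for rule in allow_rules(denials, source='abrt_t'):
        print(rule)
```

Two things worth reading off the output rather than the raw records: every denial carries permissive=1, so `docker inspect` still succeeded here and would instead fail once the machine is switched to enforcing; and filtering on the abrt_t source separates the rules this bug is about (sysctl_net_t reads, connectto on the docker_t socket, write to the docker_var_run_t sock_file) from the two spc_t denials, which belong to Docker's own domain. Rules produced this way are a starting point for review, not a module to load blindly; in this report the fix landed in the distribution selinux-policy and docker-selinux packages rather than a local module.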
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
commit 1dd281e0169366f3671f477f423a97098100d5dd
Author: Lukas Vrabec <lvrabec>
Date: Tue Oct 13 16:08:42 2015 +0200

    Allow abrt_t to read sysctl_net_t files.
    BZ(#1194280)

I added all fixes for this issue in the distro selinux-policy. I also added fixes in the docker-selinux package.
commit b1908e278581e75b97f1f7337988ef510e9646a5
Author: Lukas Vrabec <lvrabec>
Date: Tue Oct 13 15:51:18 2015 +0200

    Allow abrt_t to stream connect to docker.

Lokesh, I'm going to create new updates for Fedora 23. After that, could you add this patch to docker? Thank you!
*** Bug 1273110 has been marked as a duplicate of this bug. ***
Lukas, what is the state of this bug?
Lukas, where's this patch present? I only see your commit message.
I wasn't supposed to clear needinfo on Lukas.
My changes are in the docker-selinux GitHub repo and also in the current f23 docker package version. Jakub, could you test it? Thank you!
This is fixed in docker-1.9.1-2.git78bc3ea.fc23
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days