Bug 1194280 - please allow abrtd to run "docker inspect $ID"
Summary: please allow abrtd to run "docker inspect $ID"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 23
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1273110 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-02-19 13:23 UTC by Jakub Filak
Modified: 2023-09-14 02:55 UTC (History)
17 users (show)

Fixed In Version: docker-1.9.1-2.git78bc3ea.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-03 12:14:49 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1273110 0 unspecified CLOSED SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock. 2021-02-22 00:41:40 UTC

Internal Links: 1273110

Description Jakub Filak 2015-02-19 13:23:23 UTC
Description of problem:
The current version of ABRT adds support for collecting information about a container in which a process crashed. One of the supported container technologies is Docker and abrtd runs 'docker inspect $container_id' upon detection a new crash in a docker container.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-111.fc23.noarch

Additional info:
I got these AVC in Permissive mode:
----
time->Thu Feb 19 14:19:47 2015
type=PROCTITLE msg=audit(1424351987.389:1065): proctitle=6E6174697665002D636F6E736F6C65002F6465762F7074732F36002D706970650033002D726F6F74002F7661722F6C69622F646F636B65722F657865636472697665722F6E61746976652F6261393030343765323839623962303630333135363463306132393561636338393532393839303637343338333239643434663733
type=SYSCALL msg=audit(1424351987.389:1065): arch=c000003e syscall=59 success=yes exit=0 a0=c20839b0b0 a1=c2084533b0 a2=c2083f83e0 a3=0 items=0 ppid=8084 pid=19633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerinit-1.5." exe="/var/lib/docker/init/dockerinit-1.5.0-dev" subj=system_u:system_r:spc_t:s0 key=(null)
type=AVC msg=audit(1424351987.389:1065): avc:  denied  { entrypoint } for  pid=19633 comm="docker" path="/var/lib/docker/init/dockerinit-1.5.0-dev" dev="dm-0" ino=168539 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Feb 19 14:19:47 2015
type=PROCTITLE msg=audit(1424351987.507:1069): proctitle=6E6174697665002D636F6E736F6C65002F6465762F7074732F36002D706970650033002D726F6F74002F7661722F6C69622F646F636B65722F657865636472697665722F6E61746976652F6261393030343765323839623962303630333135363463306132393561636338393532393839303637343338333239643434663733
type=SYSCALL msg=audit(1424351987.507:1069): arch=c000003e syscall=59 success=yes exit=0 a0=c208093780 a1=c208093790 a2=c2080bda40 a3=0 items=0 ppid=8084 pid=19633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:svirt_lxc_net_t:s0:c435,c767 key=(null)
type=AVC msg=audit(1424351987.507:1069): avc:  denied  { transition } for  pid=19633 comm="dockerinit-1.5." path="/usr/bin/bash" dev="dm-3" ino=393592 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c435,c767 tclass=process permissive=1
----
time->Thu Feb 19 14:19:57 2015
type=PROCTITLE msg=audit(1424351997.873:1072): proctitle=646F636B657200696E737065637400626139303034376532383962
type=SYSCALL msg=audit(1424351997.873:1072): arch=c000003e syscall=2 success=yes exit=3 a0=c20801e060 a1=80000 a2=0 a3=0 items=0 ppid=19687 pid=19688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { open } for  pid=19688 comm="docker" path="/proc/sys/net/core/somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { read } for  pid=19688 comm="docker" name="somaxconn" dev="proc" ino=51756 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1424351997.873:1072): avc:  denied  { search } for  pid=19688 comm="docker" name="net" dev="proc" ino=9305 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
time->Thu Feb 19 14:19:57 2015
type=PROCTITLE msg=audit(1424351997.902:1074): proctitle=646F636B657200696E737065637400626139303034376532383962
type=SYSCALL msg=audit(1424351997.902:1074): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=c208054190 a2=17 a3=0 items=0 ppid=19687 pid=19688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1424351997.902:1074): avc:  denied  { connectto } for  pid=19688 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1424351997.902:1074): avc:  denied  { write } for  pid=19688 comm="docker" name="docker.sock" dev="tmpfs" ino=51775 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=1

Comment 1 Jan Kurik 2015-07-15 14:31:20 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 2 Lukas Vrabec 2015-10-13 14:13:31 UTC
commit 1dd281e0169366f3671f477f423a97098100d5dd
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 13 16:08:42 2015 +0200

    Allow abrt_t to read sysctl_net_t files. BZ(#1194280)

I add all fixes for this issue in distro selinux-policy. Also add fixes in docker-selinux package.

Comment 3 Lukas Vrabec 2015-10-13 14:15:31 UTC
commit b1908e278581e75b97f1f7337988ef510e9646a5
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 13 15:51:18 2015 +0200

    Allow abrt_t to stream connect do docker.

Lokesh, 
I'm going to create new updates for Fedora23, After then could you add this patch to docker? Thank you!

Comment 4 Daniel Walsh 2015-10-21 16:12:38 UTC
*** Bug 1273110 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2015-11-10 09:17:50 UTC
Lukas,
what is a state of this bug?

Comment 6 Lokesh Mandvekar 2015-11-10 16:30:58 UTC
Lukas, where's this patch present? I only see your commit message.

Comment 7 Lokesh Mandvekar 2015-11-10 16:31:52 UTC
I wasn't supposed to clear needinfo on Lukas.

Comment 8 Lukas Vrabec 2015-11-23 12:20:05 UTC
My changes are in docker-selinux github repo and also in current f23 docker package version. 

Jakub, 
Could you test it? 

Thank you!

Comment 9 Lukas Vrabec 2015-12-03 12:14:49 UTC
This is fixed in docker-1.9.1-2.git78bc3ea.fc23

Comment 10 Red Hat Bugzilla 2023-09-14 02:55:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days


Note You need to log in before you can comment on or make changes to this bug.