Description of problem:
I did a yum-update and then rebooted.
SELinux is preventing docker from 'getattr' accesses on the sock_file /run/openvswitch/db.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that docker should be allowed getattr access on the db.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:object_r:openvswitch_var_run_t:s0
Target Objects                /run/openvswitch/db.sock [ sock_file ]
Source                        docker
Source Path                   docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.18.7-200.fc21.x86_64 #1 SMP Wed Feb 11 21:53:17 UTC 2015 x86_64 x86_64
Alert Count                   4
First Seen                    2015-02-22 23:03:06 GMT
Last Seen                     2015-02-23 09:38:17 GMT
Local ID                      85645643-f1a7-421b-9ee5-74370ae984c5

Raw Audit Messages
type=AVC msg=audit(1424684297.86:708): avc:  denied  { getattr } for  pid=1612 comm="docker" path="/run/openvswitch/db.sock" dev="tmpfs" ino=21446 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=1

Hash: docker,docker_t,openvswitch_var_run_t,sock_file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport
Posted from SELinux Alert Browser

Referenced in comment #3: https://bugzilla.redhat.com/show_bug.cgi?id=1186669
Any idea why this would happen? Were you doing something with openvswitch in a container?
Hi Daniel,

> Any idea why this would happen?

It all used to work fine, then after the update it was/is unusable. So I guessed that the 'yum update' broke it.

> Were you doing something with openvswitch in a container?

I don't think so - OVS is in the root namespace and started by systemd, and besides, I haven't even started any containers yet.

Just to be certain I removed any expired containers with 'docker rm' and removed any stored OVS bridges with 'ovs-vsctl del-br' and rebooted, but still get the same SELinux errors.

[root@vm117 ~]# ovs-vsctl show
81233a61-02a6-4440-b027-afcc844bbd86
    ovs_version: "2.3.1-git3282e51"
[root@vm117 ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.5254004e59f4	yes		virbr0-nic
[root@vm117 ~]# docker ps -a
FATA[0000] Cannot connect to the Docker daemon. Is 'docker -d' running on this host?
[root@vm117 ~]#
[root@vm117 ~]# systemctl status -l docker.service
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)
   Active: failed (Result: timeout) since Mon 2015-03-09 17:22:00 GMT; 6min ago
     Docs: http://docs.docker.com
  Process: 1538 ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $INSECURE_REGISTRY (code=exited, status=0/SUCCESS)
 Main PID: 1538 (code=exited, status=0/SUCCESS)

Mar 09 17:20:32 vm117 docker[1538]: time="2015-03-09T17:20:32Z" level="info" msg="+job serveapi(unix:///var/run/docker.sock)"
Mar 09 17:20:32 vm117 docker[1538]: time="2015-03-09T17:20:32Z" level="info" msg="Listening for HTTP on unix (/var/run/docker.sock)"
Mar 09 17:21:35 vm117 python[2161]: SELinux is preventing docker from getattr access on the directory /run/openvswitch.
    *****  Plugin catchall (100. confidence) suggests   **************************
    If you believe that docker should be allowed getattr access on the openvswitch directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep docker /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
Mar 09 17:21:35 vm117 python[2161]: SELinux is preventing docker from getattr access on the sock_file /run/openvswitch/db.sock.
    *****  Plugin catchall (100. confidence) suggests   **************************
    If you believe that docker should be allowed getattr access on the db.sock sock_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep docker /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
Mar 09 17:21:47 vm117 python[2161]: SELinux is preventing docker from getattr access on the directory /run/openvswitch.
    *****  Plugin catchall (100. confidence) suggests   **************************
    If you believe that docker should be allowed getattr access on the openvswitch directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep docker /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
Mar 09 17:22:00 vm117 systemd[1]: docker.service start operation timed out. Terminating.
Mar 09 17:22:00 vm117 docker[1538]: time="2015-03-09T17:22:00Z" level="info" msg="Received signal 'terminated', starting shutdown of docker..."
Mar 09 17:22:00 vm117 systemd[1]: Failed to start Docker Application Container Engine.
Mar 09 17:22:00 vm117 systemd[1]: Unit docker.service entered failed state.
Mar 09 17:22:00 vm117 systemd[1]: docker.service failed.

If I manually execute

[root@vm117 ~]# systemctl start docker.service

the docker bridge appears, but so do the SELinux errors. :-(

[root@vm117 ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.56847afe9799	no
virbr0		8000.5254004e59f4	yes		virbr0-nic
[root@vm117 ~]#

F22 Alpha is due out tomorrow. I intend to do a fresh default install tomorrow and hope that SELinux, Docker, OVS, NetworkManager and Teamd can function together there. I will report back with the result.
bb62bcdc913ddb0d7bd3486fa2a9448f0b85e84f fixes this in git. Lukas, can you update the policy? And let's complete pulling the docker policy into the docker package.
commit 3e9e1df8f1d470eb820c358abf2433759ae2bbad
Author: Dan Walsh <dwalsh>
Date:   Mon Mar 9 17:13:19 2015 -0400

    Allow docker to communicate with openvswitch
So I spent a fair bit of time hunting for selinux-policy-3.13.1-105.8.fc21 but I cannot see it in koji or Bodhi.

http://koji.fedoraproject.org/koji/packageinfo?packageID=32
http://koji.fedoraproject.org/koji/userinfo?userID=2643
https://admin.fedoraproject.org/updates/FEDORA-2015-3476/selinux-policy-3.13.1-105.6.fc21?_csrf_token=c483fb03286739a3837112588ca3889ad3c6fc03

Can you post a link that I can use to test please?

Thanks, Colin.
Looks like selinux-policy-3.13.1-105.7.fc21 was built yesterday, but no selinux-policy-3.13.1-105.8.fc21.
Hi, I have not built -105.8.fc21 yet. I will do it during this day.
selinux-policy-3.13.1-105.9.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21
I can report that 'yum update' to selinux-policy-3.13.1-105.6.fc21.noarch still did not allow the Docker daemon to start, either from boot or manually as root, but subsequently also updating:

Resolving Dependencies
--> Running transaction check
---> Package systemd.x86_64 0:216-20.fc21 will be updated
--> Processing Dependency: systemd = 216-20.fc21 for package: libgudev1-216-20.fc21.x86_64
---> Package systemd.x86_64 0:216-21.fc21 will be an update
---> Package systemd-compat-libs.x86_64 0:216-20.fc21 will be updated
---> Package systemd-compat-libs.x86_64 0:216-21.fc21 will be an update
---> Package systemd-libs.x86_64 0:216-20.fc21 will be updated
---> Package systemd-libs.x86_64 0:216-21.fc21 will be an update
---> Package systemd-python.x86_64 0:216-20.fc21 will be updated
---> Package systemd-python.x86_64 0:216-21.fc21 will be an update
---> Package systemd-python3.x86_64 0:216-20.fc21 will be updated
---> Package systemd-python3.x86_64 0:216-21.fc21 will be an update
--> Running transaction check
---> Package libgudev1.x86_64 0:216-20.fc21 will be updated
---> Package libgudev1.x86_64 0:216-21.fc21 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch      Version          Repository    Size
================================================================================
Updating:
 systemd              x86_64    216-21.fc21      updates      5.2 M
 systemd-compat-libs  x86_64    216-21.fc21      updates      126 k
 systemd-libs         x86_64    216-21.fc21      updates      322 k
 systemd-python       x86_64    216-21.fc21      updates       93 k
 systemd-python3      x86_64    216-21.fc21      updates       95 k
Updating for dependencies:
 libgudev1            x86_64    216-21.fc21      updates       60 k

Transaction Summary
================================================================================
:

at least finally allows a manual 'systemctl start docker.service' to succeed. :-) Which is an improvement.

selinux-policy-3.13.1-105.9.fc21 seems not available at mirrors.

[root@vm117 yum]# brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.56847afe9799	no
virbr0		8000.5254004e59f4	yes		virbr0-nic

:-)
Are you seeing additional AVC messages?

ausearch -m avc -i -ts recent
Hi Dan.

[root@vm117 yum]# ausearch -m avc -i -ts recent
<no matches>
[root@vm117 yum]#

I did do a 'grep -i 'avc: denied' /var/log/audit/audit.log > grep_avc_denied.out'
Output attached to RHBZ#1181338 Comment 14
https://bugzilla.redhat.com/show_bug.cgi?id=1181338#c14

[update...]
AVC errors seem to have stopped after I installed 'selinux-policy-3.13.1-105.9.fc21 critical path bugfix update' from bodhi:
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21

THANK YOU Lukas :-) :-) :-)
Karma left. :-)
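The two checks that run through this thread are the setroubleshoot suggestion in the description (`grep docker /var/log/audit/audit.log | audit2allow -M mypol`) and Dan's `ausearch -m avc -i -ts recent`. Before installing a locally generated module it is worth seeing exactly which (source type, target type, class, permission) tuples the log contains, since `grep docker` matches any record mentioning docker and `audit2allow` will happily turn all of them into allow rules. The following is an added example for this bug, not code from setroubleshoot, audit2allow or the Fedora policy: it parses raw AVC records, groups denials the way audit2allow does, and renders the equivalent TE allow rules. The first sample line is the raw audit message from the report above; the second (the `dir` denial on /run/openvswitch that the journal reported) and third (an enforcing-mode denial, `permissive=0`) are constructed for contrast and are not from the page.

```python
"""Summarize raw SELinux AVC audit records and render audit2allow-style rules.

Added example for this bug; not part of setroubleshoot, audit2allow or the
selinux-policy package. The first log line below is the raw audit message
from the bug description; the other two AVC lines are constructed samples.
"""
import re
from collections import defaultdict

# Constructed sample log. Line 1 is the real message from the report; line 2
# mirrors the directory denial named in the journal; line 3 is an invented
# enforcing-mode (permissive=0) denial; line 4 is a non-AVC record to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1424684297.86:708): avc:  denied  { getattr } for  pid=1612 comm="docker" path="/run/openvswitch/db.sock" dev="tmpfs" ino=21446 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1425921695.10:812): avc:  denied  { getattr } for  pid=1538 comm="docker" path="/run/openvswitch" dev="tmpfs" ino=21440 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1425921700.55:813): avc:  denied  { read write } for  pid=1538 comm="docker" path="/run/openvswitch/db.sock" dev="tmpfs" ino=21446 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1424684297.86:708): arch=c000003e syscall=4 success=yes exit=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; quoted values (path, comm) may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit record into a dict; return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": sorted(m.group("perms").split()),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # permissive=1 means the kernel logged the denial but let the access through,
    # which is why the reporter's daemon kept running under Permissive mode.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def selinux_type(context):
    """Extract the type field: system_u:system_r:docker_t:s0 -> docker_t."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class), unioning permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rules(summary):
    """Render TE allow rules in the form audit2allow prints for each group."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def enforced_denials(log_text):
    """Return only the denials that actually blocked an access (permissive=0)."""
    recs = (parse_avc(l) for l in log_text.splitlines())
    return [r for r in recs if r is not None and r["verdict"] == "denied" and r["enforced"]]


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    for key, perms in sorted(summary.items()):
        print(f"{key[0]} -> {key[1]} ({key[2]}): {' '.join(perms)}")
    print("\n".join(allow_rules(summary)))
    print(f"{len(enforced_denials(SAMPLE_AUDIT_LOG))} denial(s) were enforced")
```

Run against a real `/var/log/audit/audit.log` (or the output of `ausearch -m avc --raw`) the grouped summary is what decides the next step: a handful of tuples between a confined daemon and another package's runtime type, as here, is the "report this as a bug" case that the policy commit above eventually fixed in selinux-policy proper, while a local `mypol.pp` from `audit2allow` is a stopgap whose rules should be read before `semodule -i` so that unrelated denials caught by the `grep` do not get allowed along with it.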
No problem, thanks for the +1 karma :)
selinux-policy-3.13.1-105.9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.