Bug 1206751 - Docker with overlay cannot run bash (prevented by SELinux)
Summary: Docker with overlay cannot run bash (prevented by SELinux)
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 21
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-03-28 01:12 UTC by robberphex
Modified: 2015-11-09 21:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-29 01:57:36 UTC
Type: Bug
Embargoed:



Description robberphex 2015-03-28 01:12:18 UTC
Description of problem:

The container cannot read .so files in the overlay, and the filesystem cannot be relabeled.

How reproducible:


Steps to Reproduce:
1. Add "DOCKER_STORAGE_OPTIONS= --storage-driver=overlay" to /etc/sysconfig/docker-storage, and restart the docker service.
2. Re-pull the image (in my case, pull debian:jessie).
3. Run a container (sudo docker run -it debian:jessie /bin/bash).

Actual results:

/bin/bash: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
(prevented by SELinux)

Expected results:

bash prompt in container

Additional info:

There are 4 SELinux alerts:
----1----
SELinux is preventing docker from mount access on the filesystem /.

*****  Plugin file (47.5 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (47.5 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that docker should be allowed mount access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        docker
Source Path                   docker
Port                          <Unknown>
Host                          rp.fedora
Source RPM Packages           
Target RPM Packages           filesystem-3.2-28.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rp.fedora
Platform                      Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed
                              Mar 18 04:29:24 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-03-28 09:08:17 CST
Last Seen                     2015-03-28 09:08:17 CST
Local ID                      fcd44130-63b9-4680-9975-4dc6a416b566

Raw Audit Messages
type=AVC msg=audit(1427504897.987:739): avc:  denied  { mount } for  pid=1337 comm="docker" name="/" dev="overlay" ino=65132 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1


Hash: docker,docker_t,unlabeled_t,filesystem,mount

----2----
SELinux is preventing docker from unmount access on the filesystem .

*****  Plugin file (47.5 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (47.5 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that docker should be allowed unmount access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                 [ filesystem ]
Source                        docker
Source Path                   docker
Port                          <Unknown>
Host                          rp.fedora
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rp.fedora
Platform                      Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed
                              Mar 18 04:29:24 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-03-28 09:08:17 CST
Last Seen                     2015-03-28 09:08:17 CST
Local ID                      c4a57cd0-ae92-4521-ad81-40a5e30a5627

Raw Audit Messages
type=AVC msg=audit(1427504897.990:740): avc:  denied  { unmount } for  pid=1337 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1


Hash: docker,docker_t,unlabeled_t,filesystem,unmount

----3----
SELinux is preventing docker from relabelfrom access on the filesystem .

*****  Plugin file (47.5 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (47.5 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that docker should be allowed relabelfrom access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                 [ filesystem ]
Source                        docker
Source Path                   docker
Port                          <Unknown>
Host                          rp.fedora
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rp.fedora
Platform                      Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed
                              Mar 18 04:29:24 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-03-28 09:08:17 CST
Last Seen                     2015-03-28 09:08:17 CST
Local ID                      ad86497a-be89-4611-8686-7aa67e73f523

Raw Audit Messages
type=AVC msg=audit(1427504897.998:741): avc:  denied  { relabelfrom } for  pid=1337 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1


Hash: docker,docker_t,unlabeled_t,filesystem,relabelfrom

----4----
SELinux is preventing bash from read access on the file /var/lib/docker/overlay/1cbc0c1b2084b5f3c8fdc283032c124f6fb461242cc5b82fb183095a414869b9/root/lib/x86_64-linux-gnu/libncurses.so.5.9.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed read access on the libncurses.so.5.9 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bash /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c156,c1000
Target Context                system_u:object_r:docker_var_lib_t:s0
Target Objects                /var/lib/docker/overlay/1cbc0c1b2084b5f3c8fdc28303
                              2c124f6fb461242cc5b82fb183095a414869b9/root/lib/x8
                              6_64-linux-gnu/libncurses.so.5.9 [ file ]
Source                        bash
Source Path                   bash
Port                          <Unknown>
Host                          rp.fedora
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rp.fedora
Platform                      Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed
                              Mar 18 04:29:24 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-03-28 09:08:18 CST
Last Seen                     2015-03-28 09:08:18 CST
Local ID                      2a5fbf0f-dc4e-489b-a9ca-2541bb55209e

Raw Audit Messages
type=AVC msg=audit(1427504898.269:754): avc:  denied  { read } for  pid=10156 comm="bash" name="libncurses.so.5.9" dev="dm-0" ino=2100260 scontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c1000 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0


Hash: bash,svirt_lxc_net_t,docker_var_lib_t,file,read

----end----

Comment 1 Lokesh Mandvekar 2015-03-28 04:54:31 UTC
Hi, could you please post what 'rpm -qi docker-io' says on your system?

Comment 2 robberphex 2015-03-28 05:16:18 UTC
(In reply to Lokesh Mandvekar from comment #1)
> Hi, could you please post what 'rpm -qi docker-io' says on your system?

I am sorry for leak information.

$ rpm -qa | grep docker-io
docker-io-1.5.0-1.fc21.x86_64

Comment 3 Lokesh Mandvekar 2015-03-29 07:46:26 UTC
Dan, guess you're the best person to comment on this.

Comment 4 Daniel Walsh 2015-03-30 12:52:30 UTC
overlayfs and SELinux under docker do not currently work together.  If you want to use overlayfs, you should disable SELinux support in docker.  The kernel team is working on fixing this upstream.

Comment 5 Fedora Kernel Team 2015-04-28 18:29:16 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 21 kernel bugs.

Fedora 21 has now been rebased to 3.19.5-200.fc21.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 22, and are still experiencing this issue, please change the version to Fedora 22.

If you experience different issues, please open a new bug report for those.

Comment 6 robberphex 2015-04-29 01:57:36 UTC
I have moved to Fedora 22, and docker with overlay still cannot work.

Because the error message is "SELinux is preventing docker from relabelfrom access on the directory /."

I think I'd better open a new bug report.

Comment 7 Kayvan Sylvan 2015-05-03 21:30:25 UTC
I'm seeing this with Fedora 21 and docker-io 1.6.0

It's quite easy to reproduce:

[ksylvan@ksylvan-t420 src]$ docker run --rm -it -v $(pwd):/src busybox /bin/sh
/ # cd /src
/src # ls
ls: can't open '.': Permission denied
/src # exit

[ksylvan@ksylvan-t420 src]$ rpm -qi docker-io
Name        : docker-io
Version     : 1.6.0
Release     : 2.git3eac457.fc21
Architecture: x86_64
Install Date: Mon 27 Apr 2015 02:52:12 PM PDT

Comment 8 Daniel Walsh 2015-05-04 06:36:39 UTC
Could you try docker-io-1.6.0-0.2.rc7.fc21

Comment 9 Zvi "Viz" Effron 2015-06-01 19:26:09 UTC
I'm still seeing this with docker-1.6.0-3.git9d26a07.fc22 on Fedora 22. And turning off SELinux under Docker does fix it.

Reproduction sample:

[root@sayuno ~]# docker run -ti --rm fedora:22 bash
[root@7da227018b66 /]# ls
ls: cannot open directory .: Permission denied

SELinux denial:

type=AVC msg=audit(1433186579.885:5411): avc:  denied  { read } for  pid=20790 comm="ls" name="root" dev="md127" ino=5767506 scontext=system_u:system_r:svirt_lxc_net_t:s0:c530,c542 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1433186581.388:5412): avc:  denied  { write } for  pid=20730 comm="bash" name="root" dev="md127" ino=5767506 scontext=system_u:system_r:svirt_lxc_net_t:s0:c530,c542 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0

Comment 10 Daniel Walsh 2015-06-01 20:17:28 UTC
 ps -auxww | grep docker
dwalsh   17416  0.0  0.0 114388  2372 pts/2    S+   16:17   0:00 grep --color=auto docker
root     18723  0.0  0.2 593128 23232 ?        Ssl  May29   0:20 /usr/bin/docker -d --selinux-enabled

Comment 11 klingt.net 2015-09-27 16:40:55 UTC
Same problem for me, using docker 1.8.2-fc22

Comment 12 Daniel Walsh 2015-09-28 11:09:58 UTC
Did you disable SELinux in docker?

Comment 13 klingt.net 2015-09-28 11:18:24 UTC
/etc/sysconfig/docker

```
# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled=false'
DOCKER_CERT_PATH=/etc/docker

# Enable insecure registry communication by appending the registry URL
# to the INSECURE_REGISTRY variable below and uncommenting it
# INSECURE_REGISTRY='--insecure-registry '

# On SELinux System, if you remove the --selinux-enabled option, you
# also need to turn on the docker_transition_unconfined boolean.
setsebool -P docker_transition_unconfined

# Location used for temporary files, such as those created by
# docker load and build operations. Default is /var/lib/docker/tmp
# Can be overriden by setting the following environment variable.
# DOCKER_TMPDIR=/var/tmp

# Controls the /etc/cron.daily/docker-logrotate cron job status.
# To disable, uncomment the line below.
# LOGROTATE=false
```

Disabling SELinux in docker was not enough, I also had to set SELinux from `enforcing` to `permissive` mode.

Comment 14 Daniel Walsh 2015-09-28 11:21:34 UTC
What AVC messages are you seeing

ausearch -m avc,user_avc -ts recent

Comment 15 klingt.net 2015-09-28 11:35:36 UTC
ausearch -m avc,user_avc -ts yesterday

```
...
time->Sun Sep 27 17:03:08 2015
type=AVC msg=audit(1443373388.517:411): avc:  denied  { read } for  pid=1328 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
time->Sun Sep 27 17:03:08 2015
type=AVC msg=audit(1443373388.518:412): avc:  denied  { entrypoint } for  pid=1308 comm="exe" path="/bin/dash" dev="vda1" ino=1164530 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0
----
time->Sun Sep 27 17:03:08 2015
type=AVC msg=audit(1443373388.546:415): avc:  denied  { read } for  pid=1332 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
time->Sun Sep 27 17:03:08 2015
type=AVC msg=audit(1443373388.576:417): avc:  denied  { read } for  pid=1336 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
time->Sun Sep 27 17:03:08 2015
type=AVC msg=audit(1443373388.584:419): avc:  denied  { read } for  pid=1337 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
time->Sun Sep 27 17:03:08 2015
type=AVC msg=audit(1443373388.593:421): avc:  denied  { read } for  pid=1340 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
time->Sun Sep 27 17:03:08 2015
type=AVC msg=audit(1443373388.601:423): avc:  denied  { read } for  pid=1341 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
time->Sun Sep 27 17:03:08 2015
type=AVC msg=audit(1443373388.611:425): avc:  denied  { read } for  pid=1342 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
```

Set SELinux to permissive mode:

```
time->Sun Sep 27 17:05:34 2015
type=AVC msg=audit(1443373534.163:88): avc:  denied  { read } for  pid=719 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
----
time->Sun Sep 27 17:05:35 2015
type=AVC msg=audit(1443373535.199:124): avc:  denied  { entrypoint } for  pid=858 comm="exe" path="/bin/dash" dev="vda1" ino=1164530 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1
----
time->Sun Sep 27 17:08:32 2015
type=AVC msg=audit(1443373712.152:175): avc:  denied  { read } for  pid=1129 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
----
time->Sun Sep 27 17:08:32 2015
type=AVC msg=audit(1443373712.310:181): avc:  denied  { entrypoint } for  pid=1147 comm="exe" path="/bin/busybox" dev="vda1" ino=260590 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1
----
time->Sun Sep 27 17:09:10 2015
type=AVC msg=audit(1443373750.571:185): avc:  denied  { entrypoint } for  pid=1242 comm="exe" path="/bin/dash" dev="vda1" ino=1164530 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1
```

Comment 16 Daniel Walsh 2015-09-28 12:54:19 UTC
I think this is fixed in the latest docker-selinux package

yum -y update --enablerepo=updates-testing docker-selinux

Comment 17 klingt.net 2015-09-28 16:03:31 UTC
There is no update?

```
dnf update --enablerepo=updates-testing docker-selinux
Fedora 22 - x86_64 - Test Updates                12 MB/s | 6.2 MB     00:00    
Last metadata expiration check performed 0:00:04 ago on Mon Sep 28 16:02:10 2015.
Dependencies resolved.
Nothing to do.
Complete!
```

Comment 18 Adam Miller 2015-09-28 16:27:25 UTC
slap a --refresh on there or try with yum-deprecated ... dnf is bad

Comment 19 klingt.net 2015-09-28 16:32:38 UTC
I had no luck using `dnf update --refresh --enablerepo=updates-testing docker-selinux` or `yum-deprecated update --enablerepo=updates-testing docker-selinux`. Both showed that there are no packages to update.

Comment 20 Daniel Walsh 2015-09-28 16:35:38 UTC
koji is telling me

docker-1.8.2-4.gitcb216be.fc22            f22-updates-candidate  lsm5

Is available.

Comment 21 klingt.net 2015-09-28 16:45:19 UTC
There are updates found when I use the `--enablerepo=updates-testing` switch, but there is no `docker-selinux`:

```
Dependencies Resolved

=============================================================================================================================================================================================================================================
 Package                                                          Arch                                            Version                                                     Repository                                                Size
=============================================================================================================================================================================================================================================
Installing:
 golang-bin                                                       x86_64                                          1.5.1-0.fc22                                                updates-testing                                           40 M
     replacing  golang-pkg-bin-linux-amd64.x86_64 1.4.2-3.fc22
     replacing  golang-pkg-linux-amd64.noarch 1.4.2-3.fc22
 kernel-core                                                      x86_64                                          4.1.8-200.fc22                                              updates-testing                                           19 M
 kernel-headers                                                   x86_64                                          4.1.8-200.fc22                                              updates-testing                                          1.0 M
     replacing  kernel-headers.x86_64 4.1.7-200.fc22
Updating:
 freetype                                                         x86_64                                          2.5.5-2.fc22                                                updates-testing                                          406 k
 glib2                                                            x86_64                                          2.44.1-2.fc22                                               updates-testing                                          2.2 M
 golang                                                           x86_64                                          1.5.1-0.fc22                                                updates-testing                                          1.1 M
 golang-src                                                       noarch                                          1.5.1-0.fc22                                                updates-testing                                          3.6 M
 iproute                                                          x86_64                                          3.16.0-4.fc22                                               updates-testing                                          538 k
 koji                                                             noarch                                          1.10.0-2.fc22                                               updates-testing                                          223 k
 krb5-devel                                                       x86_64                                          1.13.2-7.fc22                                               updates-testing                                          648 k
 krb5-libs                                                        x86_64                                          1.13.2-7.fc22                                               updates-testing                                          837 k
 man-db                                                           x86_64                                          2.7.1-9.fc22                                                updates-testing                                          823 k
 perl                                                             x86_64                                          4:5.20.3-328.fc22                                           updates-testing                                          8.0 M
 perl-Pod-Escapes                                                 noarch                                          1:1.06-328.fc22                                             updates-testing                                           62 k
 perl-libs                                                        x86_64                                          4:5.20.3-328.fc22                                           updates-testing                                          748 k
 perl-macros                                                      x86_64                                          4:5.20.3-328.fc22                                           updates-testing                                           54 k
 python                                                           x86_64                                          2.7.10-8.fc22                                               updates-testing                                           93 k
 python-libs                                                      x86_64                                          2.7.10-8.fc22                                               updates-testing                                          5.8 M
 python-pycurl                                                    x86_64                                          7.19.5.1-2.fc22                                             updates-testing                                          177 k
 selinux-policy                                                   noarch                                          3.13.1-128.16.fc22                                          updates-testing                                          423 k
 selinux-policy-targeted                                          noarch                                          3.13.1-128.16.fc22                                          updates-testing                                          4.1 M
 yum                                                              noarch                                          3.4.3-508.fc22                                              updates-testing                                          1.2 M
Installing for dependencies:
 go-srpm-macros                                                   noarch                                          1-2.fc22                                                    updates-testing                                          7.9 k

Transaction Summary
=============================================================================================================================================================================================================================================
Install   3 Packages (+1 Dependent package)
Upgrade  19 Packages
```

Comment 22 klingt.net 2015-09-28 16:46:27 UTC
To my previous post: I've run `dnf update --refresh --enablerepo=updates-testing` without `docker-selinux` argument to see if it's doing anything at all.

Comment 23 Seb L. 2015-11-06 08:03:38 UTC
Hi,

Regarding most of the AVCs reported in comment 15:

  type=AVC msg=audit(1443373388.517:411): avc:  denied  { read }
  for pid=1328 comm="iptables" path="net:[4026531957]"
  dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0
  tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

=> missing context for the nsfs device

Same cause (for those AVCs and only those) as bug https://bugzilla.redhat.com/show_bug.cgi?id=1234757#c7 , same resolution (see nsfs_fix.patch to be applied to the selinux-policy repo: https://bugzilla.redhat.com/attachment.cgi?id=1090403 ).

Best regards,
Sébastien
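As an added example (not code from this bug report, the docker package or the selinux-policy project), a small triage script for AVC records like those pasted in the description and in comment 15: it parses the audit lines, tallies them by source type, target type, class and permission the way audit2allow groups them, and separates denials against unlabeled_t (a labeling gap, as comment 23 notes for nsfs) from the container-side denial on docker_var_lib_t that actually blocked bash. The cause names and the diagnose() heuristics are this example's own assumptions, not anything stated by the thread's participants.

```python
"""Triage SELinux AVC denials of the kinds pasted in this bug report."""
import re
from collections import Counter

# Sample input: AVC lines taken from the description and comment 15 of this
# bug, with the "----" separators that ausearch prints between records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1427504897.987:739): avc:  denied  { mount } for  pid=1337 comm="docker" name="/" dev="overlay" ino=65132 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(1427504897.998:741): avc:  denied  { relabelfrom } for  pid=1337 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(1427504898.269:754): avc:  denied  { read } for  pid=10156 comm="bash" name="libncurses.so.5.9" dev="dm-0" ino=2100260 scontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c1000 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(1443373388.517:411): avc:  denied  { read } for  pid=1328 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(1443373388.518:412): avc:  denied  { entrypoint } for  pid=1308 comm="exe" path="/bin/dash" dev="vda1" ino=1164530 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type:level)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "target": fields.get("path") or fields.get("name") or "?",
        # permissive=0 means the access was actually blocked, =1 only logged
        "enforced": fields.get("permissive") == "0",
    }


def diagnose(rec):
    """Classify a denial by root cause (heuristic names are this example's own)."""
    if rec["ttype"] == "unlabeled_t":
        # The kernel has no label for the object (overlay root, nsfs files).
        # That is a labeling gap; an audit2allow rule against unlabeled_t
        # would grant access to everything else that is unlabeled too.
        return "unlabeled-target"
    if rec["stype"] == "svirt_lxc_net_t" and rec["ttype"] == "docker_var_lib_t":
        # A container process hit image content still carrying the daemon's
        # storage label, i.e. the rootfs was never relabeled for the container.
        return "container-rootfs-not-relabeled"
    return "other"


def triage(audit_text):
    """Return (records, per-rule counts, per-cause counts) for an audit dump."""
    records = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    rules, causes = Counter(), Counter()
    for rec in records:
        for perm in rec["perms"]:
            rules[(rec["stype"], rec["ttype"], rec["tclass"], perm, rec["enforced"])] += 1
        causes[diagnose(rec)] += 1
    return records, rules, causes


if __name__ == "__main__":
    recs, rule_counts, cause_counts = triage(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls, perm, enforced), n in sorted(rule_counts.items()):
        state = "blocked" if enforced else "logged only"
        print(f"{n}x {src} -> {tgt} {cls}:{perm} ({state})")
    for cause, n in cause_counts.most_common():
        print(f"{cause}: {n}")
```

Feed it the output of `ausearch -m avc -ts recent` to see which denials were merely logged in permissive mode and which ones actually blocked the container.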

