Bug 1219082 - Docker can't talk to firewalld via D-Bus
Summary: Docker can't talk to firewalld via D-Bus
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-06 14:23 UTC by Jakub Čajka
Modified: 2015-09-25 07:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-25 07:58:07 UTC
Type: Bug
Embargoed:



Description Jakub Čajka 2015-05-06 14:23:13 UTC
Description of problem:
docker service fails to start

Version-Release number of selected component (if applicable):
1.7.0-5.git56481a3

How reproducible:
Always

Steps to Reproduce:
1. (build docker,) install docker
2. systemctl start docker


Actual results:
docker fails to start
log snip:
May 06 11:32:52 localhost.localdomain systemd[1]: Starting Docker Application Container Engine...
May 06 11:32:52 localhost.localdomain docker[26903]: time="2015-05-06T11:32:52.879011973+02:00" level=info msg="Listening for HTTP on unix (/var/run/docker.sock)"
May 06 11:32:52 localhost.localdomain docker[26903]: time="2015-05-06T11:32:52.951306791+02:00" level=error msg="WARNING: No --storage-opt dm.thinpooldev specified, using loopback; this configuration is strongly discouraged for production use"
May 06 11:32:53 localhost.localdomain docker[26903]: time="2015-05-06T11:32:53.011267656+02:00" level=info msg="[graphdriver] using prior storage driver \"devicemapper\""
May 06 11:32:53 localhost.localdomain audit[519]: <audit-1107> pid=519 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fedoraproject.FirewallD1 member=getDefaultZone dest=org.fedoraproject.FirewallD1 spid=26903 tpid=516 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
May 06 11:32:53 localhost.localdomain audit[519]: <audit-1107> pid=519 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.43 spid=516 tpid=26903 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
May 06 11:32:53 localhost.localdomain audit[519]: <audit-1107> pid=519 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.DBus.Error.ServiceUnknown dest=:1.43 spid=516 tpid=26903 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
May 06 11:34:22 localhost.localdomain systemd[1]: docker.service start operation timed out. Terminating.
May 06 11:34:23 localhost.localdomain docker[26903]: time="2015-05-06T11:34:22.918018067+02:00" level=info msg="Received signal 'terminated', starting shutdown of docker..."
May 06 11:34:23 localhost.localdomain systemd[1]: Failed to start Docker Application Container Engine.
May 06 11:34:23 localhost.localdomain systemd[1]: Unit docker.service entered failed state.
May 06 11:34:23 localhost.localdomain systemd[1]: docker.service failed.

audit2allow -a output:

#============= docker_t ==============
allow docker_t firewalld_t:dbus send_msg;

#============= firewalld_t ==============
allow firewalld_t docker_t:dbus send_msg;
allow firewalld_t firewalld_etc_rw_t:file relabelto;

Expected results:
docker starts

Additional info:
After adding the SELinux module created using audit2allow -a -M, docker starts (and seems to work fine), but there are some errors in the log:

May 06 11:56:05 localhost.localdomain systemd[1]: Starting Docker Application Container Engine...
May 06 11:56:05 localhost.localdomain docker[27037]: time="2015-05-06T11:56:05.494231412+02:00" level=info msg="Listening for HTTP on unix (/var/run/docker.sock)"
May 06 11:56:05 localhost.localdomain docker[27037]: time="2015-05-06T11:56:05.498346671+02:00" level=error msg="WARNING: No --storage-opt dm.thinpooldev specified, using loopback; this configuration is strongly discouraged for production use"
May 06 11:56:05 localhost.localdomain docker[27037]: time="2015-05-06T11:56:05.572948587+02:00" level=info msg="[graphdriver] using prior storage driver \"devicemapper\""
May 06 11:56:05 localhost.localdomain docker[27037]: time="2015-05-06T11:56:05.593752391+02:00" level=info msg="Firewalld running: true"
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain audit: <audit-1325> table=nat family=2 entries=57
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain /firewalld[516]: 2015-05-06 11:56:05 ERROR: COMMAND_FAILED: '/sbin/iptables -w -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain audit: <audit-1325> table=nat family=2 entries=57
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain audit: <audit-1325> table=nat family=2 entries=56
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain /firewalld[516]: 2015-05-06 11:56:05 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain /firewalld[516]: 2015-05-06 11:56:05 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -D PREROUTING -j DOCKER' failed: iptables: No chain/target/match by that name.
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain /firewalld[516]: 2015-05-06 11:56:05 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -D OUTPUT -j DOCKER' failed: iptables: No chain/target/match by that name.
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain audit: <audit-1325> table=nat family=2 entries=55
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain audit: <audit-1325> table=nat family=2 entries=55
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain /firewalld[516]: 2015-05-06 11:56:05 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -n -L DOCKER' failed: iptables: No chain/target/match by that name.
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain audit: <audit-1325> table=nat family=2 entries=53
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain /firewalld[516]: 2015-05-06 11:56:05 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -C PREROUTING -m addrtype --dst-type LOCAL' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain audit: <audit-1325> table=nat family=2 entries=55
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain /firewalld[516]: 2015-05-06 11:56:05 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -C OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain audit: <audit-1325> table=nat family=2 entries=56
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:05 localhost.localdomain dbus[519]: [system] Rejected send message, 7 matched rules; type="error", sender=":1.2" (uid=0 pid=516 comm="/usr/bin/python3 -Es /usr/sbin/firewalld --nofork ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.45" (uid=0 pid=27037 comm="/usr/bin/docker -d --selinux-enabled ")
May 06 11:56:06 localhost.localdomain systemd[1]: Scope libcontainer-27037-systemd-test-default-dependencies.scope has no PIDs. Refusing.
May 06 11:56:06 localhost.localdomain docker[27037]: time="2015-05-06T11:56:06.093964660+02:00" level=info msg="Loading containers: start."
May 06 11:56:06 localhost.localdomain docker[27037]: ....
May 06 11:56:06 localhost.localdomain docker[27037]: time="2015-05-06T11:56:06.108562743+02:00" level=info msg="Loading containers: done."
May 06 11:56:06 localhost.localdomain docker[27037]: time="2015-05-06T11:56:06.108979702+02:00" level=info msg="Daemon has completed initialization"
May 06 11:56:06 localhost.localdomain docker[27037]: time="2015-05-06T11:56:06.109369180+02:00" level=info msg="Docker daemon" commit=e27bf5b execdriver=native-0.2 graphdriver=devicemapper version=1.7.0-dev
May 06 11:56:06 localhost.localdomain systemd[1]: Started Docker Application Container Engine.
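The AVC denials in the first log snippet are what audit2allow turns into the two send_msg rules shown above. As an added example (not part of the bug report), the parser below derives those rules from the pasted journal lines: it extracts source type, target type, object class and permissions from each `avc: denied` record and merges them per source type, the way audit2allow prints them. The sample journal is constructed from the report (abridged).

```python
import re
from collections import defaultdict

# Constructed sample: the D-Bus AVC denials from the bug report, abridged to the relevant fields.
SAMPLE_JOURNAL = """\
May 06 11:32:52 localhost.localdomain systemd[1]: Starting Docker Application Container Engine...
May 06 11:32:53 localhost.localdomain audit[519]: <audit-1107> pid=519 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fedoraproject.FirewallD1 member=getDefaultZone dest=org.fedoraproject.FirewallD1 spid=26903 tpid=516 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus
May 06 11:32:53 localhost.localdomain audit[519]: <audit-1107> pid=519 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.43 spid=516 tpid=26903 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=dbus
May 06 11:32:53 localhost.localdomain audit[519]: <audit-1107> pid=519 uid=81 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.DBus.Error.ServiceUnknown dest=:1.43 spid=516 tpid=26903 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=dbus
May 06 11:34:22 localhost.localdomain systemd[1]: docker.service start operation timed out. Terminating.
"""

# Matches the permission set in braces and the three context fields of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Extract the type field from a user:role:type:level SELinux context."""
    return context.split(":")[2]


def parse_denials(text):
    """Return a list of (source_type, target_type, tclass, perms) for each AVC denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (systemd, docker, dbus lines are skipped)
        perms = frozenset(m.group("perms").split())
        denials.append((selinux_type(m.group("scontext")),
                        selinux_type(m.group("tcontext")),
                        m.group("tclass"), perms))
    return denials


def allow_rules(denials):
    """Merge denials into allow rules, grouped per source type as audit2allow prints them."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = defaultdict(list)
    for (src, tgt, cls), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        joined = joined if len(perms) == 1 else "{ " + joined + " }"
        rules[src].append(f"allow {src} {tgt}:{cls} {joined};")
    return dict(rules)


if __name__ == "__main__":
    for src, lines in allow_rules(parse_denials(SAMPLE_JOURNAL)).items():
        print(f"#============= {src} ==============")
        print("\n".join(lines))
```

Both method_return and error messages from firewalld_t collapse into the single `allow firewalld_t docker_t:dbus send_msg;` rule, which is why the reverse direction appears once in the audit2allow output even though two denials were logged.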

Comment 1 Jakub Čajka 2015-05-11 08:52:47 UTC
Still occurring with latest build of docker
docker-1.7.0-6.git56481a3.fc23.x86_64
selinux-policy-3.13.1-127.fc23.noarch

Comment 2 Jiri Popelka 2015-05-11 12:27:36 UTC
Yes, docker needs to be allowed to talk to firewalld via D-Bus, see also
https://github.com/docker/docker/commit/8301dcc6d702a97feeb968ee79ae381fd8a4997a

Comment 3 Jan Kurik 2015-07-15 14:11:26 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 4 Daniel Walsh 2015-07-21 17:50:45 UTC
We have everything except relabelto.

 sesearch -A -s firewalld_t | grep relabel
   allow firewalld_t firewalld_etc_rw_t : file { ioctl read write create getattr setattr lock relabelfrom append unlink link rename open } ; 

Do we actually need this? I see no AVC that mentions it.

Comment 5 Suren Karapetyan 2015-09-01 14:18:23 UTC
I'm hitting this on F22 with:

docker-io-1.7.1-3.git33de319.fc21.x86_64
selinux-policy-3.13.1-105.20.fc21.noarch

Comment 6 Daniel Walsh 2015-09-02 10:53:52 UTC
Should be fixed in docker-io-1.8.1-2.git32b8b25.fc21

Comment 7 Jakub Čajka 2015-09-02 12:16:59 UTC
Sorry for long notice..., feel free to close the bug.

Comment 8 Pavel Raiskup 2015-09-02 14:01:53 UTC
(In reply to Suren Karapetyan from comment #5)
> I'm hitting this on F22 with:
> 
> docker-io-1.7.1-3.git33de319.fc21.x86_64
> selinux-policy-3.13.1-105.20.fc21.noarch

I've been bitten by this on F21 too because I didn't have selinux-policy-io
installed. Isn't this a packaging issue?

Comment 9 Pavel Raiskup 2015-09-02 14:02:41 UTC
Sorry, s/selinux-policy-io/docker-io-selinux/.

Comment 10 Daniel Walsh 2015-09-02 15:24:03 UTC
I am not sure if we are shipping docker-selinux in fedora 21.  I know we are in F22 and F23.  F21 will soon be EOL.

Comment 11 Suren Karapetyan 2015-09-02 18:36:10 UTC
Just installed docker-io-selinux-1.7.1-3.git33de319.fc21.x86_64 (it's shipped with Fedora 21) and it fixed the issue. Thanks @pavel.

Comment 12 Fedora Update System 2015-09-14 10:38:00 UTC
selinux-policy-3.13.1-147.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15804

Comment 13 Fedora Update System 2015-09-14 17:50:36 UTC
selinux-policy-3.13.1-147.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15804

Comment 14 Fedora Update System 2015-09-25 07:57:59 UTC
selinux-policy-3.13.1-147.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
