Description of problem:
SELinux is preventing docker from 'unlink' accesses on the file state.json.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that docker should be allowed unlink access on the state.json file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:docker_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                state.json [ file ]
Source                        docker
Source Path                   docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.0.2-300.fc22.x86_64 #1 SMP Thu May 7 16:05:02 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-05-13 14:34:31 PDT
Last Seen                     2015-05-13 14:34:54 PDT
Local ID                      fec28122-8821-47b3-be53-6d638d35d295

Raw Audit Messages
type=AVC msg=audit(1431552894.530:2107): avc: denied { unlink } for pid=5916 comm="docker" name="state.json" dev="tmpfs" ino=131777 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Hash: docker,docker_t,var_run_t,file,unlink

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.2-300.fc22.x86_64
type:           libreport
*** Bug 1221460 has been marked as a duplicate of this bug. ***
*** Bug 1222316 has been marked as a duplicate of this bug. ***
*** Bug 1222467 has been marked as a duplicate of this bug. ***
Description of problem:
docker-compose up

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.7-200.fc21.x86_64
type:           libreport
*** Bug 1224040 has been marked as a duplicate of this bug. ***
*** Bug 1215128 has been marked as a duplicate of this bug. ***
*** Bug 1222669 has been marked as a duplicate of this bug. ***
*** Bug 1221966 has been marked as a duplicate of this bug. ***
Lokesh we need updated docker-1.6.2 packages with latest docker-selinux.pp files in F22 and F21.
*** Bug 1218138 has been marked as a duplicate of this bug. ***
*** Bug 1216265 has been marked as a duplicate of this bug. ***
*** Bug 1215686 has been marked as a duplicate of this bug. ***
*** Bug 1207537 has been marked as a duplicate of this bug. ***
*** Bug 1227906 has been marked as a duplicate of this bug. ***
*** Bug 1229207 has been marked as a duplicate of this bug. ***
*** Bug 1229273 has been marked as a duplicate of this bug. ***
Just upgraded to fedora-atomic 22.11 (testing). selinux-policy is the latest one:

-bash-4.3# rpm -q selinux-policy
selinux-policy-3.13.1-128.1.fc22.noarch

However, again I can not execute commands inside the docker containers while SELinux is in Enforcing mode.

-bash-4.3# getenforce
Enforcing
-bash-4.3# docker exec -ti registry bash
-bash-4.3#
-bash-4.3# setenforce 0
-bash-4.3# getenforce
Permissive
-bash-4.3# docker exec -ti registry bash

Check the description of Bug 1229207 for details.
-bash-4.3# setenforce 0
-bash-4.3# getenforce
Permissive
-bash-4.3# docker exec -ti registry bash
nobody@registry:/go/src/github.com/docker/distribution$
This is a docker issue. You need at least docker-1.6.2
Is there a schedule for the publication of that version docker-1.6.2 (modified by Redhat)? Please push updates soon, because Docker has been unusable (in some use cases) on RHEL/CentOS and Fedora for one month.
(In reply to Daniel Walsh from comment #19)
> This is an docker issue.
>
> You need at least docker-1.6.2

Why do you believe it is an issue with docker? I mean, when I switch SELinux to Permissive, it works. However, when I updated docker on my Fedora-atomic 22.30 to 1.6.2 I still encounter the same issue.

-bash-4.3# ostree admin status
* fedora-atomic 7d87cf22aa0f98a8d0f17f79f670b5bb30373c8f5b75a2f2b508891ebffd69af.0
    Version: 22.30
    origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/docker-host
  fedora-atomic 154fc5fb54496aad198591bbb1d24bee7466316696e9d50d151471f8e8f88aef.0
    Version: 22.11
    origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/testing/docker-host

-bash-4.3# docker version
Client version: 1.6.2
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 7c8fca2
OS/Arch (client): linux/amd64
Server version: 1.6.2
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 7c8fca2
OS/Arch (server): linux/amd64

-bash-4.3# docker ps
CONTAINER ID   IMAGE               COMMAND                CREATED        STATUS         PORTS                         NAMES
fc32a44d2583   registry:2.0        "registry cmd/regist   26 hours ago   Up 5 minutes   172.16.3.171:5000->5000/tcp   registry
bd32ff68d319   cockpit/ws:latest   "/container/atomic-r   2 days ago     Up 5 minutes                                 cockpit

-bash-4.3# getenforce
Enforcing
-bash-4.3# docker exec -ti registry bash
-bash-4.3# docker exec -ti registry bash
-bash-4.3# docker exec -ti registry bash
-bash-4.3#

This is what audit logs when I try to execute the above:

Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied { read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
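Added example, not part of this bug report and not setroubleshoot's or docker's own code: a small Python parser that reads raw AVC denial lines like the two quoted in this thread (the docker_t unlink on state.json from the first report, and the svirt_lxc_net_t read/write on /dev/pts/2 from the atomic host above), reduces each to the comm,source_type,target_type,tclass,perms signature that the report's "Hash:" line uses, and says whether the access was actually blocked (permissive=0) or only logged (permissive=1). The sample lines are copied from this thread; the KNOWN_SIGNATURES notes summarise the thread's own conclusion (updated docker with the docker-selinux policy), and the function and variable names are this example's, not any tool's.

```python
import re

# Constructed sample input: the two raw AVC messages quoted in this bug
# report (one logged in Permissive mode, one in Enforcing mode) plus one
# unrelated journal line to show that non-AVC lines are skipped.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1431552894.530:2107): avc: denied { unlink } for '
    'pid=5916 comm="docker" name="state.json" dev="tmpfs" ino=131777 '
    'scontext=system_u:system_r:docker_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'Jun 11 15:51:05 atomic-1 audit[1479]: <audit-1400> avc: denied '
    '{ read write } for pid=1479 comm="bash" path="/dev/pts/2" dev="devpts" '
    'ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c838,c959 '
    'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0',
    'Jun 11 15:51:06 atomic-1 systemd[1]: Started Docker Application Container Engine.',
]

# Signatures discussed in this thread, in the same comm,source,target,class,
# perms form as the setroubleshoot "Hash:" line. The notes restate the
# thread's conclusion; they are not from any external database.
KNOWN_SIGNATURES = {
    "docker,docker_t,var_run_t,file,unlink":
        "tracked by this bug; fixed by the docker-selinux policy shipped with newer docker",
    "bash,svirt_lxc_net_t,docker_devpts_t,chr_file,read,write":
        "docker exec tty denial on atomic host; same fix (docker-selinux)",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a context, e.g. 'docker_t' from
    'system_u:system_r:docker_t:s0'. MCS categories after the level
    (':c838,c959') are dropped, so every container on a host maps to the
    same signature."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass", "?"),
        # permissive=1: logged but still allowed; permissive=0: really blocked.
        "blocked": fields.get("permissive") == "0",
        "object": fields.get("name") or fields.get("path") or "?",
    }


def denial_signature(avc):
    """Build the comm,source_type,target_type,tclass,perm[,perm...] signature."""
    return ",".join([avc["comm"], avc["source_type"], avc["target_type"],
                     avc["tclass"]] + avc["perms"])


def triage(lines):
    """Collapse a batch of audit lines into one entry per signature with a
    hit count, whether any hit was actually blocked, the objects involved,
    and the note for signatures known from this report."""
    summary = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        sig = denial_signature(avc)
        entry = summary.setdefault(sig, {
            "count": 0, "blocked": False, "objects": set(),
            "note": KNOWN_SIGNATURES.get(sig, "unknown; inspect before writing a local module"),
        })
        entry["count"] += 1
        entry["blocked"] = entry["blocked"] or avc["blocked"]
        entry["objects"].add(avc["object"])
    return summary


if __name__ == "__main__":
    for sig, entry in triage(SAMPLE_AVCS).items():
        state = "BLOCKED" if entry["blocked"] else "audit-only"
        print(f"{sig}: x{entry['count']} {state} {sorted(entry['objects'])} -> {entry['note']}")
```

Running it over a real audit.log (`python3 avc_triage.py < /var/log/audit/audit.log` after swapping SAMPLE_AVCS for sys.stdin) gives one line per distinct denial instead of one per event, which is what you want before deciding whether a denial is this known packaging bug or something that still needs a policy change; the `blocked` flag is also the quick way to tell the Permissive-mode report at the top of this thread (logged, allowed) from the Enforcing-mode failure on the atomic host (logged, blocked).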
Docker ships with its own SELinux package now.
Could you try out https://admin.fedoraproject.org/updates/FEDORA-2015-9797/docker-1.7.0-4.git5b82e1d.fc22

yum -y update docker --enablerepo=updates-testing
Thank you Dan! This package is included in Fedora-atomic 22.12 (testing). So, I did an upgrade. The problem has been resolved.

-bash-4.3# ostree admin status
* fedora-atomic 9aec321c52c1aed0c8016cd79e7e777ab0cdcc022e425105ec12c8cf0601c820.0
    Version: 22.12
    origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/testing/docker-host
  fedora-atomic 154fc5fb54496aad198591bbb1d24bee7466316696e9d50d151471f8e8f88aef.0
    Version: 22.11
    origin refspec: fedora-atomic:fedora-atomic/f22/x86_64/testing/docker-host

-bash-4.3# docker exec -ti registry bash
root@registry:/go/src/github.com/docker/distribution# exit
-bash-4.3#

As you already stated, there is a separate SELinux package for Docker: docker-selinux-1.7.0-4.git5b82e1d.fc22.x86_64

Thanks again for the assistance!
docker-selinux is not available in Fedora 22. This is still a bug:

No package docker-selinux available.

[stef@dragon kubernetes]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-128.1.fc22.noarch
[stef@dragon kubernetes]$ rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64
I updated it from updates-testing to get it.
Yes it is in updates-testing.
dnf -y update docker --enablerepo=updates-testing