Description of problem: Running docker run commands as a confined selinux root user. SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that docker should be allowed write access on the docker.sock sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep docker /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 Target Context system_u:object_r:docker_var_run_t:s0 Target Objects docker.sock [ sock_file ] Source docker Source Path /usr/bin/docker Port <Unknown> Host (removed) Source RPM Packages docker-1.7.1-8.gitb6416b7.fc22.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-128.8.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.2.0-0.rc2.git0.1.local.fc23.x86_64 #1 SMP Sat Jul 18 23:10:42 ACST 2015 x86_64 x86_64 Alert Count 10 First Seen 2015-08-14 15:49:23 ACST Last Seen 2015-08-14 16:48:10 ACST Local ID 8c598d76-f4e8-42f9-a808-3a40894513a7 Raw Audit Messages type=AVC msg=audit(1439536690.215:565): avc: denied { write } for pid=27409 comm="docker" name="docker.sock" dev="tmpfs" ino=52076 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=1 type=AVC msg=audit(1439536690.215:565): avc: denied { connectto } for pid=27409 comm="docker" path="/run/docker.sock" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket permissive=1 type=SYSCALL msg=audit(1439536690.215:565): arch=x86_64 syscall=connect success=yes exit=0 a0=6 a1=c20802e490 a2=17 a3=0 items=0 ppid=27391 pid=27409 auid=1343600009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm=docker exe=/usr/bin/docker subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) Hash: docker,sysadm_t,docker_var_run_t,sock_file,write Version-Release number of selected component: selinux-policy-3.13.1-128.8.fc22.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.0-0.rc2.git0.1.local.fc23.x86_64 type: libreport
We should add this, but with current docker, talking to the docker daemon gives you full root access. At least on targeted policy systems.
When you say full root, do you mean "privileges beyond the confines of sysadm_t"?
docker run -ti --privilged -v /:/host fedora chroot /host WIll give you a process running as root with spc_t label, which is an unconfined label. So yes more powerful then sysadm_t, (But only slightly)
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Created pull request https://github.com/fedora-selinux/selinux-policy/pull/137
merged.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
selinux-policy-3.13.1-208.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.