Bug 1266325 - SELinux is preventing exe from 'entrypoint' accesses on the file /bin/dash.
SELinux is preventing exe from 'entrypoint' accesses on the file /bin/dash.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
22
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:043a7719579978310ce7ec8e21c...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-25 00:01 EDT by Joshua Rich
Modified: 2015-10-28 12:26 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-128.18.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-28 12:26:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Joshua Rich 2015-09-25 00:01:21 EDT
Description of problem:
Since the most recent docker and docker-selinux updates:

docker-1.8.2-1.gitf1db8f2.fc22.x86_64
docker-selinux-1.8.2-1.gitf1db8f2.fc22.x86_64

When I go to rebuild some of my docker containers, I get an error similar to this for what looks like any RUN line in my Dockerfile.  I'm running SELinux in enforcing mode and using the overlayfs storage driver for Docker.  Before the upgrades above, this setup was able to generate containers without issues.

If I disable SELinux, containers build fine.
Since the most recent docker and docker-selinux updates:

docker-1.8.2-1.gitf1db8f2.fc22.x86_64
docker-selinux-1.8.2-1.gitf1db8f2.fc22.x86_64

When I go to rebuild some of my docker containers, I get an error similar to this for what looks like any RUN line in my Dockerfile.  I'm running SELinux in enforcing mode and using the overlayfs storage driver for Docker.  Before the upgrades above, this setup was able to generate containers without issues.

If I disable SELinux, containers build fine.

SELinux is preventing exe from 'entrypoint' accesses on the file /bin/dash.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/bin/dash default label should be shell_exec_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /bin/dash

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that exe should be allowed entrypoint access on the dash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:spc_t:s0
Target Context                system_u:object_r:docker_var_lib_t:s0
Target Objects                /bin/dash [ file ]
Source                        exe
Source Path                   exe
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.7-200.fc22.x86_64 #1 SMP Mon
                              Sep 14 20:19:24 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-09-25 12:32:29 AEST
Last Seen                     2015-09-25 13:57:00 AEST
Local ID                      0e25455e-2d8a-4519-85fe-b412c7a9bb82

Raw Audit Messages
type=AVC msg=audit(1443153420.130:1111): avc:  denied  { entrypoint } for  pid=11334 comm="exe" path="/bin/dash" dev="dm-1" ino=3935470 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0


Hash: exe,spc_t,docker_var_lib_t,file,entrypoint

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-200.fc22.x86_64
type:           libreport
Comment 1 Daniel Walsh 2015-09-25 09:45:53 EDT
Should be fixed in docker-1.8.2-4.gitcb216be.fc22

yum update docker --enable=updates-testing
Comment 2 Fedora Update System 2015-10-09 10:16:52 EDT
selinux-policy-3.13.1-128.18.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-946cd8d690
Comment 3 Fedora Update System 2015-10-09 19:22:31 EDT
selinux-policy-3.13.1-128.18.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-946cd8d690
Comment 4 Fedora Update System 2015-10-28 12:26:06 EDT
selinux-policy-3.13.1-128.18.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.