Description of problem: The system doesn't have any selinux policy for Docker which leads to denials:

```
[root@cloudhost ~]# systemctl start docker
Failed to start docker.service: Access denied
```

```
Oct 10 13:57:58 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
```

Version-Release number of selected component (if applicable):
Done from beta cloud image: http://mirror.sfo12.us.leaseweb.net/fedora/linux/releases/test/23_Beta/Cloud/x86_64/Images/Fedora-Cloud-Base-23_Beta-20150915.x86_64.qcow2
selinux-policy-targeted-3.13.1-144.fc23.noarch
docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64

How reproducible: Always

Steps to Reproduce:
Note the steps were done on the serial console of the machine so the "SELinux" lines were spit out to the console.

```
# Start from beta cloud image.
[root@cloudhost ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-144.fc23.noarch
[root@cloudhost ~]# semodule -l | grep docker
[root@cloudhost ~]# dnf install -y docker &> /dev/null
[ 281.815761] SELinux: Class netlink_iscsi_socket not defined in policy.
[ 281.816617] SELinux: Class netlink_fib_lookup_socket not defined in policy.
[ 281.817397] SELinux: Class netlink_connector_socket not defined in policy.
[ 281.818213] SELinux: Class netlink_netfilter_socket not defined in policy.
[ 281.819036] SELinux: Class netlink_generic_socket not defined in policy.
[ 281.819869] SELinux: Class netlink_scsitransport_socket not defined in policy.
[ 281.820784] SELinux: Class netlink_rdma_socket not defined in policy.
[ 281.821610] SELinux: Class netlink_crypto_socket not defined in policy.
[ 281.822297] SELinux: Permission audit_read in class capability2 not defined in policy.
[ 281.823111] SELinux: Class binder not defined in policy.
[ 281.823662] SELinux: the above unknown classes and permissions will be allowed
[root@cloudhost ~]# rpm -q docker-selinux
docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
[root@cloudhost ~]# semodule -l | grep docker
[root@cloudhost ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20707376 Sep 21 20:21 /usr/bin/docker
[root@cloudhost ~]# dnf update selinux-policy-targeted -y &> /dev/null
[root@cloudhost ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-147.fc23.noarch
[root@cloudhost ~]# semodule -l | grep docker
[root@cloudhost ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20707376 Sep 21 20:21 /usr/bin/docker
[root@cloudhost ~]#
```

Actual results: docker.pp is not installed

Expected results: docker.pp should be installed and the docker binary should have the correct context.
Does this fix the problem? dnf -y reinstall docker-selinux
(In reply to Daniel Walsh from comment #1)
> Does this fix the problem?
>
> dnf -y reinstall docker-selinux

Seems to work:

```
[root@cloudhost ~]# dnf -y reinstall docker-selinux
...
...
Reinstalled:
  docker-selinux.x86_64 1:1.8.2-5.gitcb216be.fc23
Complete!
[root@cloudhost ~]# semodule -l | grep docker
docker
[root@cloudhost ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:docker_exec_t:s0 20707376 Sep 21 20:21 /usr/bin/docker
```

But I still get a weird error when trying to start docker:

```
[root@cloudhost ~]# systemctl start docker
Failed to start docker.service: Access denied
[root@cloudhost ~]# journalctl | tail -n 2
Oct 11 14:42:38 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

If I do a `systemctl daemon-reexec` then I am able to start docker just fine, which might be expected.
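The three checks this thread performs by hand (is the `docker` module listed by `semodule -l`, is `/usr/bin/docker` labeled `docker_exec_t`, and is systemd still denying `start` on `docker_unit_file_t` until a `daemon-reexec`) written up as a small POSIX shell diagnostic. This is an added example, not code from the bug report or the docker package; the function names, the remedy strings and the sample inputs used below are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: encodes the three checks this thread
# walks through (docker.pp loaded, /usr/bin/docker labeled docker_exec_t,
# systemd's label cache refreshed).  The helpers take command output as text
# so they can be exercised offline; run_checks runs the real commands as root.

# $1 = output of `semodule -l`; succeeds if a "docker" module is listed
# (some semodule versions print "docker<TAB>version", others just "docker").
docker_module_loaded() {
    printf '%s\n' "$1" | grep -qE '^docker([[:space:]]|$)'
}

# $1 = one `ls -lZ` line; prints the SELinux type (third field of the context).
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# $1 = `ls -lZ /usr/bin/docker` line; succeeds if the binary carries docker_exec_t.
docker_binary_labeled() {
    [ "$(context_type "$1")" = "docker_exec_t" ]
}

# $1 = one USER_AVC audit line; prints the type from its tcontext= field.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Map the three inputs to the remedy the thread arrived at for each state.
# $1 = semodule -l output, $2 = ls -lZ line, $3 = latest USER_AVC line ("" if none)
diagnose() {
    if ! docker_module_loaded "$1"; then
        echo "docker.pp not loaded: dnf -y reinstall docker-selinux"
    elif ! docker_binary_labeled "$2"; then
        echo "/usr/bin/docker mislabeled: restorecon -v /usr/bin/docker"
    elif [ "$(avc_target_type "$3")" = "docker_unit_file_t" ]; then
        echo "systemd still denies start on docker_unit_file_t: systemctl daemon-reexec"
    else
        echo "ok"
    fi
}

# Live mode: gather the same three inputs from the running system (needs root).
run_checks() {
    diagnose "$(semodule -l 2>/dev/null)" "$(ls -lZ /usr/bin/docker 2>/dev/null)" \
             "$(journalctl -q 2>/dev/null | grep USER_AVC | tail -n 1)"
}
if [ "${1:-}" = "--live" ]; then run_checks; fi
```

Run it as `sh check-docker-selinux.sh --live` on the affected host; without `--live` it only defines the functions.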
Yes, this is a known issue. My concern is how you got docker-selinux installed without a docker.pp being installed. Can someone recreate this situation? Did this happen on an initial install or an upgrade?
(In reply to Daniel Walsh from comment #3)
> Yes this is a known issue. My concern is how you got docker-selinux
> installed without a docker.pp being installed.
>
> Can someone recreate this situation. Did this happen on an initial install
> or an upgrade?

This happened starting from the F23 beta cloud image. The steps to reproduce are in the original description. The pertinent information is in the "Version-Release number of selected component (if applicable):" and "Steps to Reproduce:" sections.

mgrepl: I don't understand why this got closed as NOTABUG with no explanation. If it is a known issue then please explain more and point to a git commit or something that describes the resolution.
I apologize. The wrong bug number. Should be moved to docker-selinux.
Miroslav, I am not sure this is a docker-selinux bug, since `dnf -y reinstall docker-selinux` fixes the problem. It seems to be an interaction between docker-selinux and the selinux-policy-targeted package that is causing the problem.

Dusty, do you have the anaconda.log in /root? I wonder if docker-selinux is being installed before selinux-policy-targeted?
(In reply to Daniel Walsh from comment #6)
> Miroslav, I am not sure this is a docker-selinux bug. Since dnf -y
> reinstall docker-selinux fixus the problem.
>
> It seems to be an interaction between docker-selinux and the
> selinux-policy-targeted package that is causing the problem
>
> Dusty do you have the anaconda.log in /root? I wonder if docker-selinux is
> being installed before selinux-policy-targeted?

Since docker (including docker-selinux) gets installed by me after system bringup, the order is selinux-policy-targeted and then docker-selinux.

If either of you would like to recreate, the exact steps are in the description. You can download the cloud image and then simply run the exact steps that I have pasted and observe the behavior. The only risk of something changing is if the version of docker gets newer before you try it.

I just ran through the steps again and noticed something new which is probably a pretty big clue. During the install:

```
  Installing  : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64    7/18
[ 209.073879] SELinux: Class netlink_iscsi_socket not defined in policy.
[ 209.074587] SELinux: Class netlink_fib_lookup_socket not defined in policy.
[ 209.075268] SELinux: Class netlink_connector_socket not defined in policy.
[ 209.075931] SELinux: Class netlink_netfilter_socket not defined in policy.
[ 209.076617] SELinux: Class netlink_generic_socket not defined in policy.
[ 209.077271] SELinux: Class netlink_scsitransport_socket not defined in policy.
[ 209.077970] SELinux: Class netlink_rdma_socket not defined in policy.
[ 209.078607] SELinux: Class netlink_crypto_socket not defined in policy.
[ 209.079269] SELinux: Permission audit_read in class capability2 not defined in policy.
[ 209.080037] SELinux: Class binder not defined in policy.
[ 209.080559] SELinux: the above unknown classes and permissions will be allowed
Failed to resolve allow statement at 757 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
Failed to resolve ast
/usr/sbin/semodule:  Failed!
restorecon: lstat(/var/lib/docker) failed: No such file or directory
warning: %post(docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64) scriptlet failed, exit status 255
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
```
I have a fix I just sent to Lokesh for the `restorecon: lstat(/var/lib/docker) failed: No such file or directory` issue. We need to add `Require(Post) docker` to the selinux package to make sure docker is installed before the post install section of docker-selinux.
Created attachment 1082459: Patch to fix spec file for docker-selinux.
Miroslav, any idea why semodule is failing? docker.spec currently requires selinux-policy-base to be installed?
Ok, it looks like there is a bug in the docker policy if we see:

```
Failed to resolve allow statement at 757 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
Failed to resolve ast
/usr/sbin/semodule:  Failed!
```
I don't see any issues on F24. Lukas, could you please check F23 if you are able to reproduce it?
Hi,

```
[fedora@fedora ~]$ rpm -q selinux-policy
selinux-policy-3.13.1-151.fc23.noarch
[fedora@fedora ~]$ rpm -q --all | grep docker
[fedora@fedora ~]$ sudo semodule -l | grep docker
[fedora@fedora ~]$ sudo dnf install docker
...
...
...
Installed:
  device-mapper-event.x86_64 1.02.107-1.fc23
  device-mapper-event-libs.x86_64 1.02.107-1.fc23
  device-mapper-persistent-data.x86_64 0.5.5-1.fc23
  docker.x86_64 1:1.8.2-7.gitcb216be.fc23
  docker-selinux.x86_64 1:1.8.2-7.gitcb216be.fc23
  libaio.x86_64 0.3.110-5.fc23
  lvm2.x86_64 2.02.130-1.fc23
  lvm2-libs.x86_64 2.02.130-1.fc23
  policycoreutils-python-utils.x86_64 2.4-14.fc23
  xfsprogs.x86_64 3.2.4-1.fc23
[fedora@fedora ~]$ rpm -q --all | grep docker-selinux
docker-selinux-1.8.2-7.gitcb216be.fc23.x86_64
[fedora@fedora ~]$ sudo semodule -l | grep docker
docker
[fedora@fedora ~]$ ps -efZ | grep docker
system_u:system_r:docker_t:s0   root 12498 1 0 09:56 ? 00:00:00 /usr/bin/docker daemon --selinux-enabled
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 fedora 12618 943 0 09:57 pts/0 00:00:00 grep --color=auto docker
[fedora@fedora ~]$ sudo ausearch -m AVC | grep docker
```

I just see this during installation of docker:

```
restorecon: lstat(/var/lib/docker) failed: No such file or directory
warning: %post(docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64) scriptlet failed, exit status 255
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
```
But I believe this problem is connected with refreshing the cache in systemd (in F22 we are using `# systemctl daemon-reexec` to fix it). Could you guys update the libselinux packages and try to restart docker? Thank you!
The restorecon error is caused by docker-selinux not requiring docker for its post install. This has been fixed in latest docker, but not sure if this has made its way into fedora 23 yet. Lokesh?
Lukas, according to the last comment this is fixed in docker-selinux so I am clearing the needinfo flag.

All, there is no new version of docker (with fix) in F23 yet. This doesn't qualify as a blocker but would be nice to have in so that if people install docker on release day they don't get a failure.
Fixed in docker-1.9
A couple of questions/comments:

- is this going to get fixed for 1.8?
- is 1.9 going to overtake 1.8 for f23? i.e. will 1.8 never get released?
- for latest f23 images (since they disabled the updates-testing repo by default) I get docker 1.7, which means I no longer see an issue as long as I don't go grab 1.8 from updates-testing. This is fine as long as 1.8 never gets released to stable repos.
It should be fixed in docker-1.8.2 build, but I am not sure. I am sure it is fixed in docker-1.9. I believe docker-1.8.2 will get released pretty soon after f23 finally gets released. I think it is being held up by the release.
(In reply to Daniel Walsh from comment #19)
> It should be fixed in docker-1.8.2 build, but I am not sure. I am sure it
> is fixed in docker-1.9. I believe docker-1.8.2 will get released pretty
> soon after f23 finally gets released. I think it is being held up by the
> release.

Ok, I think the selinux issue is fixed but I still see this with docker-selinux-1:1.8.2-9.gitbdb52b6.fc23.x86_64:

```
  Installing  : docker-selinux-1:1.8.2-9.gitbdb52b6.fc23.x86_64    9/10
restorecon: lstat(/var/lib/docker) failed: No such file or directory
warning: %post(docker-selinux-1:1.8.2-9.gitbdb52b6.fc23.x86_64) scriptlet failed, exit status 255
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
```

Was the fix you proposed in comment#8 applied?
Ok just confirmed on an F23 system. Now that 1.8.2-7.gitcb216be.fc23 has made it into the updates repo we get the POSTIN failure on docker install. This is what users will experience when installing docker for the first time on Fedora 23.
(In reply to Daniel Walsh from comment #15) > The restorecon error is caused by docker-selinux not requiring docker for > its post install. > > This has been fixed in latest docker, but not sure if this has made its way > into fedora 23 yet. Lokesh? This has been included in 1.8.2-9 git show f3edcb48486ccece8b544bab072ba04e5d8dfec7 commit f3edcb48486ccece8b544bab072ba04e5d8dfec7 Author: Dan Walsh <dwalsh> Date: Tue Oct 13 13:49:54 2015 docker-selinux post requires docker to be installed <correct typo> Signed-off-by: Lokesh Mandvekar <lsm5> diff --git a/docker.spec b/docker.spec index aed5096..49becf9 100644 --- a/docker.spec +++ b/docker.spec @@ -308,10 +308,10 @@ Summary: SELinux policies for Docker BuildRequires: selinux-policy BuildRequires: selinux-policy-devel Requires(post): selinux-policy-base >= %{selinux_policyver} -Requires(post): selinux-policy-targeted >= %{selinux_policyver} Requires(post): policycoreutils Requires(post): policycoreutils-python-utils Requires(post): libselinux-utils +Requires(post): docker Provides: %{repo}-io-selinux %description selinux
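Review bot: The removal of `Requires(post): selinux-policy-targeted >= %{selinux_policyver}` in this hunk is not explained by the commit message, which only describes the added `Requires(post): docker`; either justify dropping the targeted-policy ordering or keep that line, since the remaining `selinux-policy-base` requirement is exactly what was questioned earlier in this bug when `semodule` failed to resolve the docker module. The added `Requires(post): docker` also creates a dependency loop if docker itself pulls in docker-selinux (the `dnf install docker` transactions quoted above install docker-selinux as part of docker), and rpm breaks such loops on its own terms, so ordering alone should not be relied on: the %post should tolerate `/var/lib/docker` being absent (for example `[ -d /var/lib/docker ] && restorecon -R /var/lib/docker`) and end with an explicit `exit 0` so a missing directory no longer fails the scriptlet with status 255, as the logs in this bug show it still does with 1.8.2-9.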
Dan/Lukas, could you take another look at the docker-selinux scriptlet https://pkgs.fedoraproject.org/cgit/docker.git/tree/docker.spec?h=f23#n528
docker-1.8.2-10.git28c300f.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7e1a61e141
docker-1.8.2-10.git28c300f.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with

```
$ su -c 'dnf --enablerepo=updates-testing update docker'
```

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7e1a61e141
docker-1.8.2-10.git28c300f.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.