Description of problem:
Start Oracle XE in docker container:

  $ docker run -d alexeiled/docker-oracle-xe-11g:latest && sleep 180

SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that docker should be allowed write access on the docker.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:docker_var_run_t:s0
Target Objects                docker.sock [ sock_file ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5
                              14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-10-02 11:22:29 CDT
Last Seen                     2015-10-19 10:40:01 CDT
Local ID                      c5bb6279-dd01-447a-9d38-89fa59033353

Raw Audit Messages
type=AVC msg=audit(1445269201.387:2769): avc:  denied  { write } for  pid=13273 comm="docker" name="docker.sock" dev="tmpfs" ino=22487 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0

type=SYSCALL msg=audit(1445269201.387:2769): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20805b090 a2=17 a3=0 items=0 ppid=13272 pid=13273 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: docker,abrt_t,docker_var_run_t,sock_file,write

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.10-200.fc22.x86_64
type:           libreport
How did you get the docker command to run as abrt_t?

ps -eZ | grep docker

It should be running as docker_t?

systemctl restart docker

Should launch it with the right context.

Also make sure docker-selinux is installed properly

dnf -y reinstall docker-selinux
That is what is very strange. It is not running as abrt_t... not sure why the alert is reporting that.

system_u:system_r:docker_t:s0    1819 ?        00:00:28 docker

The abrt_t context continues to be reported even across machine restarts. I reinstalled the docker-selinux package for good measure and received the same error:

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:docker_var_run_t:s0
Target Objects                docker.sock [ sock_file ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5
                              14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      873359c9-9b40-4589-a393-43abcf8ba8a8

Raw Audit Messages
type=AVC msg=audit(1445368929.930:8995): avc:  denied  { write } for  pid=2132 comm="docker" name="docker.sock" dev="tmpfs" ino=1363161 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0

type=SYSCALL msg=audit(1445368929.930:8995): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20808f090 a2=17 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: docker,abrt_t,docker_var_run_t,sock_file,write
Daniel, I just noticed that this error is actually number 4 of 4 when starting the container. The previous 3 are as follows:

SELinux is preventing /u01/app/oracle/product/11.2.0/xe/bin/oracle from execute access on the file /SYSV00000000 (deleted).

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/SYSV00000000 (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /SYSV00000000 (deleted)

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that oracle should be allowed execute access on the SYSV00000000 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep oracle /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c786,c811
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /SYSV00000000 (deleted) [ file ]
Source                        oracle
Source Path                   /u01/app/oracle/product/11.2.0/xe/bin/oracle
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5
                              14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      4e4261d0-ab5f-4981-a0c1-995881b0bc35

Raw Audit Messages
type=AVC msg=audit(1445368929.193:8990): avc:  denied  { execute } for  pid=2075 comm="oracle" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=196608 scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1445368929.193:8990): arch=x86_64 syscall=shmat per=400000 success=no exit=EACCES a0=30000 a1=60000000 a2=0 a3=0 items=0 ppid=2074 pid=2075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=oracle exe=/u01/app/oracle/product/11.2.0/xe/bin/oracle subj=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 key=(null)

Hash: oracle,svirt_lxc_net_t,tmpfs_t,file,execute


SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c786,c811
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ process ]
Source                        abrt-hook-ccpp
Source Path                   /usr/libexec/abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-addon-coredump-helper-2.6.1-5.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5
                              14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      da032ac9-b348-4ee7-8def-c3924571c0a1

Raw Audit Messages
type=AVC msg=audit(1445368929.884:8992): avc:  denied  { sigchld } for  pid=2086 comm="abrt-hook-ccpp" scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0

type=SYSCALL msg=audit(1445368929.884:8992): arch=x86_64 syscall=wait4 success=no exit=EACCES a0=825 a1=7fff5806a7cc a2=0 a3=0 items=0 ppid=31384 pid=2086 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)

Hash: abrt-hook-ccpp,svirt_lxc_net_t,kernel_t,process,sigchld


SELinux is preventing /usr/bin/docker from search access on the directory net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that docker should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5
                              14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      b11c0df0-b169-42d6-81ac-94676b12aebc

Raw Audit Messages
type=AVC msg=audit(1445368929.922:8993): avc:  denied  { search } for  pid=2132 comm="docker" name="net" dev="proc" ino=1193 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1445368929.922:8993): arch=x86_64 syscall=open success=no exit=EACCES a0=c20802c000 a1=80000 a2=0 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: docker,abrt_t,sysctl_net_t,dir,search
This looks like you are running a non privileged container with oracle inside of it? Could you just remove abrt_t. It seems to be taking over the container for some reason. Do the abrt guys know what is going on here?
(In reply to Daniel Walsh from comment #4)
> This looks like you are running a non privileged container with oracle
> inside of it?

Correct. Host user belongs to group docker. Process in the container is running as user oracle.

> Could you just remove abrt_t. It seems to be taking over the container for
> some reason.

What do you mean, remove it?
(In reply to Daniel Walsh from comment #4)
> Do the abrt guys know what is going on here?

It looks like a process within the container crashed and abrtd tried to run `docker inspect $container_id`. See bug #1194280 for more details.

(In reply to Larry O'Leary from comment #4)
> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

(In reply to Larry O'Leary from comment #3)
abrt-hook-ccpp tried to get a backtrace from the crashed process while it was dumping the process' core file. See bug #1245477 for more details.

> SELinux is preventing /u01/app/oracle/product/11.2.0/xe/bin/oracle from execute access on the file /SYSV00000000 (deleted).

If you do not want the SELinux guys to fix this one, we can close this bug report as a duplicate of bug #1194280.
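The attribution question in this thread (the daemon runs as docker_t, yet the denial names abrt_t) can be answered from the raw audit records alone. The script below is an added example written for this page; it is not part of this bug report nor code from docker, abrt or setroubleshoot. It joins the AVC and SYSCALL records that share an audit serial, decodes the hex-encoded path= field of the oracle denial, rebuilds the "Hash:" line setroubleshoot prints, renders the single allow rule that the suggested `grep ... | audit2allow -M mypol` would put into mypol.pp for each denial, and uses pid/ppid together with the source type to say whether the denied process is the daemon or a client started in another domain. The sample input is the three AVC/SYSCALL pairs copied from the alerts above; the daemon pid 1819 and type docker_t come from the reporter's `ps -eZ` output; all function and constant names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: three AVC/SYSCALL pairs copied from the "Raw Audit
# Messages" in this report, one record per line as in /var/log/audit/audit.log.
AUDIT_LOG = """\
type=AVC msg=audit(1445368929.193:8990): avc:  denied  { execute } for  pid=2075 comm="oracle" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=196608 scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1445368929.193:8990): arch=x86_64 syscall=shmat per=400000 success=no exit=EACCES a0=30000 a1=60000000 a2=0 a3=0 items=0 ppid=2074 pid=2075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=oracle exe=/u01/app/oracle/product/11.2.0/xe/bin/oracle subj=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 key=(null)
type=AVC msg=audit(1445368929.922:8993): avc:  denied  { search } for  pid=2132 comm="docker" name="net" dev="proc" ino=1193 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1445368929.922:8993): arch=x86_64 syscall=open success=no exit=EACCES a0=c20802c000 a1=80000 a2=0 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445368929.930:8995): avc:  denied  { write } for  pid=2132 comm="docker" name="docker.sock" dev="tmpfs" ino=1363161 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1445368929.930:8995): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20808f090 a2=17 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
_SERIAL = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # msg=audit(time:serial)
_DENIED = re.compile(r'denied\s+\{([^}]*)\}')       # { perm perm ... }
_HEX = re.compile(r'[0-9A-Fa-f]+')
_STRING_KEYS = ("path", "name", "comm", "exe")


def parse_record(line):
    """Turn one audit record into a dict of its fields.

    The kernel hex-encodes a string field instead of quoting it when the value
    holds spaces or other special characters (the path "/SYSV00000000 (deleted)"
    above), so an unquoted all-hex value under a string key is decoded. Plain
    values are quoted in a real audit.log; setroubleshoot shows SYSCALL fields
    unquoted, hence the all-hex check rather than trusting quotes alone.
    """
    fields = {}
    for key, raw in _KV.findall(line):
        value = raw.strip('"')
        if (not raw.startswith('"') and key in _STRING_KEYS
                and _HEX.fullmatch(value) and len(value) % 2 == 0):
            value = bytes.fromhex(value).decode("utf-8", "replace")
        fields[key] = value
    m = _SERIAL.search(line)
    if not m:
        raise ValueError("no audit serial in record: %r" % line)
    fields["time"], fields["serial"] = m.group(1), int(m.group(2))
    m = _DENIED.search(line)
    if m:
        fields["perms"] = m.group(1).split()
    return fields


def selinux_type(context):
    """Type component of user:role:type:level."""
    return context.split(":")[2]


def correlate(log_text):
    """Join AVC and SYSCALL records by serial; one event per denied permission."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial in sorted(by_serial):
        avc = by_serial[serial].get("AVC")
        sc = by_serial[serial].get("SYSCALL", {})
        if avc is None:
            continue
        for perm in avc["perms"]:
            events.append({
                "serial": serial, "comm": avc["comm"], "pid": int(avc["pid"]),
                "ppid": int(sc["ppid"]) if "ppid" in sc else None,
                "exe": sc.get("exe"), "syscall": sc.get("syscall"),
                "source_type": selinux_type(avc["scontext"]),
                "target_type": selinux_type(avc["tcontext"]),
                "tclass": avc["tclass"], "perm": perm,
                "target": avc.get("name") or avc.get("path"),
            })
    return events


def setroubleshoot_hash(ev):
    """The 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perm."""
    return ",".join([ev["comm"], ev["source_type"], ev["target_type"],
                     ev["tclass"], ev["perm"]])


def allow_rule(ev):
    """The type-enforcement rule audit2allow would write for this one denial."""
    return "allow %s %s:%s %s;" % (ev["source_type"], ev["target_type"],
                                   ev["tclass"], ev["perm"])


def attribute(ev, daemon_pid, daemon_type):
    """Is the denied process the daemon (or its child), and is it in its domain?"""
    if ev["pid"] == daemon_pid or ev["ppid"] == daemon_pid:
        who = "the daemon (pid %d) or its child" % daemon_pid
    else:
        who = "a separate %s process (pid %d, parent %s)" % (ev["exe"], ev["pid"], ev["ppid"])
    if ev["source_type"] == daemon_type:
        return "%s running in its own domain %s" % (who, daemon_type)
    return "%s launched in domain %s, not %s" % (who, ev["source_type"], daemon_type)


if __name__ == "__main__":
    for ev in correlate(AUDIT_LOG):
        print(ev["serial"], setroubleshoot_hash(ev), "->", allow_rule(ev))
        if ev["comm"] == "docker":
            print("    ", attribute(ev, 1819, "docker_t"))
```

For the docker.sock denial the output attributes the connect() to a separate /usr/bin/docker process (pid 2132, parent 2131) in abrt_t rather than to the docker_t daemon, which matches the explanation above that abrtd ran `docker inspect`. Rendering the rule also makes the cost of the catchall suggestion visible: `allow abrt_t docker_var_run_t:sock_file write;` would let abrt's domain, which exists to handle crash dumps of arbitrary processes, connect to the docker control socket, and a client that can talk to that socket can start privileged containers on the host. Fixing the caller (bug #1194280) is the right outcome, not loading mypol.pp.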
*** This bug has been marked as a duplicate of bug 1194280 ***