Bug 1273455 - Docker cannot start containers due to the SELinux policies
Summary: Docker cannot start containers due to the SELinux policies
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-10-20 13:16 UTC by Josef Stribny
Modified: 2016-01-04 05:54 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-10-26 07:57:51 UTC
Type: Bug
Embargoed:



Description Josef Stribny 2015-10-20 13:16:52 UTC
Description of problem:

Docker cannot start a container. Here is an example with docker build, but any docker run would fail (using Dockerfiles from https://github.com/fedora-cloud/Fedora-Dockerfiles.git):

    $ sudo docker build --tag=fedora-django Fedora-Dockerfiles/Django
    Sending build context to Docker daemon 22.02 kB
    Step 0 : FROM fedora
     ---> 85f4e2af80d3
    Step 1 : MAINTAINER http://fedoraproject.org/wiki/Cloud
     ---> Using cache
     ---> d3c1da7dec81
    Step 2 : RUN dnf -y update && dnf clean all
     ---> Running in 961b29510a35
    [8] System error: permission denied
     
     
Here is a policy that can fix it:

    $ cat local.te
     
    module R 1.0;
     
    require {
            type unconfined_service_t;
            type svirt_lxc_net_t;
            class process transition;
    }
     
    #============= unconfined_service_t ==============
     
    #!!!! The file '/usr/bin/bash' is mislabeled on your system.  
    #!!!! Fix with $ restorecon -R -v /usr/bin/bash
    allow unconfined_service_t svirt_lxc_net_t:process transition;
    

This is the log:
     
    $ sudo cat /var/log/audit/audit.log | grep bash
    type=AVC msg=audit(1445344855.353:762): avc:  denied  { transition } for  pid=3099 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c396,c617 tclass=process permissive=0
    type=AVC msg=audit(1445344887.183:778): avc:  denied  { transition } for  pid=3176 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c689,c723 tclass=process permissive=0
    type=AVC msg=audit(1445346035.993:847): avc:  denied  { transition } for  pid=3330 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c913 tclass=process permissive=0


Actual results:
`docker run` command fails.

Expected results:
Docker works as expected with SELinux enabled and without creating custom policy modules.


Additional info:
I found this in the official Vagrant Fedora 23 box.

Comment 1 Daniel Walsh 2015-10-20 14:18:22 UTC
Something went wrong with your docker-selinux install

# yum reinstall docker-selinux
# systemctl restart docker
# ps -eZ | grep docker

Make sure docker is running as docker_t
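
Added example (not code from the report, from Docker or from Fedora's selinux-policy): a small Python triage script for the situation in the description and in this comment. It parses the AVC records quoted in the description, reads the daemon's domain from `ps -eZ` output, and separates the two cases: the daemon running outside docker_t (what this comment asks to check, where the audit2allow rule from the description would only paper over a mislabeled daemon) versus a confined daemon still being denied the transition (a real policy gap). The `ps -eZ` lines, the SYSCALL record and the verdict names are constructed for the example.

```python
import re
from dataclasses import dataclass

# AVC records copied from the bug report's audit.log excerpt; the SYSCALL line
# is a constructed non-AVC record to show that unrelated records are skipped.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1445344855.353:762): avc:  denied  { transition } for  pid=3099 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c396,c617 tclass=process permissive=0',
    'type=AVC msg=audit(1445344887.183:778): avc:  denied  { transition } for  pid=3176 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c689,c723 tclass=process permissive=0',
    'type=AVC msg=audit(1445346035.993:847): avc:  denied  { transition } for  pid=3330 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c913 tclass=process permissive=0',
    'type=SYSCALL msg=audit(1445344855.353:762): arch=c000003e syscall=59 success=no exit=-13 comm="exe"',
]

# Constructed `ps -eZ` output: the broken system from Comment 2, and a healthy
# one where the daemon runs in docker_t as Comment 1 expects.
BROKEN_PS_OUTPUT = """LABEL                                     PID TTY          TIME CMD
system_u:system_r:unconfined_service_t:s0 2010 ?        00:00:00 docker
"""
HEALTHY_PS_OUTPUT = """LABEL                                     PID TTY          TIME CMD
system_u:system_r:docker_t:s0             2010 ?        00:00:00 docker
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type field of an SELinux context user:role:type:level."""
    return ctx.split(":")[2]


@dataclass
class AvcDenial:
    perms: tuple
    fields: dict

    def source_type(self) -> str:
        return context_type(self.fields["scontext"])

    def target_type(self) -> str:
        return context_type(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields.get("tclass", "")


def parse_avc(line: str):
    """Parse one audit.log line; return an AvcDenial, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(perms, fields)


def daemon_type_from_ps(ps_output: str, comm: str = "docker"):
    """Find the SELinux type the daemon runs in, from `ps -eZ` output."""
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[-1] == comm:
            return context_type(parts[0])
    return None


def diagnose(audit_lines, ps_output, expected_daemon_type="docker_t"):
    """Classify process-transition denials against the daemon's actual domain."""
    denials = [d for d in map(parse_avc, audit_lines) if d is not None]
    transitions = [d for d in denials if d.tclass == "process" and "transition" in d.perms]
    daemon_type = daemon_type_from_ps(ps_output)
    report = {
        "daemon_type": daemon_type,
        "daemon_confined": daemon_type == expected_daemon_type,
        "transition_denials": len(transitions),
        "unexpected_sources": sorted({d.source_type() for d in transitions
                                      if d.source_type() != expected_daemon_type}),
    }
    if transitions and not report["daemon_confined"]:
        # The daemon itself is outside its policy domain, so the denial is a
        # symptom: fix the daemon's domain (reinstall docker-selinux, restart
        # docker) instead of allowing unconfined_service_t the transition.
        report["verdict"] = "fix-daemon-domain"
    elif transitions:
        # Daemon confined as expected, yet the transition is denied: that would
        # be a genuine gap in the docker policy worth reporting.
        report["verdict"] = "policy-gap"
    else:
        report["verdict"] = "no-transition-denials"
    return report


if __name__ == "__main__":
    for name, ps in (("broken", BROKEN_PS_OUTPUT), ("healthy", HEALTHY_PS_OUTPUT)):
        print(name, diagnose(SAMPLE_AUDIT_LINES, ps))
```

On a real host the two inputs would come from `/var/log/audit/audit.log` and `ps -eZ`; the point of the verdict split is that the `allow unconfined_service_t svirt_lxc_net_t:process transition` rule suggested by audit2allow in the description grants a transition from an unconfined domain, which is exactly the condition the check in this comment is meant to catch rather than permit.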

Comment 2 Josef Stribny 2015-10-21 10:23:35 UTC
> Make sure docker is running as docker_t


Yes, this is an issue:

$ ps -eZ | grep docker
system_u:system_r:unconfined_service_t:s0 2010 ? 00:00:00 docker


Reinstalling docker-selinux does not help:

$ sudo dnf reinstall docker-selinux
Last metadata expiration check performed 0:05:17 ago on Wed Oct 21 10:17:20 2015.
Dependencies resolved.
========================================================================================================
 Package                Arch           Version                            Repository               Size
========================================================================================================
Reinstalling:
 docker-selinux         x86_64         1:1.8.2-7.gitcb216be.fc23          updates-testing          55 k

Transaction Summary
========================================================================================================

Total download size: 55 k
Is this ok [y/N]: y
Downloading Packages:
docker-selinux-1.8.2-7.gitcb216be.fc23.x86_64.rpm                       243 kB/s |  55 kB     00:00    
--------------------------------------------------------------------------------------------------------
Total                                                                    34 kB/s |  55 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Reinstalling: docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     1/2 
Failed to resolve allow statement at 757 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
Failed to resolve ast
/usr/sbin/semodule:  Failed!
  Erasing     : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     2/2 
  Verifying   : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     1/2 
  Verifying   : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     2/2 

Reinstalled:
  docker-selinux.x86_64 1:1.8.2-7.gitcb216be.fc23                                                       

Complete!


Note the line stating "Failed to resolve allow statement at 757 of /var/lib/selinux/targeted"...

Comment 3 Daniel Walsh 2015-10-21 16:40:42 UTC
Miroslav any ideas?

Comment 4 Miroslav Grepl 2015-10-23 08:29:49 UTC
There needs to be a bug in the docker policy.

Comment 5 Miroslav Grepl 2015-10-23 08:50:57 UTC
I don't see it on my F23 system.

But I checked docker.cil and it is caused by

(allow docker_t spc_t (netlink_iscsi_socket (relabelfrom relabelto)))

Josef,
could you make sure you are up-to-date, with the latest kernel and SELinux packages?

Comment 6 Josef Stribny 2015-10-26 07:57:51 UTC
I ran 'dnf update' and it seems to be fixed. Thanks, closing.

