Bug 1273455 - Docker cannot start containers due to the SELinux policies
Product: Fedora
Classification: Fedora
Component: selinux-policy
Priority: high
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-20 09:16 EDT by Josef Stribny
Modified: 2016-01-04 00:54 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-10-26 03:57:51 EDT
Type: Bug
Description Josef Stribny 2015-10-20 09:16:52 EDT
Description of problem:

Docker cannot start a container; here is an example with `docker build`, but any `docker run` would fail as well (using Dockerfiles from https://github.com/fedora-cloud/Fedora-Dockerfiles.git):

    $ sudo docker build --tag=fedora-django Fedora-Dockerfiles/Django
    Sending build context to Docker daemon 22.02 kB
    Step 0 : FROM fedora
     ---> 85f4e2af80d3
    Step 1 : MAINTAINER http://fedoraproject.org/wiki/Cloud
     ---> Using cache
     ---> d3c1da7dec81
    Step 2 : RUN dnf -y update && dnf clean all
     ---> Running in 961b29510a35
    [8] System error: permission denied
Here is a policy that can fix it:

    $ cat local.te
    module R 1.0;
    require {
            type unconfined_service_t;
            type svirt_lxc_net_t;
            class process transition;
    }
    #============= unconfined_service_t ==============
    #!!!! The file '/usr/bin/bash' is mislabeled on your system.  
    #!!!! Fix with $ restorecon -R -v /usr/bin/bash
    allow unconfined_service_t svirt_lxc_net_t:process transition;

This is the log:

    $ sudo cat /var/log/audit/audit.log | grep bash
    type=AVC msg=audit(1445344855.353:762): avc:  denied  { transition } for  pid=3099 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c396,c617 tclass=process permissive=0
    type=AVC msg=audit(1445344887.183:778): avc:  denied  { transition } for  pid=3176 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c689,c723 tclass=process permissive=0
    type=AVC msg=audit(1445346035.993:847): avc:  denied  { transition } for  pid=3330 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c913 tclass=process permissive=0

Actual results:
`docker run` command fails.

Expected results:
Docker works as expected with SELinux enabled and without created custom policy modules.

Additional info:
I found this in the official Vagrant Fedora 23 box.
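The denials above have a tell-tale shape: the source domain is `unconfined_service_t`, not `docker_t`, trying to transition a process into the container domain `svirt_lxc_net_t`. That points at the daemon being mislabelled rather than at a missing allow rule, so a local module like the one above would only paper over it. The following is an added example, not part of the report or of the docker-selinux package: a small Python triage script that parses AVC records from audit.log text, checks which domain the daemon runs in from a `ps -eZ` line, and flags transitions into a container domain that originate from the wrong domain. The AVC and `ps` sample lines are copied from this report; the extra SYSCALL line is constructed. The name `container_t` is included as an assumption about later policy naming and is not from this page.

```python
import re

# Sample input, constructed for this example: the two AVC lines are copied from the
# report; the SYSCALL line is made up to show that non-AVC records are skipped.
AUDIT_LOG = """\
type=AVC msg=audit(1445344855.353:762): avc:  denied  { transition } for  pid=3099 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c396,c617 tclass=process permissive=0
type=SYSCALL msg=audit(1445344855.353:762): arch=c000003e syscall=59 success=no exit=-13 comm="exe"
type=AVC msg=audit(1445344887.183:778): avc:  denied  { transition } for  pid=3176 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c689,c723 tclass=process permissive=0
"""

# One line of `ps -eZ | grep docker` output, copied from comment 2 of the report.
PS_LINE = "system_u:system_r:unconfined_service_t:s0 2010 ? 00:00:00 docker"

# Fields we care about in an AVC record; permissions are a space-separated list in braces.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# svirt_lxc_net_t is the container domain named in this report; container_t is an
# assumption about the later name and is not taken from the page.
CONTAINER_DOMAINS = ("svirt_lxc_net_t", "container_t")


def domain_of(context):
    """Return the type (third field) of an SELinux context user:role:type:level."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Parse AVC records out of raw audit.log text; non-AVC records are ignored."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["sdomain"] = domain_of(rec["scontext"])
        rec["tdomain"] = domain_of(rec["tcontext"])
        records.append(rec)
    return records


def misplaced_daemon_denials(records, expected_daemon_domain="docker_t"):
    """Denials where something other than the expected daemon domain tried to
    transition a process into a container domain. That pattern means the daemon
    itself runs in the wrong domain, so the fix is correct labelling of the daemon,
    not an allow rule for the observed source domain."""
    return [
        r for r in records
        if r["verdict"] == "denied"
        and r["tclass"] == "process"
        and "transition" in r["perms"]
        and r["tdomain"] in CONTAINER_DOMAINS
        and r["sdomain"] != expected_daemon_domain
    ]


def daemon_domain(ps_line):
    """Domain of a process from one `ps -eZ` line (the context is the first column)."""
    return domain_of(ps_line.split()[0])


def triage(log_text, ps_line, expected_daemon_domain="docker_t"):
    """Combine both checks into one verdict string."""
    bad = misplaced_daemon_denials(parse_avc(log_text), expected_daemon_domain)
    running_as = daemon_domain(ps_line)
    if running_as != expected_daemon_domain or bad:
        return (f"daemon runs as {running_as}, expected {expected_daemon_domain}; "
                f"{len(bad)} container transition denial(s) from the wrong domain -> "
                "fix the daemon's labelling (reinstall the policy module, restorecon, "
                "restart the service); do not add an allow rule")
    return f"daemon runs as {running_as}; no misplaced transition denials"


if __name__ == "__main__":
    print(triage(AUDIT_LOG, PS_LINE))
```

Run against the report's own data, `triage()` reports the daemon running as `unconfined_service_t` with two misplaced transition denials; a healthy host, where `ps -eZ` shows `docker_t` and the log holds no such denials, produces the "no misplaced transition denials" verdict.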
Comment 1 Daniel Walsh 2015-10-20 10:18:22 EDT
Something went wrong with your docker-selinux install.

# yum reinstall docker-selinux
# systemctl restart docker
# ps -eZ | grep docker

Make sure docker is running as docker_t
Comment 2 Josef Stribny 2015-10-21 06:23:35 EDT
> Make sure docker is running as docker_t

Yes, this is an issue:

$ ps -eZ | grep docker
system_u:system_r:unconfined_service_t:s0 2010 ? 00:00:00 docker

Reinstalling docker-selinux does not help:

$ sudo dnf reinstall docker-selinux
Last metadata expiration check performed 0:05:17 ago on Wed Oct 21 10:17:20 2015.
Dependencies resolved.
 Package                Arch           Version                            Repository               Size
 docker-selinux         x86_64         1:1.8.2-7.gitcb216be.fc23          updates-testing          55 k

Transaction Summary

Total download size: 55 k
Is this ok [y/N]: y
Downloading Packages:
docker-selinux-1.8.2-7.gitcb216be.fc23.x86_64.rpm                       243 kB/s |  55 kB     00:00    
Total                                                                    34 kB/s |  55 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Reinstalling: docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     1/2 
Failed to resolve allow statement at 757 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
Failed to resolve ast
/usr/sbin/semodule:  Failed!
  Erasing     : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     2/2 
  Verifying   : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     1/2 
  Verifying   : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     2/2 

  docker-selinux.x86_64 1:1.8.2-7.gitcb216be.fc23                                                       
Note the line stating "Failed to resolve allow statement at 757 of /var/lib/selinux/targeted"...
Comment 3 Daniel Walsh 2015-10-21 12:40:42 EDT
Miroslav any ideas?
Comment 4 Miroslav Grepl 2015-10-23 04:29:49 EDT
There must be a bug in the docker policy.
Comment 5 Miroslav Grepl 2015-10-23 04:50:57 EDT
I don't see it on my F23 system.

But I checked docker.cil and it is caused by

(allow docker_t spc_t (netlink_iscsi_socket (relabelfrom relabelto)))

Could you make sure you are up to date, with the latest kernel and SELinux packages?
Comment 6 Josef Stribny 2015-10-26 03:57:51 EDT
I ran 'dnf update' and it seems to be fixed. Thanks, closing.