Bug 1273455 – Docker cannot start containers due to the SELinux policies

Bug 1273455 - Docker cannot start containers due to the SELinux policies

Summary:	Docker cannot start containers due to the SELinux policies

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	23
Hardware:	Unspecified Unspecified

Priority	high Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2015-10-20 09:16 EDT by Josef Stribny
Modified:	2016-01-04 00:54 EST (History)
CC List:	8 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-10-26 03:57:51 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Josef Stribny 2015-10-20 09:16:52 EDT

Description of problem:

Docker cannot start a container, here is an example with docker build, but any docker run would fail (using Dockerfiles from https://github.com/fedora-cloud/Fedora-Dockerfiles.git):

    $ sudo docker build --tag=fedora-django Fedora-Dockerfiles/Django
    Sending build context to Docker daemon 22.02 kB
    Step 0 : FROM fedora
     ---> 85f4e2af80d3
    Step 1 : MAINTAINER http://fedoraproject.org/wiki/Cloud
     ---> Using cache
     ---> d3c1da7dec81
    Step 2 : RUN dnf -y update && dnf clean all
     ---> Running in 961b29510a35
    [8] System error: permission denied
     
     
Here is a policy that can fix it:

    $ cat local.te
     
    module R 1.0;
     
    require {
            type unconfined_service_t;
            type svirt_lxc_net_t;
            class process transition;
    }
     
    #============= unconfined_service_t ==============
     
    #!!!! The file '/usr/bin/bash' is mislabeled on your system.  
    #!!!! Fix with $ restorecon -R -v /usr/bin/bash
    allow unconfined_service_t svirt_lxc_net_t:process transition;
    

This is the log:
     
    $ sudo cat /var/log/audit/audit.log | grep bash
    type=AVC msg=audit(1445344855.353:762): avc:  denied  { transition } for  pid=3099 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c396,c617 tclass=process permissive=0
    type=AVC msg=audit(1445344887.183:778): avc:  denied  { transition } for  pid=3176 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c689,c723 tclass=process permissive=0
    type=AVC msg=audit(1445346035.993:847): avc:  denied  { transition } for  pid=3330 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c913 tclass=process permissive=0


Actual results:
`docker run` command fails.

Expected results:
Docker works as expected with SELinux enabled and without created custom policy modules.


Additional info:
I did find this in official Vagrant Fedora 23 box.

Comment 1 Daniel Walsh 2015-10-20 10:18:22 EDT

Something went wrong with your docker-selinux install

# yum reinstall docker-selinux
# systemctl restart docker
# ps -eZ | grep docker

Make sure docker is running as docker_t

Comment 2 Josef Stribny 2015-10-21 06:23:35 EDT

> Make sure docker is running as docker_t


Yes, this is an issue:

$ ps -eZ | grep docker
system_u:system_r:unconfined_service_t:s0 2010 ? 00:00:00 docker


Reinstalling docker-selinux does not help:

$ sudo dnf reinstall docker-selinux
Last metadata expiration check performed 0:05:17 ago on Wed Oct 21 10:17:20 2015.
Dependencies resolved.
========================================================================================================
 Package                Arch           Version                            Repository               Size
========================================================================================================
Reinstalling:
 docker-selinux         x86_64         1:1.8.2-7.gitcb216be.fc23          updates-testing          55 k

Transaction Summary
========================================================================================================

Total download size: 55 k
Is this ok [y/N]: y
Downloading Packages:
docker-selinux-1.8.2-7.gitcb216be.fc23.x86_64.rpm                       243 kB/s |  55 kB     00:00    
--------------------------------------------------------------------------------------------------------
Total                                                                    34 kB/s |  55 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Reinstalling: docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     1/2 
Failed to resolve allow statement at 757 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
Failed to resolve ast
/usr/sbin/semodule:  Failed!
  Erasing     : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     2/2 
  Verifying   : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     1/2 
  Verifying   : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                                     2/2 

Reinstalled:
  docker-selinux.x86_64 1:1.8.2-7.gitcb216be.fc23                                                       

Complete!


Note the line stating "Failed to resolve allow statement at 757 of /var/lib/selinux/targeted"...

Comment 3 Daniel Walsh 2015-10-21 12:40:42 EDT

Miroslav any ideas?

Comment 4 Miroslav Grepl 2015-10-23 04:29:49 EDT

There needs to be a bug in the docker policy.

Comment 5 Miroslav Grepl 2015-10-23 04:50:57 EDT

I don't see it on my F23 system.

But I checked docker.cil and it is caused by

(allow docker_t spc_t (netlink_iscsi_socket (relabelfrom relabelto)))

Josef,
could you make sure you are up-to-date. The latest kernel and SELinux packages.

Comment 6 Josef Stribny 2015-10-26 03:57:51 EDT

I ran 'dnf update' and it seems to be fixed. Thanks, closing.

Note You need to log in before you can comment on or make changes to this bug.