Bug 1281271 - docker-1.8.2-7.gitcb216be.fc22.x86_64 cannot exec into a container because of SELinux
Summary: docker-1.8.2-7.gitcb216be.fc22.x86_64 cannot exec into a container because of...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-12 08:27 UTC by Petr Pisar
Modified: 2015-11-13 06:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-12 14:01:13 UTC
Type: Bug
Embargoed:



Description Petr Pisar 2015-11-12 08:27:48 UTC
Running docker "exec -ti THE_ID /bin/bash" returns immediately to the calling shell because of an SELinux policy violation:

Nov 12 09:18:02 dhcp-0-146 setroubleshoot: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11. For complete SELinux messages. run sealert -l 1a3a4130-348a-4d1c-9f50-605b2b649f66
Nov 12 09:18:02 dhcp-0-146 python: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore bash trying to read write access the 11 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol#012# semodule -i mypol.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that bash should be allowed read write access on the 11 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep bash /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Nov 12 09:18:02 dhcp-0-146 setroubleshoot: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11. For complete SELinux messages. run sealert -l 1a3a4130-348a-4d1c-9f50-605b2b649f66
Nov 12 09:18:02 dhcp-0-146 python: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore bash trying to read write access the 11 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol#012# semodule -i mypol.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that bash should be allowed read write access on the 11 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep bash /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Nov 12 09:18:02 dhcp-0-146 setroubleshoot: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11. For complete SELinux messages. run sealert -l 1a3a4130-348a-4d1c-9f50-605b2b649f66
Nov 12 09:18:02 dhcp-0-146 python: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore bash trying to read write access the 11 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol#012# semodule -i mypol.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that bash should be allowed read write access on the 11 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep bash /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Nov 12 09:18:02 dhcp-0-146 setroubleshoot: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11. For complete SELinux messages. run sealert -l 1a3a4130-348a-4d1c-9f50-605b2b649f66
Nov 12 09:18:02 dhcp-0-146 python: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore bash trying to read write access the 11 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol#012# semodule -i mypol.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that bash should be allowed read write access on the 11 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep bash /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Nov 12 09:21:40 dhcp-0-146 docker: time="2015-11-12T09:21:40.019022166+01:00" level=info msg="POST /v1.20/containers/f0401a4ef8d7/exec"
Nov 12 09:21:40 dhcp-0-146 dbus[929]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1300> arch=c000003e syscall=59 success=yes exit=0 a0=c820151440 a1=c820151450 a2=c820015ec0 a3=0 items=0 ppid=12437 pid=12976 auid=4294967295 uid=1001 gid=0 euid=1001 suid=1001 fsuid=1001 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 key=(null)
[...]

I have docker-1.8.2-7.gitcb216be.fc22.x86_64. This looks like bug #1243172.
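
As an added example, not code from this report, from docker or from setroubleshoot: a small Python checker that parses audit AVC records of the shape quoted above and flags the specific denial this bug describes (a container process in svirt_lxc_net_t denied read/write on a docker_devpts_t chr_file). The sample line is the one from the log above; the type names and the helper names are this example's own.

```python
import re

# Constructed sample: the AVC denial quoted in this bug report, in the shape journalctl prints it.
SAMPLE_AVC = (
    'Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } '
    'for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 '
    'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0'
)

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None when the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # Split user:role:type:level so the SELinux type of each side is easy to inspect.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':', 3)
            rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def is_container_pty_denial(rec):
    """True when a container process type is denied access to a docker-labelled pty."""
    return (rec is not None
            and rec['result'] == 'denied'
            and rec.get('tclass') == 'chr_file'
            and rec.get('scontext_type') == 'svirt_lxc_net_t'
            and rec.get('tcontext_type') == 'docker_devpts_t')


def scan(lines):
    """Return the parsed records from `lines` that match the denial described in this bug."""
    return [r for r in map(parse_avc, lines) if is_container_pty_denial(r)]
```

Feeding the output of `journalctl -k` or `/var/log/audit/audit.log` through `scan` lets you confirm the denial is the docker_devpts_t one before reaching for audit2allow, which would otherwise paper over a mislabelled policy module rather than fix it.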

Comment 1 Daniel Walsh 2015-11-12 14:01:13 UTC
yum reinstall docker-selinux

Comment 2 Petr Pisar 2015-11-13 06:14:39 UTC
That helped. Thank you.