Bug 1281271 - docker-1.8.2-7.gitcb216be.fc22.x86_64 cannot exec into a container because of SELinux
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: docker
Assigned To: Lokesh Mandvekar
Reported: 2015-11-12 03:27 EST by Petr Pisar
Modified: 2015-11-13 01:14 EST (History)
Last Closed: 2015-11-12 09:01:13 EST
Type: Bug
Description Petr Pisar 2015-11-12 03:27:48 EST
Running docker "exec -ti THE_ID /bin/bash" returns immediately to the calling shell because of an SELinux policy violation:

Nov 12 09:18:02 dhcp-0-146 setroubleshoot: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11. For complete SELinux messages. run sealert -l 1a3a4130-348a-4d1c-9f50-605b2b649f66
Nov 12 09:18:02 dhcp-0-146 python: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore bash trying to read write access the 11 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol#012# semodule -i mypol.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that bash should be allowed read write access on the 11 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep bash /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Nov 12 09:18:02 dhcp-0-146 setroubleshoot: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11. For complete SELinux messages. run sealert -l 1a3a4130-348a-4d1c-9f50-605b2b649f66
Nov 12 09:18:02 dhcp-0-146 python: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore bash trying to read write access the 11 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol#012# semodule -i mypol.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that bash should be allowed read write access on the 11 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep bash /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Nov 12 09:18:02 dhcp-0-146 setroubleshoot: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11. For complete SELinux messages. run sealert -l 1a3a4130-348a-4d1c-9f50-605b2b649f66
Nov 12 09:18:02 dhcp-0-146 python: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore bash trying to read write access the 11 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol#012# semodule -i mypol.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that bash should be allowed read write access on the 11 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep bash /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Nov 12 09:18:02 dhcp-0-146 setroubleshoot: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11. For complete SELinux messages. run sealert -l 1a3a4130-348a-4d1c-9f50-605b2b649f66
Nov 12 09:18:02 dhcp-0-146 python: SELinux is preventing /usr/bin/bash from 'read, write' accesses on the chr_file /dev/pts/11.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore bash trying to read write access the 11 chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol#012# semodule -i mypol.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that bash should be allowed read write access on the 11 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep bash /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Nov 12 09:21:40 dhcp-0-146 docker: time="2015-11-12T09:21:40.019022166+01:00" level=info msg="POST /v1.20/containers/f0401a4ef8d7/exec"
Nov 12 09:21:40 dhcp-0-146 dbus[929]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1300> arch=c000003e syscall=59 success=yes exit=0 a0=c820151440 a1=c820151450 a2=c820015ec0 a3=0 items=0 ppid=12437 pid=12976 auid=4294967295 uid=1001 gid=0 euid=1001 suid=1001 fsuid=1001 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 key=(null)
[...]

I have docker-1.8.2-7.gitcb216be.fc22.x86_64. This looks like bug #1243172.
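As an added example (not part of this report, of docker, or of docker-selinux), a small parser for AVC records like the ones quoted above: it reduces a journal excerpt to the (source type, target type, class) triples that were denied in enforcing mode and unions their permissions, which is the summary audit2allow works from. The sample log is constructed from the denial in this report plus a second, constructed getattr denial and a non-AVC syscall record.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denial from this report, its repeat, an
# extra constructed denial on the same object, and a non-AVC record to skip.
SAMPLE_LOG = """\
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1400> avc:  denied  { read write } for  pid=12976 comm="bash" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:41 dhcp-0-146 audit: <audit-1400> avc:  denied  { getattr } for  pid=12980 comm="ls" path="/dev/pts/12" dev="devpts" ino=15 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c530 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Nov 12 09:21:40 dhcp-0-146 audit: <audit-1300> arch=c000003e syscall=59 success=yes exit=0 pid=12976 comm="bash" exe="/usr/bin/bash"
"""

# One AVC record: decision, permission set, source/target contexts, class,
# and the optional permissive flag (0 means the access was really blocked).
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def selinux_type(context):
    """user:role:type:range -> type, e.g. svirt_lxc_net_t or docker_devpts_t."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group enforced denials by (source type, target type, class); union the permissions."""
    gaps = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied" or rec["permissive"]:
            continue  # not an AVC, or granted, or permissive-mode noise
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        gaps[key] |= rec["perms"]
    return {k: tuple(sorted(v)) for k, v in gaps.items()}

def as_allow_rules(summary):
    """Render the summary in policy syntax, to compare against what docker-selinux ships."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]
```

On this report's log the summary collapses to a single missing allow for svirt_lxc_net_t on docker_devpts_t:chr_file, a rule the policy package already carries, which is consistent with reinstalling docker-selinux (comment 1) rather than adding a local module.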
Comment 1 Daniel Walsh 2015-11-12 09:01:13 EST
yum reinstall docker-selinux
Comment 2 Petr Pisar 2015-11-13 01:14:39 EST
That helped. Thank you.
