Bug 1298516 - Docker containers won't run on latest SELinux policies
Summary: Docker containers won't run on latest SELinux policies
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-01-14 10:14 UTC by Pawel Veselov
Modified: 2016-02-25 15:12 UTC
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-14 13:52:57 UTC
Type: Bug
Embargoed:



Description Pawel Veselov 2016-01-14 10:14:00 UTC
Description of problem:
Starting previously running docker containers with latest update fails with a number of SELinux failures. Other docker operations fail as well.

Version-Release number of selected component (if applicable):
docker-1.8.2-7.gitcb216be.fc22.x86_64
docker-selinux-1.8.2-7.gitcb216be.fc22.x86_64
selinux-policy-targeted-3.13.1-128.21.fc22.noarch
selinux-policy-3.13.1-128.21.fc22.noarch


How reproducible:
Updated selinux policy from selinux-policy.noarch 3.13.1-128.18.fc22 (large numbers of packages were updated)

Steps to Reproduce:
1. have docker daemon running (--selinux-enabled option is present for daemon)
2. docker create --name=test ubuntu /sbin/init
3. docker start test
4. docker exec -i -t test /bin/bash

Actual results:
`docker start` generates a bunch of SELinux failures, but starts. `docker exec` doesn't start, also due to SELinux.

Expected results:
No SELinux audit failures.

Additional info:

SELinux errors from the point of starting a container, and trying exec:
type=ANOM_PROMISCUOUS msg=audit(1452766375.462:1426): dev=veth64a9a72 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=NETFILTER_CFG msg=audit(1452766375.467:1427): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1428): table=raw family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1429): table=security family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1430): table=mangle family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1431): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1432): table=filter family=10 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1433): table=raw family=10 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1434): table=security family=10 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1435): table=mangle family=10 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1436): table=nat family=10 entries=0
type=AVC msg=audit(1452766375.547:1437): avc:  denied  { mounton } for  pid=28343 comm="init" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1452766375.547:1438): avc:  denied  { mounton } for  pid=28343 comm="init" path="/sys" dev="sysfs" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1452766375.603:1439): avc:  denied  { remount } for  pid=28409 comm="mount" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1452766375.928:1440): avc:  denied  { create } for  pid=29167 comm="mknod" name="ram0-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.931:1441): avc:  denied  { create } for  pid=29170 comm="mknod" name="ram1-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.932:1442): avc:  denied  { create } for  pid=29173 comm="mknod" name="ram2-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.934:1443): avc:  denied  { create } for  pid=29176 comm="mknod" name="ram3-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.935:1444): avc:  denied  { create } for  pid=29179 comm="mknod" name="ram4-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.937:1445): avc:  denied  { create } for  pid=29182 comm="mknod" name="ram5-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.939:1446): avc:  denied  { create } for  pid=29185 comm="mknod" name="ram6-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.940:1447): avc:  denied  { create } for  pid=29188 comm="mknod" name="ram7-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.942:1448): avc:  denied  { create } for  pid=29191 comm="mknod" name="ram8-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.944:1449): avc:  denied  { create } for  pid=29195 comm="mknod" name="ram9-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.946:1450): avc:  denied  { create } for  pid=29198 comm="mknod" name="ram10-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.947:1451): avc:  denied  { create } for  pid=29201 comm="mknod" name="ram11-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.949:1452): avc:  denied  { create } for  pid=29204 comm="mknod" name="ram12-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.950:1453): avc:  denied  { create } for  pid=29207 comm="mknod" name="ram13-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.952:1454): avc:  denied  { create } for  pid=29210 comm="mknod" name="ram14-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.954:1455): avc:  denied  { create } for  pid=29213 comm="mknod" name="ram15-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.955:1456): avc:  denied  { create } for  pid=29216 comm="mknod" name="ram16-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.065:1457): avc:  denied  { create } for  pid=29577 comm="mknod" name="loop0-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.067:1458): avc:  denied  { create } for  pid=29580 comm="mknod" name="loop1-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.071:1459): avc:  denied  { create } for  pid=29584 comm="mknod" name="loop2-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.072:1460): avc:  denied  { create } for  pid=29587 comm="mknod" name="loop3-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.074:1461): avc:  denied  { create } for  pid=29590 comm="mknod" name="loop4-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.076:1462): avc:  denied  { create } for  pid=29593 comm="mknod" name="loop5-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.077:1463): avc:  denied  { create } for  pid=29596 comm="mknod" name="loop6-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.079:1464): avc:  denied  { create } for  pid=29599 comm="mknod" name="loop7-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766383.838:1465): avc:  denied  { read write } for  pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1452766383.838:1466): avc:  denied  { read write } for  pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1452766383.838:1467): avc:  denied  { read write } for  pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1452766383.839:1468): avc:  denied  { read write } for  pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0

Comment 1 Daniel Walsh 2016-01-14 13:52:57 UTC
This looks like you are running systemd or an init system inside of a container.  In order to do this you need to run --privileged.

All of the activity that SELinux is blocking is legit.  You don't want device nodes being created and mount commands executing within a container.

You also need to reinstall docker-selinux

yum reinstall docker-selinux

This is a known bug.
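As an added triage helper (not part of the report or of Fedora's tooling), the script below parses audit AVC records of the kind pasted in the description and collapses them into one line per (command, permission, object class, target type). Run over the report's own records, it shows the pattern Comment 1 refers to: mknod creating block device nodes, mount/init touching /proc and /sys, and bash being denied the pty. The sample is a subset of the log above; the regex field names and the `summarize_denials` helper are this example's own.

```python
import re
from collections import Counter

# Sample input: a subset of the audit records posted in the bug description
# (serials and pids as posted). A non-AVC record is included to show it is skipped.
SAMPLE_AUDIT = """\
type=NETFILTER_CFG msg=audit(1452766375.467:1427): table=filter family=2 entries=0
type=AVC msg=audit(1452766375.547:1437): avc:  denied  { mounton } for  pid=28343 comm="init" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1452766375.603:1439): avc:  denied  { remount } for  pid=28409 comm="mount" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1452766375.928:1440): avc:  denied  { create } for  pid=29167 comm="mknod" name="ram0-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.065:1457): avc:  denied  { create } for  pid=29577 comm="mknod" name="loop0-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766383.838:1465): avc:  denied  { read write } for  pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'type=AVC .*avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = tuple(m.group('perms').split())
    # Keep only the type component of each context (user:role:type:level)
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize_denials(text):
    """Count enforced denials keyed by (comm, perms, tclass, target type) so the
    repeated per-device-node records collapse into a single triage line."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec['permissive'] == '0':
            counts[(rec['comm'], rec['perms'], rec['tclass'], rec['ttype'])] += 1
    return counts

if __name__ == '__main__':
    for (comm, perms, tclass, ttype), n in summarize_denials(SAMPLE_AUDIT).most_common():
        print(f"{n:3d}x {comm:<6} {' '.join(perms):<11} {tclass:<11} -> {ttype}")
```

The same function works on `ausearch -m AVC --raw` output, since the record layout is identical.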
