Description of problem: When doing lvm operations (I think it was lvremove) with an md raid array as the underlying physical storage. SELinux is preventing /usr/sbin/mdadm from 'getattr' accesses on the directory /dev/mqueue. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mdadm should be allowed getattr access on the mqueue directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mdadm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:mdadm_t:s0-s0:c0.c1023 Target Context system_u:object_r:svirt_sandbox_file_t:s0:c72,c169 Target Objects /dev/mqueue [ dir ] Source mdadm Source Path /usr/sbin/mdadm Port <Unknown> Host (removed) Source RPM Packages mdadm-3.3.4-2.fc23.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-158.2.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.3.3-303.fc23.x86_64 #1 SMP Tue Jan 19 18:31:55 UTC 2016 x86_64 x86_64 Alert Count 10 First Seen 2016-01-25 12:14:41 EST Last Seen 2016-01-25 12:27:14 EST Local ID a47e9def-a19e-4090-9e45-7ae663a398c5 Raw Audit Messages type=AVC msg=audit(1453742834.509:8430): avc: denied { getattr } for pid=12316 comm="mdadm" path="/dev/mqueue" dev="mqueue" ino=10135 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c72,c169 tclass=dir permissive=0 type=SYSCALL msg=audit(1453742834.509:8430): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=4 a1=207171b a2=7ffdfec21780 a3=100 items=0 ppid=12315 pid=12316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null) Hash: mdadm,mdadm_t,svirt_sandbox_file_t,dir,getattr Version-Release number of selected component: selinux-policy-3.13.1-158.2.fc23.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.3.3-303.fc23.x86_64 type: libreport
Are you playing with containers?
This looks like you mounted /dev/mqueue into the container with the :Z option? restorecon -F /dev/mqueue Should fix the issue. Not a good idea to relabel devices inside of containers. What were you trying to do and why?
(In reply to Daniel Walsh from comment #2) > This looks like you mounted /dev/mqueue into the container with the :Z > option? No, I don't think so. See below. > restorecon -F /dev/mqueue > > Should fix the issue. Not a good idea to relabel devices inside of > containers. > What were you trying to do and why? I can reproduce this simply be restarting the docker daemon. I have a few third-party containers, but none are running. I don't think any of them are mounting /dev/mqueue, at least not according to their Dockerfiles. Though I haven't followed their dependency chains all the way down. In the host: # ls -ldZ /dev/mqueue drwxrwxrwt. 2 root root system_u:object_r:svirt_sandbox_file_t:s0:c529,c734 40 Jan 28 07:56 /dev/mqueue # restorecon -nvrF /dev/mqueue restorecon: Warning no default label for /dev/mqueue
Ok this looks like a bug. I see it on my system also. # chcon -t device_t -l s0 /dev/mqueue # ls -lZd /dev/mqueue drwxrwxrwt. 2 root root system_u:object_r:device_t:s0 40 Jan 28 13:43 /dev/mqueue # docker run -ti fedora echo hello hello # ls -lZd /dev/mqueue drwxrwxrwt. 2 root root system_u:object_r:svirt_sandbox_file_t:s0:c195,c1001 40 Jan 28 13:43 /dev/mqueue So this looks like docker is labeling /dev/mqueue on the host rather then in the container.
Turns out that /dev/mqueu inside of the container and on the host are the same. # touch /var/lib/docker/containers/db4497550cd75e3670762514f8b25658a9d2624ab9396957dad3cdcf5087092d/mqueue/dan # ls -lZ /var/lib/docker/containers/db4497550cd75e3670762514f8b25658a9d2624ab9396957dad3cdcf5087092d/mqueue /dev/mqueue/ /dev/mqueue/: total 0 -rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 80 Feb 1 04:57 dan /var/lib/docker/containers/db4497550cd75e3670762514f8b25658a9d2624ab9396957dad3cdcf5087092d/mqueue: total 0 -rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 80 Feb 1 04:57 dan
So the bug is that we are treating the mqueue the same was as we do with tmpfs. But mqueue is only one device per namespace. If I go and mount mqueu on /mnt # mount -t mqueue mqueu /mnt # ls -lZ /mnt/ total 0 -rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 80 Feb 1 04:57 dan We are always mount the same mqueu mount point into all containers and then changing the label for the latest container. This causes two problems, all containers could talk via /dev/mqueu, but SELinux will block access to all but the last container.
I think we should remove the sharing of /dev/mqueue between containers for now, until we figure out some other way to handle this.
Openen and issue upstream https://github.com/docker/docker/issues/19871
Dan, so can this be solved by a selinux labeling scheme that allows sharing the same mqueue between a group of containers?
I don't think so, This is not an SELinux issue. this is a mnt namespace issue. You get one mqueue per mount namespace. So to share this between containers you would need to mount the mqueue inside of containers1s namespace and then somehow bind mount from containers1s mount namespace into container2s mount namespace. If you wanted to really hack this out, you would need to make container2s a child of container1s so that it could see the mount point. The reason this worked before is that you were mounting mqueue and tmpfs on the parent to the containers namespaces.
Description of problem: add a P-ATA disk via converter (PATA to USB) onto a USB 3 Serial Bus Version-Release number of selected component: selinux-policy-3.13.1-158.2.fc23.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.8-300.fc23.x86_64 type: libreport
Fixed in docker-1.10.1-8
Docker-1.9 was recently pushed to CentOS 7, and now I have the same issue. cgal ~ $ ls -lZd /dev/mqueue drwxrwxrwt. root root system_u:object_r:svirt_sandbox_file_t:s0:c526,c725 /dev/mqueue Here are the packages versions I run: kernel-3.10.0-327.10.1.el7.x86_64 selinux-policy-3.13.1-60.el7_2.3.noarch selinux-policy-targeted-3.13.1-60.el7_2.3.noarch docker-1.9.1-25.el7.centos.x86_64 And here is the SEtroubleshot mail I received: =============================================================== SELinux is preventing /usr/sbin/mdadm from getattr access on the directory /dev/mqueue. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mdadm should be allowed getattr access on the mqueue directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mdadm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:mdadm_t:s0-s0:c0.c1023 Target Context system_u:object_r:svirt_sandbox_file_t:s0:c526,c72 5 Target Objects /dev/mqueue [ dir ] Source mdadm Source Path /usr/sbin/mdadm Port <Unknown> Host cgal.geometryfactory.com Source RPM Packages mdadm-3.3.2-7.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name cgal.geometryfactory.com Platform Linux cgal.geometryfactory.com 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-04-07 08:38:01 CEST Last Seen 2016-04-07 08:38:01 CEST Local ID 328d1d0f-403c-4d50-a550-4c701bf3c643 Raw Audit Messages type=AVC msg=audit(1460011081.574:1960863): avc: denied { getattr } for pid=7230 comm="mdadm" path="/dev/mqueue" dev="mqueue" ino=7307 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c526,c725 tclass=dir type=SYSCALL msg=audit(1460011081.574:1960863): arch=x86_64 syscall=newfstatat success=no exit=EACCES a0=4 a1=1aa13ab a2=7ffccb6e53a0 a3=100 items=0 ppid=7182 pid=7230 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=47177 comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null) Hash: mdadm,mdadm_t,svirt_sandbox_file_t,dir,getattr =============================================================== Is there a workaround, instead of waiting that Docker-1.10 is pushed to CentOS?
You could have run restorecon -F /dev/mdadm on the device in mdadm init script. Antonio we should look to see if there is an easy fix for this in docker-1.9.
(In reply to Daniel Walsh from comment #14) > You could have run restorecon -F /dev/mdadm on the device in mdadm init > script. That is not the file `/dev/mdadm`: cgal ~ $ sudo restorecon -n -F /dev/mdadm [sudo] password for lrineau on cgal: restorecon: lstat(/dev/mdadm) failed: No such file or directory And the directory `/dev/mqueue` does not have a default label: cgal ~ $ sudo restorecon -n -F /dev/mqueue restorecon: Warning no default label for /dev/mqueue
Sorry about the typo Wonderful. I guess it should be tmpfs_t. chcon -t tmpfs_t -l s0 /dev/mqueu Will fix it. Or just ignore the AVC, until this is fix, or add a dontaudit rule. I don't think mdadm actually uses the /dev/mqueue. It is just listing the files/directories on /dev.
I did changed the context, with `chcon -t tmpfs_t -l s0 /dev/mqueue`, and it did change the context. But it was changed back the next time I started a container: cgal ~ $ stat /dev/mqueue File: ‘/dev/mqueue’ Size: 40 Blocks: 0 IO Block: 4096 directory Device: eh/14d Inode: 7307 Links: 2 Access: (1777/drwxrwxrwt) Uid: ( 0/ root) Gid: ( 0/ root) Context: system_u:object_r:svirt_sandbox_file_t:s0:c9,c496 Access: 2016-04-08 10:41:15.000000000 +0200 Modify: 2016-03-21 17:33:22.584997262 +0100 Change: 2016-04-08 10:46:45.000000000 +0200 Birth: - cgal ~ $ date -d $(docker inspect --format='{{.State.StartedAt}}' 1f96d575232b) Fri Apr 8 10:46:45 CEST 2016 I have used: cgal ~ $ sudo ausearch -m AVC -ts today | audit2allow -D -M local cgal ~ $ cat local.te module local 1.0; require { type svirt_sandbox_file_t; type mdadm_t; type svirt_lxc_net_t; type proc_t; class dir { getattr mounton }; } #============= mdadm_t ============== dontaudit mdadm_t svirt_sandbox_file_t:dir getattr; #============= svirt_lxc_net_t ============== dontaudit svirt_lxc_net_t proc_t:dir mounton; cgal ~ $ sudo semodule -i local.pp The `dontaudit` rule about mounton is another bug: bug #1322845.
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.