Hide Forgot
Description of problem: I was practicing some docker's IPC (Inter Process Communication)... SELinux is preventing ipc from 'write' accesses on the directory /. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ipc should be allowed write access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c ipc --raw | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_lxc_net_t:s0:c89,c231 Target Context system_u:object_r:docker_tmpfs_t:s0 Target Objects / [ dir ] Source ipc Source Path ipc Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages filesystem-3.2-35.fc23.x86_64 Policy RPM selinux-policy-3.13.1-158.12.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.4.6-301.fc23.x86_64+debug #1 SMP Wed Mar 30 16:31:03 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-04-17 18:59:54 IDT Last Seen 2016-04-17 18:59:54 IDT Local ID 0071ce2e-6f3c-454b-876e-9299bed70ea8 Raw Audit Messages type=AVC msg=audit(1460908794.22:776): avc: denied { write } for pid=15976 comm="ipc" name="/" dev="mqueue" ino=3956189 scontext=system_u:system_r:svirt_lxc_net_t:s0:c89,c231 tcontext=system_u:object_r:docker_tmpfs_t:s0 tclass=dir permissive=0 Hash: ipc,svirt_lxc_net_t,docker_tmpfs_t,dir,write Version-Release number of selected component: selinux-policy-3.13.1-158.12.fc23.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.4.6-301.fc23.x86_64+debug type: libreport
What version of docker? I believe this is fixed in the latest versions of docker. /dev/mqueue is labeled correctly.
*** Bug 1327898 has been marked as a duplicate of this bug. ***
Hi Daniel sorry it took me so long to get back at you, I don't know which version of the docker engine I was using at the time, maybe 1.02 but currently I use Docker version 1.10.3, build 1ecb834/1.10.3 and I believe that the problem has indeed solved itself in this version to the best of my knowledge, but I haven't been practicing much in docker lately, and most of my recent attempts to do things in Docker engine were carried out on a virtual machine of openSUSE (because I had very small /usr and /var partitions until I enlarged them to about 16 GBs each from unused space from my /home partition using LVM resizing. It is so much less scary to do it on a personal bare metal machine, than doing it on a live production server which I had to reduce its size on live VM which had thick provisioning (one of my many rookie mistakes))... GL HF :) DaVe