Bug 1331007 - SELinux regression in docker-selinux-1.9.1-37
Summary: SELinux regression in docker-selinux-1.9.1-37
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-27 12:45 UTC by Ed Santiago
Modified: 2019-03-06 01:25 UTC (History)
2 users (show)

Fixed In Version: docker-1.9.1-38.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 15:18:31 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1034 0 normal SHIPPED_LIVE Moderate: docker security, bug fix, and enhancement update 2016-05-12 19:15:01 UTC

Description Ed Santiago 2016-04-27 12:45:28 UTC 
# /usr/bin/docker run registry.access.redhat.com/rhel7/rhel:latest echo hi
    permission denied
    Error response from daemon: Cannot start container 3c8ecd5b317fc80da74cbae3cf0fad7fba29322af0fc371cfc42b9caf433305a: [8] System error: permission denied

    # tail /var/log/audit/audit.log
    ...
    type=ANOM_PROMISCUOUS msg=audit(1461760944.457:56521): dev=veth8b3f496 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
    type=SYSCALL msg=audit(1461760944.457:56521): arch=c000003e syscall=44 success=yes exit=40 a0=1b a1=c208d6b3e0 a2=28 a3=0 items=0 ppid=23060 pid=23063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-current" exe="/usr/bin/docker-current" subj=system_u:system_r:initrc_t:s0 key=(null)
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=filter family=2 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=raw family=2 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=security family=2 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=mangle family=2 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=nat family=2 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=filter family=10 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=raw family=10 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=security family=10 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=mangle family=10 entries=0
    type=NETFILTER_CFG msg=audit(1461760944.882:56522): table=nat family=10 entries=0
    type=SYSCALL msg=audit(1461760944.882:56522): arch=c000003e syscall=56 success=yes exit=23566 a0=6c020011 a1=0 a2=0 a3=0 items=0 ppid=23060 pid=23063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-current" exe="/usr/bin/docker-current" subj=system_u:system_r:initrc_t:s0 key=(null)
    type=SERVICE_START msg=audit(1461760945.022:56523): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    type=AVC msg=audit(1461760945.156:56524): avc:  denied  { transition } for  pid=23566 comm="exe" path="/usr/bin/echo" dev="dm-3" ino=100667430 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c202,c658 tclass=process
    type=SYSCALL msg=audit(1461760945.156:56524): arch=c000003e syscall=59 success=no exit=-13 a0=c2085352a0 a1=c208539180 a2=c20852fcb0 a3=0 items=0 ppid=23063 pid=23566 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:initrc_t:s0 key=(null)
    type=ANOM_PROMISCUOUS msg=audit(1461760945.319:56525): dev=veth8b3f496 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
    type=SYSCALL msg=audit(1461760945.319:56525): arch=c000003e syscall=44 success=yes exit=32 a0=1d a1=c208e9ba60 a2=20 a3=0 items=0 ppid=23060 pid=23146 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-current" exe="/usr/bin/docker-current" subj=system_u:system_r:initrc_t:s0 key=(null)
Comment 2 Daniel Walsh 2016-04-27 14:03:01 UTC 
restorecon -v /usr/bin/docker
systemctl restart docker

Try again.
Comment 3 Ed Santiago 2016-04-27 14:05:32 UTC 
No joy. I also tried restorecon -v /usr/bin/docker-current
Comment 4 Daniel Walsh 2016-04-27 14:17:13 UTC 
ls -lZ /usr/bin/docker*
Comment 5 Ed Santiago 2016-04-27 14:19:57 UTC 
   -rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
   -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/docker-current
   -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/docker-fetch
   -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/docker-storage-setup
   -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/dockertarsum
Comment 6 Ed Santiago 2016-04-27 14:47:53 UTC 
Followup:

    # chcon -t docker_exec_t /usr/bin/docker-current
    # systemctl restart docker

    # docker run registry.access.redhat.com/rhel7/rhel:latest echo hi
    hi

(as expected)
Comment 7 Daniel Walsh 2016-04-27 14:57:02 UTC 
Awesome, I asked Lokesh to rebuild docker and docker-selinux package, with corrected labeling.  Nice catch.
Comment 8 Lokesh Mandvekar 2016-04-27 15:29:32 UTC 
will be fixed in upcoming -38
Comment 10 Luwen Su 2016-04-28 08:55:54 UTC 
In docker-1.9.1-38.el7.x86_64

by default:

# ls -lZ /usr/bin/docker*
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-storage-setup

# /usr/bin/docker run registry.access.redhat.com/rhel7/rhel:latest echo hi
hi

Move to verified
Comment 12 errata-xmlrpc 2016-05-12 15:18:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1034.html
Note You need to log in before you can comment on or make changes to this bug.