Bug 1373430 - SELinux prevents docker from starting any container
Summary: SELinux prevents docker from starting any container
Keywords:
Status: CLOSED DUPLICATE of bug 1358819
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-06 09:20 UTC by Stef Walter
Modified: 2016-11-25 09:03 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-07 12:47:01 UTC
Target Upstream Version:



Description Stef Walter 2016-09-06 09:20:00 UTC
Description of problem:

Sep 05 03:13:52 localhost.localdomain kernel: type=1400 audit(1473059632.888:21): avc:  denied  { search } for  pid=1499 comm="systemd-machine" name="2725" dev="proc" ino=39033 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
Sep 05 03:13:52 localhost.localdomain oci-register-machine[2729]: 2016/09/05 03:13:52 Register machine failed: Failed to determine unit of process 2725 : Permission denied

Version-Release number of selected component (if applicable):

 oci-register-machine     x86_64  1:0-1.7.git31bbcd2.el7    rhel-7-server-extras-rpms  929 k
 oci-systemd-hook         x86_64  1:0.1.4-4.git41491a3.el7  rhel-7-server-extras-rpms   27 k
 docker-selinux           x86_64  1.10.3-46.el7.10          rhel-7-server-extras-rpms   78 k
 selinux-policy-targeted  noarch  0:3.13.1-93.el7

How reproducible:

Happens in Cockpit integration tests: https://fedorapeople.org/groups/cockpit/logs/pull-4928-65231a35-verify-rhel-7/TestKubernetes-testDashboard-10.111.118.238-FAIL.log

Comment 2 Stef Walter 2016-09-07 10:21:19 UTC
This affects all use of Docker or Kubernetes on RHEL.

Can reproduce this on RHEL 7.3 Beta

Comment 3 Stef Walter 2016-09-07 10:29:15 UTC
Same failure on 7.3 Beta:

docker-1.10.3-46.el7.10.x86_64
docker-selinux-1.10.3-46.el7.10.x86_64
oci-register-machine-0-1.7.git31bbcd2.el7.x86_64
oci-systemd-hook-0.1.4-4.git41491a3.el7.x86_64
selinux-policy-targeted-3.13.1-93.el7.noarch

[root@localhost ~]# docker run -ti busybox /bin/sh
[   59.032970] type=1400 audit(1473243975.900:4): avc:  denied  { search } for  pid=1146 comm="systemd-machine" name="1138" dev="proc" ino=23553 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
docker: Error response from daemon: Cannot start container 3be591f72ec5c85630406bd20e3cc10e1573ce6ee0c33b6054083620d7b3062b: [9] System error: exit status 1.

Comment 4 Stef Walter 2016-09-07 10:30:41 UTC
When I try a workaround suggested by Antonio:

rm -rf /usr/libexec/oci/hooks.d/oci-register-machine

I get another AVC:

[  268.266642] type=1400 audit(1473244185.134:5): avc:  denied  { transition } for  pid=1262 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c35,c359 tclass=process
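
The two AVC shapes quoted in this report (a `search` denial on a `/proc` directory and a process `transition` denial into the container domain) are the kind of records a defender has to pull apart before deciding whether a policy module is missing or a rule is genuinely absent. The following parser is an added example written for this page, not code from the bug report, from selinux-policy or from Cockpit; it takes the three AVC lines above as constructed sample input (the non-AVC `oci-register-machine` line is included to show it is ignored), extracts the source and target types, and groups denials by the (source type, target type, class, permission) tuple that a triage pass compares against the loaded policy. The helper names (`parse_avc_line`, `summarize`, `is_container_transition_denial`) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the AVC records quoted in this bug, plus the
# oci-register-machine line that accompanied the first one.
SAMPLE_LOG = """\
Sep 05 03:13:52 localhost.localdomain kernel: type=1400 audit(1473059632.888:21): avc:  denied  { search } for  pid=1499 comm="systemd-machine" name="2725" dev="proc" ino=39033 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
Sep 05 03:13:52 localhost.localdomain oci-register-machine[2729]: 2016/09/05 03:13:52 Register machine failed: Failed to determine unit of process 2725 : Permission denied
[   59.032970] type=1400 audit(1473243975.900:4): avc:  denied  { search } for  pid=1146 comm="systemd-machine" name="1138" dev="proc" ino=23553 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
[  268.266642] type=1400 audit(1473244185.134:5): avc:  denied  { transition } for  pid=1262 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c35,c359 tclass=process
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type:level[:categories] context."""
    return ctx.split(":")[2]


@dataclass
class AvcRecord:
    decision: str            # "denied" or "granted"
    perms: List[str]         # permissions inside the braces
    fields: Dict[str, str]   # pid, comm, name/path, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        return context_type(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return context_type(self.fields["tcontext"])


def parse_avc_line(line: str) -> Optional[AvcRecord]:
    """Parse one log line; returns None for lines that carry no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, _whole, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted != "" else bare
    return AvcRecord(m.group("decision"), m.group("perms").split(), fields)


def parse_log(text: str) -> List[AvcRecord]:
    return [r for r in (parse_avc_line(ln) for ln in text.splitlines()) if r]


def summarize(records: List[AvcRecord]) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials per (source type, target type, class, permission).

    One entry per distinct access-vector rule that was hit, which is the tuple
    you would look up in the loaded policy when deciding whether the rule is
    really absent or a policy module simply failed to load."""
    counts: Dict[Tuple[str, str, str, str], int] = {}
    for r in records:
        if r.decision != "denied":
            continue
        for perm in r.perms:
            key = (r.source_type, r.target_type, r.fields.get("tclass", "?"), perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


def is_container_transition_denial(r: AvcRecord) -> bool:
    """True for the shape seen in this bug: the runtime was refused the domain
    transition into a container domain (svirt_*), which stops container start."""
    return (
        r.decision == "denied"
        and "transition" in r.perms
        and r.fields.get("tclass") == "process"
        and r.target_type.startswith("svirt_")
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]}  {key[2]}:{key[3]}")
    for r in recs:
        if is_container_transition_denial(r):
            print("container domain transition denied:", r.fields.get("path"), r.fields.get("tcontext"))
```

Each tuple printed by `summarize` can be checked against the policy that is actually loaded (for example with `sesearch --allow -s SRC -t TGT -c CLASS -p PERM` from setools); a tuple that the shipped docker policy module is supposed to allow but that `sesearch` does not find points at a module that did not load or has the wrong priority, which is the direction the later comments on this bug take.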

Comment 5 Stef Walter 2016-09-07 10:35:55 UTC
This bug was found by the Cockpit integration tests.

Upstream known issue tracking failures in tests: https://github.com/cockpit-project/cockpit/issues/4978

Comment 8 Milos Malik 2016-09-07 11:59:15 UTC
The problem is that there should be 2 docker policy modules in the output, each of them having a different priority.

Comment 9 Daniel Walsh 2016-09-07 12:47:01 UTC

*** This bug has been marked as a duplicate of bug 1358819 ***

