Description of problem:
When /usr/sbin/init is run in a container, the AVC denial

type=AVC msg=audit(1473229406.405:378): avc: denied { write } for pid=3454 comm="systemd" name="max_dgram_qlen" dev="proc" ino=33223 scontext=system_u:system_r:svirt_lxc_net_t:s0:c184,c241 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=1

is produced.

Version-Release number of selected component (if applicable):
On the host:
kernel-4.7.2-201.fc24.x86_64
systemd-229-13.fc24.x86_64
selinux-policy-3.13.1-191.14.fc24.noarch
docker-1.10.3-26.git1ecb834.fc24.x86_64

In the container:
docker.io/fedora 24 11a5107645d4 3 weeks ago 204.4 MB
systemd-229-8.fc24.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. docker run --rm -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp fedora:24 /usr/sbin/init

Actual results:
systemd 229 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.
Running with unpopulated /etc.

Welcome to Fedora 24 (Twenty Four)!

Set hostname to <791ed8c1887f>.
Initializing machine ID from random generator.
Failed to populate /etc with preset unit settings, ignoring: No such file or directory
[ OK ] Listening on Journal Socket (/dev/log).
[ OK ] Reached target Local File Systems.
[ OK ] Reached target Encrypted Volumes.
[ OK ] Listening on /dev/initctl Compatibility Named Pipe.
[ OK ] Reached target Swap.
[ OK ] Listening on Journal Socket.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Listening on Process Core Dump Socket.
[ OK ] Reached target Remote File Systems.
[ OK ] Created slice System Slice.
         Starting First Boot Wizard...
         Starting Rebuild Dynamic Linker Cache...
[ OK ] Reached target Slices.
         Starting Load/Save Random Seed...
         Starting Rebuild Journal Catalog...
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ OK ] Reached target Paths.
         Starting Journal Service...
[ OK ] Started Load/Save Random Seed.
[ OK ] Started First Boot Wizard.
         Starting Create System Users...
[ OK ] Started Rebuild Journal Catalog.
[ OK ] Started Create System Users.
[ OK ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[ OK ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[ OK ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[ OK ] Started Update UTMP about System Boot/Shutdown.
[ OK ] Started Rebuild Dynamic Linker Cache.
         Starting Update is Completed...
[ OK ] Started Update is Completed.
[ OK ] Reached target System Initialization.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Reached target Sockets.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Started dnf makecache timer.
[ OK ] Reached target Timers.
[ OK ] Reached target Basic System.
[ OK ] Started D-Bus System Message Bus.
         Starting Permit User Sessions...
[ OK ] Started Permit User Sessions.
[ OK ] Reached target Multi-User System.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

and in the audit.log on the host:

type=AVC msg=audit(1473229406.405:378): avc: denied { write } for pid=3454 comm="systemd" name="max_dgram_qlen" dev="proc" ino=33223 scontext=system_u:system_r:svirt_lxc_net_t:s0:c184,c241 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=1

Expected results:
No AVC denial.

Additional info:
The file is /proc/sys/net/unix/max_dgram_qlen in the container.
I see the same AVC denial when running with fedora:rawhide.
I don't see the AVC denial when running with rhel7.
Filing against docker as an initial estimate -- it is possible that the problem is in kernel, SELinux policy, systemd in the container, or the base image which enables something in the container which makes systemd do that write.
I don't see this AVC denial on Fedora 24 host running fedora:23.
I don't see this AVC denial on Fedora 23 host running fedora:23. OTOH, Fedora 23 host with

kernel-4.7.2-101.fc23.x86_64
systemd-222-16.fc23.x86_64
selinux-policy-3.13.1-158.21.fc23.noarch
docker-1.10.3-24.gitf476348.fc23.x86_64

produces this AVC denial when running fedora:24, and also

type=AVC msg=audit(1473231033.637:755): avc: denied { write } for pid=29422 comm="systemd" name="core_pattern" dev="proc" ino=152754 scontext=system_u:system_r:svirt_lxc_net_t:s0:c90,c199 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1

before it.
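Added example, not part of this report or of any of the packages it names: a small Python triage script for AVC records like the two quoted above. It splits each record into its fields, pulls the SELinux type out of scontext/tcontext, recovers the MCS categories that identify the container, and prints the allow rule audit2allow would derive. The two AVC lines are copied from the report; the SYSCALL line is constructed filler, included only to show that non-AVC records are skipped. Note that permissive=1 means the write was logged but still allowed, so in enforcing mode the same write by systemd would fail.

```python
import re
from typing import Any, Dict, List, Optional

# Sample input embedded for this example. The two AVC records are the ones
# quoted in the report; the SYSCALL line is constructed filler so the
# parser's skipping of non-AVC records is exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1473229406.405:378): avc:  denied  { write } for  pid=3454 comm="systemd" name="max_dgram_qlen" dev="proc" ino=33223 scontext=system_u:system_r:svirt_lxc_net_t:s0:c184,c241 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1473229406.405:378): arch=c000003e syscall=2 success=yes exit=3 comm="systemd"
type=AVC msg=audit(1473231033.637:755): avc:  denied  { write } for  pid=29422 comm="systemd" name="core_pattern" dev="proc" ino=152754 scontext=system_u:system_r:svirt_lxc_net_t:s0:c90,c199 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: timestamp, serial, denied/granted, permission set,
# then the free-form key=value fields. \s+ tolerates the double spaces auditd
# writes as well as the single spaces left by copy/paste.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*"
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, Any] = {
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = bare if bare else quoted
    return rec


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    """All AVC records in an audit.log excerpt, in file order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def context_type(ctx: str) -> str:
    """SELinux type from a user:role:type[:level] context, e.g. svirt_lxc_net_t."""
    return ctx.split(":")[2]


def mcs_categories(ctx: str) -> List[str]:
    """MCS categories of a context (the per-container label), e.g. ['c184', 'c241'].
    Empty for contexts like object_r:...:s0 that carry no categories."""
    parts = ctx.split(":")
    return parts[4].split(",") if len(parts) > 4 else []


def suggest_allow_rule(rec: Dict[str, Any]) -> str:
    """The rule audit2allow would derive from this denial. Whether to grant it,
    or instead stop the process from doing the write, is a policy decision."""
    return "allow {} {}:{} {};".format(
        context_type(rec["scontext"]),
        context_type(rec["tcontext"]),
        rec["tclass"],
        " ".join(rec["perms"]),
    )


def was_enforced(rec: Dict[str, Any]) -> bool:
    """True only if the kernel actually blocked the access (permissive=0)."""
    return rec.get("permissive") == "0"


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(
            "serial={serial} comm={comm} pid={pid} name={name} container={cats} "
            "enforced={enf} rule: {rule}".format(
                serial=rec["serial"], comm=rec["comm"], pid=rec["pid"], name=rec["name"],
                cats=",".join(mcs_categories(rec["scontext"])),
                enf=was_enforced(rec), rule=suggest_allow_rule(rec),
            )
        )
```

Run it against a real /var/log/audit/audit.log on the host (or the output of `ausearch -m AVC`) to group denials by container label and target type before deciding whether the fix belongs in policy or in the process that triggers the write.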
This is fixed in Rawhide. Lukas, could you backport the fixes for virt.te into F23, F24 and RHEL7?
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Is this fixed in Fedora 25?
Probably, it happened long ago.
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.