Description of problem:
When /usr/sbin/init is run in a container based on fedora:rawhide, the AVC denial

type=AVC msg=audit(1473230214.607:567): avc: denied { create } for pid=4774 comm="systemd" name="blk" scontext=system_u:system_r:svirt_lxc_net_t:s0:c163,c244 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c163,c244 tclass=blk_file permissive=1

is produced, in addition to the one tracked in bug 1373746.

Version-Release number of selected component (if applicable):
On the host:
kernel-4.7.2-201.fc24.x86_64
systemd-229-13.fc24.x86_64
selinux-policy-3.13.1-191.14.fc24.noarch
docker-1.10.3-26.git1ecb834.fc24.x86_64

In the container:
docker.io/fedora rawhide 3bcdeb6ee43b 3 weeks ago 174 MB
systemd-231-3.fc26.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. docker run --rm -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp fedora:rawhide /usr/sbin/init

Actual results:
On the host in audit.log, the AVC denial

type=AVC msg=audit(1473230214.607:567): avc: denied { create } for pid=4774 comm="systemd" name="blk" scontext=system_u:system_r:svirt_lxc_net_t:s0:c163,c244 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c163,c244 tclass=blk_file permissive=1

Expected results:
No AVC denial.

Additional info:
This is a regression against fedora:24:
docker.io/fedora 24 11a5107645d4 3 weeks ago 204.4 MB

Filing against docker as an initial estimate -- it is possible that the problem is in the kernel, SELinux policy, systemd in the container, or the base image, which enables something in the container that makes systemd do that write.
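Triaging a report like this starts with pulling the AVC record apart: which domain did what to which class, whether the MCS categories of source and target match (i.e. the container touched its own files rather than another container's), and whether permissive=1 means the operation actually went through. The following is an added example for that purpose, not code from the bug report or from docker/container-selinux; the sample record is the one quoted above, embedded as a constructed string, and the domain and class sets are my assumptions for what counts as "a container domain creating a device node".

```python
import re

# Constructed sample: the AVC record quoted in the bug report, as it appears in audit.log.
SAMPLE_AVC = (
    'type=AVC msg=audit(1473230214.607:567): avc: denied { create } for '
    'pid=4774 comm="systemd" name="blk" '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c163,c244 '
    'tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c163,c244 '
    'tclass=blk_file permissive=1'
)

_MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
_AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted (comm="systemd") or bare (tclass=blk_file)
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed sets: svirt_lxc_net_t is the container domain in the report; container_t is the
# later name used by container-selinux for the same role.
CONTAINER_DOMAINS = {"svirt_lxc_net_t", "container_t"}
DEVICE_NODE_CLASSES = {"blk_file", "chr_file"}


def parse_avc(line):
    """Parse one audit line into a dict, or return None if it is not an AVC record."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    msg = _MSG_RE.search(line)
    if msg:
        rec["timestamp"] = float(msg.group("ts"))
        rec["serial"] = int(msg.group("serial"))
    for key, value, quoted in _KV_RE.findall(m.group("rest")):
        rec[key] = quoted if value.startswith('"') else value
    return rec


def split_context(ctx):
    """Split user:role:type:level. The MCS level itself contains ':' so split at most 3 times."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def is_container_device_node_create(rec):
    """True when a container process domain tries to create a block or character device node."""
    if "scontext" not in rec or "tclass" not in rec:
        return False
    return (split_context(rec["scontext"])["type"] in CONTAINER_DOMAINS
            and rec["tclass"] in DEVICE_NODE_CLASSES
            and "create" in rec["perms"])


def same_mcs_categories(rec):
    """True when source and target share an MCS level, i.e. the file belongs to this container."""
    return split_context(rec["scontext"])["level"] == split_context(rec["tcontext"])["level"]


def summarize(line):
    """One-line human summary; flags permissive records, which were logged but not blocked."""
    rec = parse_avc(line)
    if rec is None:
        return None
    verdict = rec["verdict"]
    if rec.get("permissive") == "1":
        verdict += " (permissive: operation was allowed but logged)"
    return "%s: %s pid=%s %s on %s %r by %s" % (
        verdict, rec.get("comm", "?"), rec.get("pid", "?"),
        ",".join(sorted(rec["perms"])), rec.get("tclass", "?"), rec.get("name", ""),
        split_context(rec["scontext"])["type"],
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_AVC))
```

Feeding a whole audit.log through parse_avc and keeping only records where is_container_device_node_create is true isolates exactly the class of event this bug is about, and same_mcs_categories separates "a container created a node inside its own rootfs" from cross-container access, which deserves a different severity.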
Also note 1373780. There is no progress/status shown with the fedora:rawhide image, so it's hard to say what the container actually does.
I also see this on Fedora 23 host with selinux-policy-3.13.1-158.21.fc23.noarch docker-1.10.3-24.gitf476348.fc23.x86_64 kernel-4.7.2-101.fc23.x86_64 systemd-222-16.fc23.x86_64 running fedora:rawhide.
I think systemd is creating blk and chr files during boot up. If you take away the mknod capability does this problem go away? --cap-drop=mknod
(In reply to Daniel Walsh from comment #3)
> I think systemd is creating blk and chr files during boot up.
> If you take away the mknod capability does this problem go away?
>
> --cap-drop=mknod

Yes, it does, thank you. Does it mean that going forward this will be a mandatory option for unprivileged containers with systemd? Should systemd be able to detect if it is able to run the operation?

Also, the bug 1373780 is still present though -- no status. Is that related?
No, I was just wondering if systemd would realize it does not have mknod so that it can work properly. This is a fundamental difference between docker and me. I don't believe we should allow containers to have mknod capabilities. Docker believes in trusting the devices cgroup to control which devices can be created in a container. If you have control of your dockerfile, you should remove the capability. The question I have to figure out is whether I want to allow or dontaudit this access.
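The two comments above ask whether a program could notice that it lacks mknod before attempting it, and recommend dropping the capability. A process can answer that question itself by decoding the CapEff bitmask in /proc/self/status. The block below is an added example, not part of the bug thread and not systemd's or docker's code; the capability bit numbers are those of <linux/capability.h>, and the two /proc status fragments are constructed: 0xa80425fb is the effective set a process has under Docker's default capability list (which contains CAP_MKNOD, bit 27), and 0xa00425fb is the same mask with bit 27 cleared, which is what `--cap-drop=mknod` yields.

```python
import re

# Capability bit numbers from <linux/capability.h>: Docker's default set plus CAP_SYS_ADMIN.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5,
    "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_RAW": 13, "CAP_SYS_CHROOT": 18, "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27,
    "CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31,
}
CAP_MKNOD = CAP_BITS["CAP_MKNOD"]

# Constructed /proc/<pid>/status fragments (assumed values, see lead-in).
STATUS_DEFAULT = (
    "Name:\tsystemd\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
)
STATUS_MKNOD_DROPPED = (
    "Name:\tsystemd\nCapInh:\t0000000000000000\nCapPrm:\t00000000a00425fb\n"
    "CapEff:\t00000000a00425fb\nCapBnd:\t00000000a00425fb\n"
)


def parse_cap_mask(hex_field):
    """The Cap* fields are 64-bit masks printed as hex without a 0x prefix."""
    return int(hex_field, 16)


def has_cap(mask, bit):
    """True when capability number `bit` is set in `mask`."""
    return bool((mask >> bit) & 1)


def cap_names(mask):
    """Names of the known capabilities set in `mask`, ordered by bit number."""
    return sorted((n for n, b in CAP_BITS.items() if has_cap(mask, b)), key=CAP_BITS.get)


def read_cap_set(status_text, which="CapEff"):
    """Extract one of CapInh/CapPrm/CapEff/CapBnd from the text of /proc/<pid>/status."""
    m = re.search(r'^%s:\s*([0-9a-fA-F]+)\s*$' % which, status_text, re.M)
    if m is None:
        raise ValueError("no %s line in status text" % which)
    return parse_cap_mask(m.group(1))


def can_mknod(status_text=None):
    """Would a mknod() of a device node pass the capability check for this process?
    Reads the calling process's own status when no text is supplied."""
    if status_text is None:
        with open("/proc/self/status") as f:
            status_text = f.read()
    return has_cap(read_cap_set(status_text, "CapEff"), CAP_MKNOD)


def caps_beyond(mask, allowed_names):
    """Known capabilities present in `mask` that are not in the allow-list; useful to audit a
    container's effective set against what its workload is supposed to need."""
    return [n for n in cap_names(mask) if n not in set(allowed_names)]


if __name__ == "__main__":
    print("mknod allowed for this process:", can_mknod())
```

Note that passing the capability check is necessary but not sufficient: even with CAP_MKNOD, SELinux policy (the subject of this bug) and the devices cgroup that Docker relies on still get a say, so a caller should treat a False here as a definite no and a True only as "worth trying".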
The issue is also present on Fedora 25, with docker-1.12.4-6.git1b5971a.fc25.x86_64 and container-selinux-1.12.4-6.git1b5971a.fc25.x86_64.
(In reply to Daniel Walsh from comment #5)
> The question I have to figure out is whether I want to allow or dontaudit
> this access.

Dan, could we make the decision one way or another? Now that Fedora 25 is released and is our main version we test on, the AVC denial adds unnecessary noise to test results.
Jan can you make your container drop the mknod capability by default.
You mean in our tests? I don't see a way to specify that in the Dockerfile to make sure it is dropped by every user of the container image.
I have allowed the access in the last push to container-selinux. 513572d0fff7899196d57721ed81577ee3dc8414 Lokesh can you put out a new build of docker to include this fix?
(In reply to Daniel Walsh from comment #10)
> I have allowed the access in the last push to container-selinux.
>
> 513572d0fff7899196d57721ed81577ee3dc8414
>
> Lokesh can you put out a new build of docker to include this fix?

Talked to Lokesh; since I'm already updating docker in Fedora I'll take care of this soon(ish).

Dan, this bugzilla is against F24 which still has docker-1.10.3. Should we update it in F24 then? Or, should we just update container-selinux for docker-1.12.x in F25 and Rawhide?
Let's just do it for F25 for now. I am not sure container-selinux would work with docker-1.10.
docker-1.12.5-4.git03508cc.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e856fcc7db
docker-1.12.5-4.git03508cc.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.