+++ This bug was initially created as a clone of Bug #1388621 +++

Description of problem:
I'm seeing the following AVCs while trying to create a router:

Version-Release number of selected component (if applicable):
docker-selinux-1.10.3-46.el7.14.x86_64
docker-1.10.3-46.el7.14.x86_64
selinux-policy-3.13.1-102.el7.noarch
atomic-openshift-3.4.0.15-1.git.0.9c963ec.el7.x86_64

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

# uname -r
3.10.0-514.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. # oadm router storage-project-router --replicas=1

Actual results:
Router creation is NOT successful and AVCs are seen

Expected results:
Router creation should be successful and NO AVCs should be seen

Additional info:
############
type=AVC msg=audit(1477421059.638:30124): avc: denied { transition } for pid=3075 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
type=AVC msg=audit(1477421062.021:30126): avc: denied { transition } for pid=3095 comm="exe" path="/usr/bin/pod" dev="dm-9" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process
type=AVC msg=audit(1477421069.356:30130): avc: denied { transition } for pid=3169 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
----
type=SYSCALL msg=audit(Wednesday 26 October 2016 A.863:30816) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0xc8205af290 a1=0xc8205af2a0 a2=0xc8200878c0 a3=0x0 items=0 ppid=3803 pid=11016 auid=unset uid=unknown(1001) gid=root euid=unknown(1001) suid=unknown(1001) fsuid=unknown(1001) egid=root sgid=root fsgid=root tty=(none) ses=unset comm=exe exe=/usr/bin/docker-current subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(Wednesday 26 October 2016 A.863:30816) : avc: denied { transition } for pid=11016 comm=exe path=/usr/bin/pod dev="dm-6" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process

allow svirt_lxc_net_t unconfined_service_t:process sigchld;
allow unconfined_service_t svirt_lxc_net_t:process transition;
#################

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-10-25 14:59:01 EDT ---

This bug is automatically being proposed for the current release of Red Hat Gluster Storage 3 under active development, by setting the release flag 'rhgs-3.2.0' to '?'. If this bug should be proposed for a different release, please manually change the proposed release flag.
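To triage records like the ones above at scale, here is an added example (not code from this bug or from Red Hat's tooling) that parses AVC denials in both raw audit.log and `ausearch -i` form, pulls out the source/target types and the container's MCS level, and collapses them into the allow statements audit2allow would print. The sample input is the bug's own raw records plus one constructed ausearch-style line (timestamp made up) and one non-AVC record.

```python
import re
from collections import Counter

# Constructed sample input: the three raw audit.log AVC records quoted in this bug, one
# record in `ausearch -i` interpreted form (timestamp constructed), and one non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1477421059.638:30124): avc: denied { transition } for pid=3075 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
type=AVC msg=audit(1477421062.021:30126): avc: denied { transition } for pid=3095 comm="exe" path="/usr/bin/pod" dev="dm-9" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process
type=AVC msg=audit(1477421069.356:30130): avc: denied { transition } for pid=3169 comm="exe" path="/usr/bin/pod" dev="dm-8" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c2,c3 tclass=process
type=AVC msg=audit(10/26/2016 10:47:39.863:30816) : avc:  denied  { transition } for pid=11016 comm=exe path=/usr/bin/pod dev="dm-6" ino=27266165 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c4,c9 tclass=process
type=SYSCALL msg=audit(1477421069.356:30130): arch=c000003e syscall=59 success=no exit=-13 comm="exe" exe="/usr/bin/docker-current"
"""

AVC_RE = re.compile(r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    src = fields['scontext'].split(':')  # user:role:type:sensitivity[:categories]
    tgt = fields['tcontext'].split(':')
    return {'perms': m.group('perms').split(), 'tclass': fields['tclass'],
            'comm': fields.get('comm'), 'path': fields.get('path'),
            'stype': src[2], 'ttype': tgt[2],
            'tlevel': ':'.join(tgt[3:])}  # e.g. 's0:c2,c3', the container's MCS categories

def parse_audit(text):
    """Return the AVC denial records found in an audit log, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r]

def denial_summary(records):
    """Count denials per (source type, target type, object class, permission)."""
    return Counter((r['stype'], r['ttype'], r['tclass'], p)
                   for r in records for p in r['perms'])

def allow_rules(records):
    """Collapse denials into the type-enforcement statements they imply (what audit2allow
    prints). The MCS level is dropped: TE rules are written per type, not per level."""
    perms = {}
    for r in records:
        perms.setdefault((r['stype'], r['ttype'], r['tclass']), set()).update(r['perms'])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        p = sorted(p)
        fmt = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
        rules.append('allow %s %s:%s %s;' % (s, t, c, fmt))
    return rules
```

The generated rule is for confirming which denial a policy update is meant to address; loading it as a local module is the last resort, and the retest later in this bug shows the denial disappearing with the newer docker-selinux package instead.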
We seem to have a bad version of docker and docker-selinux in the release?
I've re-tested this using the latest RHEL-7.3 GA bits and it looks like the router creation works well with SELinux in Enforcing mode.

#######
selinux-policy-3.13.1-102.el7_3.4.noarch
docker-selinux-1.10.3-57.el7.x86_64

NAME                        REVISION   DESIRED   CURRENT   TRIGGERED BY
dc/storage-project-router   1          1         1         config

NAME                          DESIRED   CURRENT   READY   AGE
rc/storage-project-router-1   1         1         1       4m

NAME                         CLUSTER-IP       EXTERNAL-IP   PORT(S)                   AGE
svc/storage-project-router   172.30.131.240   <none>        80/TCP,443/TCP,1936/TCP   4m

NAME                                READY   STATUS    RESTARTS   AGE
po/storage-project-router-1-uuomp   1/1     Running   0          4m

# oc get pods
NAME                             READY   STATUS    RESTARTS   AGE
storage-project-router-1-uuomp   1/1     Running   0          1m
#######