Bug 1412803 - SELinux AVC when starting OCP container
Summary: SELinux AVC when starting OCP container
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1420851
Reported: 2017-01-12 20:28 UTC by Marko Myllynen
Modified: 2020-04-15 15:05 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-07 12:15:34 UTC
Target Upstream Version:

Description Marko Myllynen 2017-01-12 20:28:18 UTC
Description of problem:
With latest RHEL 7.3 / OCP 3.3 as of 2017-01-12 OCP deployment fails, I'm seeing the following when e.g. docker-registry-1-deploy / router-1-deploy pods are in ContainerCreating state during OCP deployment:

[root@infra01 ~]# rpm -q selinux-policy docker docker-selinux container-selinux
selinux-policy-3.13.1-102.el7_3.7.noarch
docker-1.10.3-59.el7.x86_64
package docker-selinux is not installed
container-selinux-1.10.3-59.el7.x86_64
[root@infra01 ~]# grep denied /var/log/audit/audit.log | head -n 1
type=AVC msg=audit(1484251796.227:1917): avc:  denied  { transition } for  pid=15134 comm="exe" path="/usr/bin/pod" dev="dm-4" ino=2104360 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c0,c5 tclass=process
[root@infra01 ~]# grep -c denied /var/log/audit/audit.log 
93

If SELinux is in Permissive, things work as expected.

Thanks.
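The AVC record above shows a denied process transition from the unconfined_service_t domain into the container domain svirt_lxc_net_t. As an added example (not part of the bug report), this Python parser pulls the fields out of audit.log AVC records and flags such blocked container transitions; the sample log text is constructed from the quoted record plus an unrelated denial and a SYSCALL record.

```python
import re
# Domains a container runtime transitions into on RHEL 7: svirt_lxc_net_t in the
# docker-1.10-era policy (the one in the bug), container_t in later container-selinux.
CONTAINER_DOMAINS = {"svirt_lxc_net_t", "container_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit.log AVC record into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')  # pid, comm, path, scontext, tcontext, tclass, ...
    return rec

def selinux_type(context):
    """user:role:type:level -> type (the third field of a context string)."""
    return context.split(":")[2]

def is_container_transition_denial(rec):
    """True when a process transition *into* a container domain was denied."""
    return (rec["verdict"] == "denied"
            and rec.get("tclass") == "process"
            and "transition" in rec["perms"]
            and selinux_type(rec.get("tcontext", "::")) in CONTAINER_DOMAINS)

# Constructed sample: the denial quoted in the bug plus an unrelated file denial and
# the SYSCALL record that accompanies an AVC (not an AVC itself, so it is skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1484251796.227:1917): avc:  denied  { transition } for  pid=15134 comm="exe" path="/usr/bin/pod" dev="dm-4" ino=2104360 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c0,c5 tclass=process
type=AVC msg=audit(1484251800.100:1920): avc:  denied  { read } for  pid=15200 comm="cat" name="shadow" dev="dm-4" ino=12345 scontext=system_u:system_r:svirt_lxc_net_t:s0:c0,c5 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1484251796.227:1917): arch=c000003e syscall=59 success=no exit=-13
"""

def container_transition_denials(log_text):
    """Return (source type, target type, path) for every blocked container transition."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_container_transition_denial(rec):
            hits.append((selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec.get("path")))
    return hits
```

Running container_transition_denials over the sample yields the single blocked transition unconfined_service_t -> svirt_lxc_net_t for /usr/bin/pod; in a permissive system the same record would read "granted" and be ignored by the check.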

Comment 1 Daniel Walsh 2017-01-12 21:47:06 UTC
Our latest docker is docker-1.12.5-14.el7

Comment 2 Marko Myllynen 2017-01-13 10:00:29 UTC
(In reply to Daniel Walsh from comment #1)
> Our latest docker is docker-1.12.5-14.el7

On our public RHEL channels we have:

docker-1.10.3-59.el7.x86_64
docker-latest-1.12.3-10.el7.x86_64

The docker-latest package provides docker-latest service and configuration files but OCP packages have dependencies to the docker (not docker-latest) package and they use the docker service and configurations (not docker-latest). Thanks.

Comment 7 Marko Myllynen 2017-01-16 10:28:42 UTC
I'm happy to confirm docker 1.12.5-14 (to be officially released in a few days) fixes this issue.

I filed two other BZs on remotely related lower impact issues:

https://bugzilla.redhat.com/show_bug.cgi?id=1413535
https://bugzilla.redhat.com/show_bug.cgi?id=1413536

Thanks.

Comment 8 Marko Myllynen 2017-04-07 12:15:34 UTC
This issue is fixed in current releases, closing. Thanks.

container-selinux-2.9-4.el7.noarch
docker-1.12.6-11.el7.x86_64
selinux-policy-3.13.1-102.el7_3.16.noarch
