Description of problem:
Upgraded my system including firewalld

SELinux is preventing iptables from 'read' accesses on the file file.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iptables should be allowed read access on the file file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iptables' --raw | audit2allow -M my-iptables
# semodule -X 300 -i my-iptables.pp

Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                file [ file ]
Source                        iptables
Source Path                   iptables
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-257.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.4-300.fc26.x86_64 #1 SMP Wed Jun 7 18:07:41 UTC 2017 x86_64 x86_64
Alert Count                   43
First Seen                    2017-06-14 14:04:09 CEST
Last Seen                     2017-06-14 14:04:09 CEST
Local ID                      74383695-243b-46fe-814d-861c133e6b4b

Raw Audit Messages
type=AVC msg=audit(1497441849.565:703): avc: denied { read } for pid=451 comm="iptables" path="net:[4026531967]" dev="nsfs" ino=4026531967 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Hash: iptables,iptables_t,container_runtime_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-257.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.4-300.fc26.x86_64
type:           libreport
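The raw AVC record above is the whole story of this bug: the target is not a regular file but a network-namespace handle on nsfs (path="net:[...]", the /var/run/docker/netns entries mentioned later in the thread), and it carries the container runtime's process type container_runtime_t, so the iptables_t domain cannot read it until policy says so. As an added example that is not part of the bug report or the selinux-policy project, the following Python script parses raw AVC lines of this shape, reconstructs the setroubleshoot "Hash:" key, flags denials matching this nsfs/container_runtime_t pattern, and renders the allow rule a local module would need. The second sample line is a constructed, unrelated denial used as a control; the .te rendering is hand-written in the same form that audit2allow -M produces, not audit2allow's own output.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the first line is the AVC record quoted in the report
# above; the second is a made-up, unrelated denial that must NOT be flagged.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1497441849.565:703): avc: denied { read } for pid=451 '
    'comm="iptables" path="net:[4026531967]" dev="nsfs" ino=4026531967 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1497441900.001:710): avc:  denied  { write } for  pid=999 '
    'comm="httpd" name="index.html" dev="dm-0" ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

# Header of an AVC record; tolerates the single or double spacing auditd uses.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
# key=value pairs, quoted ("iptables") or bare (system_u:system_r:iptables_t:s0).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str
    perms: list
    fields: dict

    def _type_of(self, ctx_key):
        # A context is user:role:type:level; the type is the third field.
        return self.fields[ctx_key].split(':')[2]

    @property
    def source_type(self):
        return self._type_of('scontext')

    @property
    def target_type(self):
        return self._type_of('tcontext')

    def setroubleshoot_key(self):
        # comm,source type,target type,class,perms: the shape of the "Hash:" line.
        return ','.join([self.fields['comm'], self.source_type, self.target_type,
                         self.fields['tclass'], ' '.join(self.perms)])

    def allow_rule(self):
        perms = self.perms[0] if len(self.perms) == 1 else '{ ' + ' '.join(self.perms) + ' }'
        return f'allow {self.source_type} {self.target_type}:{self.fields["tclass"]} {perms};'


def parse_avc(line):
    """Return an Avc for a raw AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: unq or q for k, q, unq in KV_RE.findall(m.group('rest'))}
    return Avc(float(m.group('ts')), int(m.group('serial')), m.group('result'),
               m.group('perms').split(), fields)


def is_container_netns_denial(avc):
    """The pattern in this report: a denied read of a network-namespace handle
    (dev=nsfs) labelled with the container runtime's process type."""
    return (avc.result == 'denied'
            and avc.fields.get('dev') == 'nsfs'
            and avc.target_type == 'container_runtime_t'
            and 'read' in avc.perms)


def find_container_netns_denials(lines):
    parsed = (parse_avc(line) for line in lines)
    return [a for a in parsed if a is not None and is_container_netns_denial(a)]


def local_policy_module(name, avcs):
    """Render .te source in the form audit2allow -M emits (hand-written here,
    an approximation of that tool's output) covering the given denials."""
    types = sorted({t for a in avcs for t in (a.source_type, a.target_type)})
    classes = {}
    for a in avcs:
        classes.setdefault(a.fields['tclass'], set()).update(a.perms)
    req = ''.join(f'\ttype {t};\n' for t in types)
    req += ''.join(f'\tclass {c} {{ {" ".join(sorted(p))} }};\n'
                   for c, p in sorted(classes.items()))
    rules = '\n'.join(sorted({a.allow_rule() for a in avcs}))
    return f'module {name} 1.0;\n\nrequire {{\n{req}}}\n\n{rules}\n'


if __name__ == '__main__':
    hits = find_container_netns_denials(SAMPLE_AUDIT_LINES)
    for avc in hits:
        print(avc.setroubleshoot_key())
    print(local_policy_module('my-iptables', hits))
```

Feeding it real data is a matter of replacing SAMPLE_AUDIT_LINES with the output of `ausearch -m AVC --raw`; the key it prints for the first sample line is exactly the "Hash:" value shown in the report, and the rendered rule (`allow iptables_t container_runtime_t:file read;`) is what a local module such as the suggested my-iptables.pp has to grant until the policy package carries the fix.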
Description of problem:
Every time I create a new container on docker under Fedora 26 Beta.
I use a custom network in my docker-compose v2 file.

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.7-300.fc26.x86_64
type:           libreport
Only one time, the selinux alert program gave me the absolute path to the file:

/var/run/docker/netns/<hash-with-letters>

The docker-compose file I use, which creates an internal network by default for its containers:

version: '2'

services:
  db:
    image: docker.io/library/postgres:9.4
    environment:
      - POSTGRES_USER=odoo
      - POSTGRES_PASSWORD=odoo
    volumes:
      - postgres_data:/var/lib/postgresql
  odoo:
    build: .
    image: centione/ravin:10.0
    environment:
      - POSTGRES_USER=odoo
      - POSTGRES_PASSWORD=odoo
    volumes:
      - odoo_data:/var/lib/odoo
      - ./:/mnt/extra-addons:ro,Z
    ports:
      - "8001:8069"
    tty: true

volumes:
  postgres_data:
  odoo_data:
Sent patch upstream https://github.com/fedora-selinux/selinux-policy/pull/197
Description of problem:
I've started a docker image with docker-compose. Some useful info:

[vilmosnagy@vnagy-dell docker]$ ls -la
total 40
drwxrwxr-x.  5 vilmosnagy vilmosnagy 4096 Jul 12 16:50 .
drwxrwxr-x. 24 vilmosnagy vilmosnagy 4096 Jul 12 16:48 ..
drwxrwxr-x.  2 vilmosnagy vilmosnagy 4096 Jun 28 18:27 authentication
-rw-rw-r--.  1 vilmosnagy vilmosnagy  325 Jul 12 16:50 docker-compose.override.yml
-rw-rw-r--.  1 vilmosnagy vilmosnagy 1609 Jun 28 18:27 docker-compose.yml
-rw-rw-r--.  1 vilmosnagy vilmosnagy 1372 Jun 28 18:27 Dockerfile
drwxrwxr-x.  2 vilmosnagy vilmosnagy 4096 Jun 28 18:27 kfonix-server
drwxrwxr-x.  2 vilmosnagy vilmosnagy 4096 Jun 28 18:27 log
-rw-rw-r--.  1 vilmosnagy vilmosnagy  164 Jun 28 18:27 sample-docker-compose.override.yml
-rwxrwxr-x.  1 vilmosnagy vilmosnagy  349 Jun 28 18:27 start.sh

[vilmosnagy@vnagy-dell docker]$ cat docker-compose.yml
version: "2"

services:
  master:
    image: some_meaningful_url
    networks:
      kfonixnet:
        ipv4_address: 172.30.255.17
    ports:
      - 9080:9080
      - 8080:8080
      - 9990:9990
      - 8787:8787
      - 8788:8788
      - 10080:10080
      # Some of these are described in the wiki here: Wildfly run and deploy
    environment:
      - DB_USERNAME=
      - DB_PASSWORD=
      - KFONIX_ENV=wv
      - KFONIX_STANDALONE=true
      - LIQUIBASE_RUN_MANGLD=Mxiqz1xzE9
      - FunctionExpressionResolver=43ereDS+!+SD+
      - JVM_XMS=2g            # -Xms on the individual nodes
      - JVM_XMX=4g            # -Xmx on the individual nodes
      - DB_POOL_MIN_SIZE=10   # minimum DB connection pool size
      - DB_POOL_MAX_SIZE=15   # maximum DB connection pool size
    volumes:
      - /tmp:/tmp

networks:
  kfonixnet:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.255.0/24

[vilmosnagy@vnagy-dell docker]$ cat docker-compose.override.yml
version: "2"

services:
  master:
    environment:
      - DB_USERNAME=ulykonyv_nv_empty
      - DB_PASSWORD=pwd123
      - KFONIX_ENV=wv
      - KFONIX_STANDALONE=true
      - DB_POOL_MIN_SIZE=3    # minimum DB connection pool size
      - DB_POOL_MAX_SIZE=3    # maximum DB connection pool size

[vilmosnagy@vnagy-dell docker]$ cat Dockerfile
FROM openjdk:8

EXPOSE 8080 9990 8787

ENV HOME /root

COPY kfonix-server/ $HOME/kfonix-server

RUN cd /opt \
    && curl -O http://192.168.62.234:8080/nexus/service/local/repositories/thirdparty/content/hu/kfonix/wildfly/5.0.6/wildfly-5.0.6.tar.gz \
    && tar xvfz wildfly-5.0.6.tar.gz \
    && rm -rf wildfly-5.0.6.tar.gz

COPY start.sh $KFONIX_HOME/
COPY authentication/ $KFONIX_HOME/domain/configuration/
COPY authentication/ $KFONIX_HOME/standalone/configuration/
COPY log/logback.xml $KFONIX_HOME/configuration/logback.xml

CMD sed -i "s/\${db_username}/$DB_USERNAME/g" /root/kfonix-server/server-wv.properties \
    && sed -i "s/\${db_password}/$DB_PASSWORD/g" /root/kfonix-server/server-wv.properties \
    && sed -i "s/\${jvm_xms}/$JVM_XMS/g" /root/kfonix-server/server-wv.properties \
    && sed -i "s/\${jvm_xmx}/$JVM_XMX/g" /root/kfonix-server/server-wv.properties \
    && sed -i "s/\${db_pool_min_size}/$DB_POOL_MIN_SIZE/g" /root/kfonix-server/server-wv.properties \
    && sed -i "s/\${db_pool_max_size}/$DB_POOL_MAX_SIZE/g" /root/kfonix-server/server-wv.properties \
    && sed -i "s/\${env}/$KFONIX_ENV/g" /root/kfonix-server/server-local.properties \
    && cd $KFONIX_HOME \
    && ./start.sh

[vilmosnagy@vnagy-dell docker]$ docker version
Client:
 Version:      17.06.0-ce
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:22:33 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.0-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:23:51 2017
 OS/Arch:      linux/amd64
 Experimental: false

[vilmosnagy@vnagy-dell docker]$ docker-compose version
docker-compose version 1.13.0, build 1719ceb
docker-py version: 2.2.1
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.1.0f-fips 25 May 2017
[vilmosnagy@vnagy-dell docker]$

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.8-300.fc26.x86_64
type:           libreport
Description of problem:
Happens when I'm trying to use docker-compose. The installed docker package is from the official repository.

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.9-300.fc26.x86_64
type:           libreport
Description of problem:
I use docker-compose to start a cluster definition on localhost. Every time the container comes up, this alert pops up.

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.9-300.fc26.x86_64
type:           libreport
I think this is a duplicate of Bug 1461817 which was fixed by this update: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375 You may close it as a duplicate and confirm it's resolved with the patch of the original bug.