Bug 1461817 - Starting docker daemon produces AVC denial about iptables_t and container_runtime_t
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-06-15 07:46 EDT by Jan Pazdziora
Modified: 2017-07-17 00:51 EDT (History)
Fixed In Version: selinux-policy-3.13.1-260.1.fc26
Last Closed: 2017-07-17 00:51:59 EDT
Type: Bug
Description Jan Pazdziora 2017-06-15 07:46:46 EDT
Description of problem:

Starting docker daemon produces AVC denials like

type=AVC msg=audit(1497521828.624:143): avc:  denied  { read } for  pid=2472 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):

docker-1.13.1-13.git51eb16e.fc26
container-selinux-2.18-1.fc26

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y docker
2. systemctl start docker
3. Check audit.log.

Actual results:

time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.605:139): avc:  denied  { read } for  pid=2464 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.608:140): avc:  denied  { read } for  pid=2466 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.623:142): avc:  denied  { read } for  pid=2471 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.624:143): avc:  denied  { read } for  pid=2472 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.625:145): avc:  denied  { read } for  pid=2473 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.626:146): avc:  denied  { read } for  pid=2474 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Expected results:

No AVC denial.

Additional info:
Comment 2 Daniel Walsh 2017-06-15 08:23:56 EDT
Need to add

container_read_state(iptables_t)

This pull request adds this interface

b22d1515cb3e164c0ac3cdc2020c2e8c4d7a55fd
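A small audit-log triage helper, added here as an example and not part of the bug report or of the selinux-policy project: it parses AVC records like the ones in the description, keeps only denials that were actually enforced (permissive=0), groups them by source type, target type, object class and permission set, and renders the minimal allow rule for each group so an administrator can compare it with what the proposed container_read_state(iptables_t) interface is meant to grant. The first two sample records are copied from the report; the third (foo_t, permissive=1) is constructed to show the filtering.

```python
import re
from collections import Counter

# Records 1-2 are from the bug report above; record 3 is constructed
# to exercise the permissive filter and must not appear in the summary.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1497521828.605:139): avc:  denied  { read } for  pid=2464 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1497521828.608:140): avc:  denied  { read } for  pid=2466 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1497521900.000:150): avc:  denied  { write } for  pid=3001 comm="foo" path="/tmp/x" dev="tmpfs" ino=12 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

# One regex for the fields we need; order matches how the kernel emits them.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    # The type is the third field of a context: user:role:type:level.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # A denial only blocked something if the domain was not permissive.
    rec["enforced"] = rec["result"] == "denied" and rec["permissive"] != "1"
    return rec


def summarize(text):
    """Count enforced denials keyed by (source type, target type, class, perms)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["enforced"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts


def allow_rule(key):
    """Render the minimal TE rule that would satisfy one summary key."""
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT).items():
        print(f"{n}x  {allow_rule(key)}")
```

The rendered rule is what a raw allow would look like; the policy fix in this bug instead uses the container_read_state() interface so the grant stays tied to the container policy's own definition of runtime state.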
Comment 3 Jan Pazdziora 2017-07-04 04:39:14 EDT
Which repo is this pull request against? Any chance of getting this merged and updated policy shipped to Fedora 26?
Comment 5 Thomas Mueller 2017-07-05 06:56:52 EDT
Jan, the PR is here: https://github.com/fedora-selinux/selinux-policy/pull/197
Comment 6 Jan Pazdziora 2017-07-10 03:04:12 EDT
Awesome.

Lukáš, can we get the PR merged and new policy built?
Comment 7 Lukas Vrabec 2017-07-10 03:42:28 EDT
Jan,

Yes, sure.

Build is in progress:
https://koji.fedoraproject.org/koji/taskinfo?taskID=20437433
Comment 8 Fedora Update System 2017-07-11 13:07:08 EDT
selinux-policy-3.13.1-260.1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
Comment 9 Fedora Update System 2017-07-12 04:38:21 EDT
selinux-policy-3.13.1-260.1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
Comment 12 Fedora Update System 2017-07-17 00:51:59 EDT
selinux-policy-3.13.1-260.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.