Bug 1461817 - Starting docker daemon produces AVC denial about iptables_t and container_runtime_t
Summary: Starting docker daemon produces AVC denial about iptables_t and container_run...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-06-15 11:46 UTC by Jan Pazdziora (Red Hat)
Modified: 2017-07-17 04:51 UTC (History)
20 users (show)

Fixed In Version: selinux-policy-3.13.1-260.1.fc26
Clone Of:
Environment:
Last Closed: 2017-07-17 04:51:59 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Jan Pazdziora (Red Hat) 2017-06-15 11:46:46 UTC 
Description of problem:

Starting docker daemon produces AVC denials like

type=AVC msg=audit(1497521828.624:143): avc:  denied  { read } for  pid=2472 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):

docker-1.13.1-13.git51eb16e.fc26
container-selinux-2.18-1.fc26

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y docker
2. systemctl start docker
3. Check audit.log.

Actual results:

time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.605:139): avc:  denied  { read } for  pid=2464 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.608:140): avc:  denied  { read } for  pid=2466 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.623:142): avc:  denied  { read } for  pid=2471 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.624:143): avc:  denied  { read } for  pid=2472 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.625:145): avc:  denied  { read } for  pid=2473 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
----
time->Thu Jun 15 06:17:08 2017
type=AVC msg=audit(1497521828.626:146): avc:  denied  { read } for  pid=2474 comm="iptables" path="net:[4026531961]" dev="nsfs" ino=4026531961 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0

Expected results:

No AVC denial.

Additional info:
Comment 2 Daniel Walsh 2017-06-15 12:23:56 UTC 
Need to add

container_read_state(iptables_t)

This pull request adds this interface

b22d1515cb3e164c0ac3cdc2020c2e8c4d7a55fd
Comment 3 Jan Pazdziora (Red Hat) 2017-07-04 08:39:14 UTC 
Which repo is this pull request against? Any chance of getting this merged and updated policy shipped to Fedora 26?
Comment 5 Thomas Mueller 2017-07-05 10:56:52 UTC 
Jan, the PR is here: https://github.com/fedora-selinux/selinux-policy/pull/197
Comment 6 Jan Pazdziora (Red Hat) 2017-07-10 07:04:12 UTC 
Awesome.

Lukáš, can we get the PR merged and new policy built?
Comment 7 Lukas Vrabec 2017-07-10 07:42:28 UTC 
Jan, 

Yes, sure. 

Build is in progress:
https://koji.fedoraproject.org/koji/taskinfo?taskID=20437433
Comment 8 Fedora Update System 2017-07-11 17:07:08 UTC 
selinux-policy-3.13.1-260.1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
Comment 9 Fedora Update System 2017-07-12 08:38:21 UTC 
selinux-policy-3.13.1-260.1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2721b7375
Comment 12 Fedora Update System 2017-07-17 04:51:59 UTC 
selinux-policy-3.13.1-260.1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.