Bug 1489199 - Docker selinux problem; can't bind pty.sock
Summary: Docker selinux problem; can't bind pty.sock
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 26
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-09-06 23:49 UTC by Robin Powell
Modified: 2017-10-03 00:05 UTC (History)

Fixed In Version: container-selinux-2.24-1.fc27 container-selinux-2.24-1.fc25 container-selinux-2.24-1.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-01 18:17:46 UTC
Type: Bug



Description Robin Powell 2017-09-06 23:49:11 UTC
I'm running docker packages from docker itself; everything else is standard F26 except that unconfined is disabled:

rlpowell@jukni> dnf list installed '*docker*' '*selinux*'
Installed Packages
container-selinux.noarch                                                              2:2.21-1.fc26                                                            @updates
docker-ce.x86_64                                                                      17.07.0.ce-1.fc26                                                        @docker-ce-edge
libselinux.x86_64                                                                     2.6-7.fc26                                                               @updates
libselinux-devel.x86_64                                                               2.6-7.fc26                                                               @updates
libselinux-python.x86_64                                                              2.6-7.fc26                                                               @updates
libselinux-python3.x86_64                                                             2.6-7.fc26                                                               @updates
libselinux-ruby.x86_64                                                                2.6-7.fc26                                                               @updates
libselinux-utils.x86_64                                                               2.6-7.fc26                                                               @updates
rpm-plugin-selinux.x86_64                                                             4.13.0.1-5.fc26                                                          @updates
selinux-policy.noarch                                                                 3.13.1-260.4.fc26                                                        @updates
selinux-policy-devel.noarch                                                           3.13.1-260.4.fc26                                                        @updates
selinux-policy-doc.noarch                                                             3.13.1-260.4.fc26                                                        @updates
selinux-policy-targeted.noarch                                                        3.13.1-260.4.fc26                                                        @updates

rlpowell@jukni> sudo semanage module  -l | grep -i disabled
unconfined                100       pp    Disabled

"docker run -it" leads reliably to:

/usr/bin/docker: Error response from daemon: shim error: listen unix /tmp/pty016104378/pty.sock: bind: permission denied.

which seems pretty bad.

The following are all the AVCs from running:

sudo docker run --name lojban_mediawiki -p $port:80 -p 11443:443 -p 11900:9000 -v /srv/lojban/mediawiki-docker/data/LocalSettings.php:/var/www/mediawiki/LocalSettings.php -it lojban/mediawiki:$MW_VERSION-$ITERATION /bin/bash

against a mediawiki container.

type=AVC msg=audit(1504712369.319:25882497): avc:  denied  { create } for  pid=18814 comm="docker-containe" name="pty.sock" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712369.326:25882499): avc:  denied  { write } for  pid=18821 comm="docker-runc" name="pty.sock" dev="vdb" ino=34209103 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712369.424:25882505): avc:  denied  { unlink } for  pid=18814 comm="docker-containe" name="pty.sock" dev="vdb" ino=34209103 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712370.619:25882517): avc:  denied  { write } for  pid=18885 comm="supervisord" name="fd" dev="proc" ino=91560442 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1504712370.619:25882517): avc:  denied  { add_name } for  pid=18885 comm="supervisord" name="1" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1504712370.619:25882517): avc:  denied  { create } for  pid=18885 comm="supervisord" name="1" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1504712370.619:25882517): avc:  denied  { associate } for  pid=18885 comm="supervisord" name="1" scontext=system_u:object_r:container_runtime_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1504712370.858:25882528): avc:  denied  { create } for  pid=18891 comm="php-fpm" name="mediawiki.socket" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712370.858:25882529): avc:  denied  { setattr } for  pid=18891 comm="php-fpm" name="mediawiki.socket" dev="dm-1" ino=4352316 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712394.103:25882690): avc:  denied  { unlink } for  pid=18891 comm="php-fpm" name="mediawiki.socket" dev="dm-1" ino=4352316 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712394.283:25882727): avc:  denied  { write } for  pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1504712394.284:25882728): avc:  denied  { getattr } for  pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1504712394.284:25882729): avc:  denied  { read } for  pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1

The one there that stands out as being obviously bad is the container_runtime_tmp_t:sock_file one.

The mediawiki.socket thing appears to be this, inside the container:

root@0ef9679e98f0:/var/www/mediawiki# ls -lZ /run/php7-fpm/mediawiki.socket
srw-rw----. 1 www-data www-data system_u:object_r:unlabeled_t:s0 0 Sep  6 15:47 /run/php7-fpm/mediawiki.socket

I was confused for a while as to why it was getting labeled at all, since, you know, inside a docker, but because of how docker is laying out its files, this file is actually /var/lib/docker/devicemapper/mnt/ae23c8e9a605cf56de62f77c26e02fc8e4c6a41937ab0b6ff94e2e87b1f4816b/rootfs/run/php7-fpm/mediawiki.socket

I could certainly add an fcontext matching /var/lib/docker/devicemapper/mnt/[^/]*/rootfs/run/php7-fpm/ and make it container_var_run_t , but that seems icky; I'd love other suggestions.

Comment 1 Robin Powell 2017-09-07 00:48:55 UTC
Hmm, no, that doesn't actually work:

rlpowell@jukni> sudo find /var/lib/docker -name mediawiki.socket
/var/lib/docker/devicemapper/mnt/29231b66bbea72ef8973fb6865688e7ee9f15970bb7f38cd0b81bb1d517e5296/rootfs/run/php7-fpm/mediawiki.socket
rlpowell@jukni> sudo ls -lZ /var/lib/docker/devicemapper/mnt/29231b66bbea72ef8973fb6865688e7ee9f15970bb7f38cd0b81bb1d517e5296/rootfs/run/php7-fpm/mediawiki.socket
srw-rw----. 1 sampre_mw sampre_mw system_u:object_r:unlabeled_t:s0 0 Sep  6 17:47 /var/lib/docker/devicemapper/mnt/29231b66bbea72ef8973fb6865688e7ee9f15970bb7f38cd0b81bb1d517e5296/rootfs/run/php7-fpm/mediawiki.socket
rlpowell@jukni> sudo restorecon -v /var/lib/docker/devicemapper/mnt/29231b66bbea72ef8973fb6865688e7ee9f15970bb7f38cd0b81bb1d517e5296/rootfs/run/php7-fpm/mediawiki.socket
Relabeled /var/lib/docker/devicemapper/mnt/29231b66bbea72ef8973fb6865688e7ee9f15970bb7f38cd0b81bb1d517e5296/rootfs/run/php7-fpm/mediawiki.socket from system_u:object_r:unlabeled_t:s0 to system_u:object_r:container_var_run_t:s0


So no idea what to do about the mediawiki.socket bit.  The rest of it seems fairly straightforward, I think?

Comment 2 Daniel Walsh 2017-09-07 08:36:28 UTC
We need to allow container_runtime_t to create these socket files.
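
The denials quoted in the description, and the rule Comment 2 asks for, can be worked through mechanically: group each AVC record by source type, target type and object class, and the union of the denied permissions per group is the allow rule a policy module would need. The Python below is an added illustration, not code from this bug, from container-selinux or from the upstream commit named in Comment 4; the sample records are a constructed subset copied from the description. It also singles out groups whose target is unlabeled_t, on the assumption (drawn from Comment 1's restorecon output, not stated in the bug) that a file carrying that label is a labeling problem to fix with the right file context, not something to grant access to.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records quoted in this bug report,
# one record per line as the audit log prints them.
SAMPLE_AVCS = """\
type=AVC msg=audit(1504712369.319:25882497): avc:  denied  { create } for  pid=18814 comm="docker-containe" name="pty.sock" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712369.326:25882499): avc:  denied  { write } for  pid=18821 comm="docker-runc" name="pty.sock" dev="vdb" ino=34209103 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712369.424:25882505): avc:  denied  { unlink } for  pid=18814 comm="docker-containe" name="pty.sock" dev="vdb" ino=34209103 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712370.858:25882528): avc:  denied  { create } for  pid=18891 comm="php-fpm" name="mediawiki.socket" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1504712394.283:25882727): avc:  denied  { write } for  pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
"""

# Pulls the denied permission set, the two security contexts and the object
# class out of one AVC record; permissive= is optional in older audit output.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def selinux_type(context):
    """user:role:type:level -> type, the field policy rules are written against."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC record found in the audit text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "source": selinux_type(m.group("scontext")),
            "target": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def summarize(records):
    """Group denials by (source type, target type, class), unioning permissions."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    return dict(grouped)


def allow_rules(summary):
    """Render each group as an audit2allow-style allow rule (illustrative only)."""
    return [
        f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, tclass), perms in sorted(summary.items())
    ]


def unlabeled_targets(summary):
    """Groups whose target is unlabeled_t: a relabel problem, not a policy gap."""
    return sorted(key for key in summary if key[1] == "unlabeled_t")


if __name__ == "__main__":
    summary = summarize(parse_avcs(SAMPLE_AVCS))
    for rule in allow_rules(summary):
        print(rule)
    for src, tgt, tclass in unlabeled_targets(summary):
        print(f"# {src} -> {tgt}:{tclass}: fix the file's label instead of allowing this")
```

Run against the sample, the container_runtime_tmp_t:sock_file group comes out as `{ create unlink write }`, which matches the pty.sock denials that break `docker run -it`; the mediawiki.socket group is reported separately because its target is unlabeled_t.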

Comment 3 Daniel Walsh 2017-09-07 08:39:22 UTC
Fixed in container-selinux-2.23-1.fc26

Comment 4 Daniel Walsh 2017-09-07 08:40:30 UTC
81ff96c3e100ec23f7934000e96adab56762fd96 fixes this in github.

Comment 5 Fedora Update System 2017-09-22 12:48:50 UTC
container-selinux-2.24-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-85a3632156

Comment 6 Fedora Update System 2017-09-22 12:49:17 UTC
container-selinux-2.24-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-90d5ed7a4c

Comment 7 Fedora Update System 2017-09-22 12:49:38 UTC
container-selinux-2.24-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c280874eff

Comment 8 Fedora Update System 2017-09-22 17:55:33 UTC
container-selinux-2.24-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-90d5ed7a4c

Comment 9 Fedora Update System 2017-09-23 00:28:57 UTC
container-selinux-2.24-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-85a3632156

Comment 10 Fedora Update System 2017-09-23 02:25:48 UTC
container-selinux-2.24-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c280874eff

Comment 11 Fedora Update System 2017-10-01 18:17:46 UTC
container-selinux-2.24-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2017-10-01 23:20:38 UTC
container-selinux-2.24-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2017-10-02 02:50:10 UTC
container-selinux-2.24-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Robin Powell 2017-10-03 00:05:48 UTC
This looks much better, thank you!  Unfortunately I've had to add https://bugzilla.redhat.com/show_bug.cgi?id=1497867 as a follow-up.
