Bug 1495053 - SELinux is preventing traefik from 'connectto' accesses on the unix_stream_socket /run/docker.sock.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 26
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f4454ca29cb6ed76b5032e59af7...
Depends On:
Blocks:
Reported: 2017-09-25 04:19 UTC by Igor Tonkopryadchenko
Modified: 2017-09-25 12:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-09-25 12:11:36 UTC
Type: ---
Embargoed:


Attachments
File: docker-compose.yaml (392 bytes, text/plain)
2017-09-25 04:19 UTC, Igor Tonkopryadchenko

Description Igor Tonkopryadchenko 2017-09-25 04:19:23 UTC
Description of problem:
Trying to use traefik (reverse proxy) with a binding of /var/run/docker.sock in the guest container, so it could use the docker API to discover other containers.
SELinux is preventing traefik from 'connectto' accesses on the unix_stream_socket /run/docker.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traefik should be allowed connectto access on the docker.sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traefik' --raw | audit2allow -M my-traefik
# semodule -X 300 -i my-traefik.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c45,c163
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                /run/docker.sock [ unix_stream_socket ]
Source                        traefik
Source Path                   traefik
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.9.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.12.13-300.fc26.x86_64 #1 SMP Thu
                              Sep 14 16:00:38 UTC 2017 x86_64 x86_64
Alert Count                   58
First Seen                    2017-09-24 20:32:45 PDT
Last Seen                     2017-09-24 21:15:53 PDT
Local ID                      97b032a9-9321-4897-91e2-307a0eaaf0be

Raw Audit Messages
type=AVC msg=audit(1506312953.780:420): avc:  denied  { connectto } for  pid=4226 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c45,c163 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0


Hash: traefik,container_t,container_runtime_t,unix_stream_socket,connectto

Version-Release number of selected component:
selinux-policy-3.13.1-260.9.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.13-300.fc26.x86_64
type:           libreport

Comment 1 Igor Tonkopryadchenko 2017-09-25 04:19:29 UTC
Created attachment 1330358 [details]
File: docker-compose.yaml

Comment 2 Daniel Walsh 2017-09-25 12:11:36 UTC
You are trying to connect a confined domain to the docker socket.  There is no sense in doing this, since the ability to talk to the docker socket allows you full control over the host.  Either this is a very serious breakout of your container, or you should be running a privileged container.  SELinux is doing exactly what it should do in blocking access to the docker socket.

https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
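As an added example (not part of this bug report, of setroubleshoot, or of the container-selinux project), the following Python script parses raw AVC audit lines like the one in the description and flags the pattern Daniel Walsh describes: a process in the confined container domain (container_t) attempting connectto on a unix_stream_socket labelled container_runtime_t. It distinguishes a denial that SELinux actually enforced (permissive=0, as in this report) from one logged in permissive mode, where the connection went through and the host-control concern is live rather than blocked. The sample input is constructed: the first line is the AVC message from this bug, the remaining three are made up for contrast, and the domain names are taken from the contexts shown above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample input. Line 1 is the raw AVC message from this bug report; the
# other three are made up here (a permissive-mode hit, an unrelated httpd denial,
# and a non-AVC record) to show how the filter behaves on mixed audit output.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1506312953.780:420): avc:  denied  { connectto } for  pid=4226 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c45,c163 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1506313000.000:430): avc:  denied  { connectto } for  pid=5120 comm="nginx" path="/var/run/docker.sock" scontext=system_u:system_r:container_t:s0:c12,c99 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1',
    'type=AVC msg=audit(1506313010.500:431): avc:  denied  { read } for  pid=4300 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1506312953.780:420): arch=c000003e syscall=42 success=no exit=-13 pid=4226 comm="traefik"',
]

# Header of an AVC record: timestamp:serial, denied/granted, the permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted strings or runs of non-whitespace
# (SELinux contexts contain ':' and ',' but never spaces, so \S+ captures them whole).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    ts: float
    serial: int
    result: str
    perms: Tuple[str, ...]
    pid: int
    comm: str
    path: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one raw audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(
        ts=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        pid=int(fields.get("pid", "-1")),
        comm=fields.get("comm", ""),
        path=fields.get("path"),
        scontext=fields.get("scontext", ""),
        tcontext=fields.get("tcontext", ""),
        tclass=fields.get("tclass", ""),
        permissive=fields.get("permissive") == "1",
    )


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


# Domains exactly as they appear in this report: confined container processes run as
# container_t, the docker daemon and its /run/docker.sock as container_runtime_t.
CONTAINER_DOMAINS = {"container_t"}
RUNTIME_DOMAINS = {"container_runtime_t"}


def is_container_to_runtime_socket(rec: AvcRecord) -> bool:
    """True when a confined container tried to connect to the container runtime's socket."""
    return (
        selinux_type(rec.scontext) in CONTAINER_DOMAINS
        and selinux_type(rec.tcontext) in RUNTIME_DOMAINS
        and rec.tclass == "unix_stream_socket"
        and "connectto" in rec.perms
    )


@dataclass
class Finding:
    serial: int
    pid: int
    comm: str
    path: Optional[str]
    # "blocked": SELinux enforced the denial (permissive=0), as in this bug.
    # "ALLOWED-permissive": the connect succeeded because the domain was permissive.
    severity: str


def find_container_socket_access(lines: Iterable[str]) -> List[Finding]:
    """Scan raw audit lines and report container -> runtime-socket connect attempts."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not is_container_to_runtime_socket(rec):
            continue
        severity = "ALLOWED-permissive" if rec.permissive else "blocked"
        findings.append(Finding(rec.serial, rec.pid, rec.comm, rec.path, severity))
    return findings


if __name__ == "__main__":
    for f in find_container_socket_access(SAMPLE_AUDIT_LINES):
        print(f"audit serial {f.serial}: {f.comm} (pid {f.pid}) -> {f.path}: {f.severity}")
```

Feed it `ausearch -m AVC --raw` output on a host to get the same classification over real records. The check keys on the source and target domains rather than on the socket path alone, since the same docker socket may be bind-mounted at /var/run/docker.sock or /run/docker.sock inside the container; a permissive-mode hit is the one to treat as an incident, because there the confined workload actually reached the daemon.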

