Same situation as https://bugzilla.redhat.com/show_bug.cgi?id=1489199 , but this time I'm trying to run a mysql container, and I get:

type=AVC msg=audit(1506988852.428:31849909): avc: denied { create } for pid=16349 comm="mysqld" name="mysqld.sock" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1506988861.637:31849933): avc: denied { setrlimit } for pid=16601 comm="sh" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1506988861.637:31849934): avc: denied { read write } for pid=16601 comm="lua" path="socket:[129399214]" dev="sockfs" ino=129399214 scontext=system_u:system_r:httpd_user_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=tcp_socket permissive=1

System is up to date:

rlpowell@jukni> sudo dnf list installed container-selinux
Installed Packages
container-selinux.noarch 2:2.24-1.fc26 @updates-testing
rlpowell@jukni> cat /etc/redhat-release
Fedora release 26 (Twenty Six)
Oh, sorry, only the mysqld AVC seems to actually be relevant.
Hmm, turns out that's not everything; here's what I'm currently getting from running the mediawiki and mysql containers together:

type=AVC msg=audit(1506991001.628:31857460): avc: denied { write } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1506991001.628:31857461): avc: denied { getattr } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1506991001.628:31857462): avc: denied { read } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1506991051.740:31857712): avc: denied { write } for pid=28373 comm="supervisord" name="fd" dev="proc" ino=129462681 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1506991051.740:31857712): avc: denied { add_name } for pid=28373 comm="supervisord" name="1" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1506991051.740:31857712): avc: denied { create } for pid=28373 comm="supervisord" name="1" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1506991051.740:31857712): avc: denied { associate } for pid=28373 comm="supervisord" name="1" scontext=system_u:object_r:container_runtime_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1506991052.351:31857721): avc: denied { setattr } for pid=28378 comm="php-fpm" name="mediawiki.socket" dev="dm-2" ino=4352316 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1506991052.836:31857723): avc: denied { write } for pid=28381 comm="nginx" name="mediawiki.socket" dev="dm-2" ino=4352316 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1506991086.617:31857759): avc: denied { write } for pid=28381 comm="nginx" name="mediawiki.socket" dev="dm-2" ino=4352316 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
Robin, are you running with unconfined domain disabled?
It also looks like supervisord and mediawiki did not transition to a different domain? What backend are you using and where is the storage? If you run restorecon -R -v /var/lib/docker, do things improve?
Yes, unconfined is disabled. The restorecon resulted in MANY MANY lines like:

Relabeled /var/lib/docker/devicemapper/mnt/8d558662e8cea2ce2540fa44ae194cf2f4159a38e3edc070320b4272143a424a/rootfs/var/www/mediawiki/vendor/zordius/lightncandy/tests/example_helpers.php from system_u:object_r:unlabeled_t:s0 to system_u:object_r:container_var_lib_t:s0

which I suspect answers your questions about storage but, uh, whatever the default storage model is?, I forget what it's called. docker info says:

Storage Driver: devicemapper
 Pool Name: docker-252:16-33561217-pool
 Pool Blocksize: 65.54kB
 Base Device Size: 10.74GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 3.098GB
 Data Space Total: 107.4GB
 Data Space Available: 17.1GB
 Metadata Space Used: 8.765MB
 Metadata Space Total: 2.147GB
 Metadata Space Available: 2.139GB
 Thin Pool Minimum Free Space: 10.74GB
 Udev Sync Supported: true
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.137 (2016-11-30)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 3addd840653146c90a254301d6c3a663c7fd6429
runc version: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4
init version: 949e6fa
Security Options: seccomp
 Profile: default
Kernel Version: 4.10.11-100.fc24.x86_64
Operating System: Fedora 26 (Twenty Six)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 5.553GiB
Name: jukni.digitalkingdom.org
ID: RAW2:6CCO:JYE3:WTXJ:AZMP:LJ5D:72IG:4ZIH:PMTG:HAVW:KDYZ:WDXU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries: 127.0.0.0/8
Live Restore Enabled: false
After the restorecon we have:

type=AVC msg=audit(1507045317.745:31937444): avc: denied { write } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1507045317.745:31937445): avc: denied { getattr } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1507045317.745:31937446): avc: denied { read } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1507045319.879:31937560): avc: denied { write } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1507045319.879:31937561): avc: denied { getattr } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1507045319.880:31937562): avc: denied { read } for pid=25810 comm="dockerd" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1507045321.269:31937628): avc: denied { create } for pid=4382 comm="mysqld" name="mysqld.sock" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1507045367.916:31937761): avc: denied { write } for pid=4815 comm="supervisord" name="fd" dev="proc" ino=130120192 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1507045367.916:31937761): avc: denied { add_name } for pid=4815 comm="supervisord" name="1" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1507045367.916:31937761): avc: denied { create } for pid=4815 comm="supervisord" name="1" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_t:s0 tclass=file permissive=1
type=AVC msg=audit(1507045367.916:31937761): avc: denied { associate } for pid=4815 comm="supervisord" name="1" scontext=system_u:object_r:container_runtime_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1507045368.055:31937773): avc: denied { create } for pid=4861 comm="php-fpm" name="mediawiki.socket" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1507045368.055:31937774): avc: denied { setattr } for pid=4861 comm="php-fpm" name="mediawiki.socket" dev="dm-2" ino=4352316 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1507045370.842:31937787): avc: denied { write } for pid=4864 comm="nginx" name="mediawiki.socket" dev="dm-2" ino=4352316 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1507045392.358:31937842): avc: denied { write } for pid=4864 comm="nginx" name="mediawiki.socket" dev="dm-2" ino=4352316 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1

but it's worth noting that my scripts completely destroy and rebuild the docker instances on each run. If you want to see other operations, like I dunno just a kill and start of a container or something?, let me know.
So this looks like your containers are continuing to run as container_runtime_t rather than transitioning to spc_t or to a container context. Is this the docker daemon built by Fedora or a home built one? Is the docker daemon running with selinux-enabled? The only reason I can think of containers not changing SELinux labels is that the docker daemon is running with SELinux disabled, and that the applications that it is running do not have labels. The docker info looks like you are running on devmapper on loopback devices.
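An added example (not from this bug report or from the container-selinux project) that parses raw AVC records like the ones above and flags the two symptoms this comment describes: workloads still running in container_runtime_t (dockerd started them without applying SELinux labels) and denials against unlabeled_t objects (storage that restorecon should relabel). DOCKERD_COMMS is an assumption (only dockerd itself belongs in container_runtime_t); the sample records are abridged from this report plus one constructed record for a correctly confined container_t process.

```python
import re
# Added example (not from this bug report or the container-selinux project):
# parse raw AVC records and flag the two symptoms discussed in the thread.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s*\{([^}]*)\}")
# Assumption: only dockerd itself belongs in container_runtime_t; anything it
# launches should have transitioned to container_t or spc_t.
DOCKERD_COMMS = {"dockerd"}

def parse_avc(line):
    """Split one AVC record into its key=value fields plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields

def seltype(context):
    """Type field of a context: system_u:system_r:TYPE:s0[:categories]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def diagnose(lines):
    """Report workloads stuck in container_runtime_t, unlabeled_t objects hit,
    and whether the denials were logged in permissive mode (not enforced)."""
    out = {"no_transition": set(), "unlabeled_target": set(), "permissive": False}
    for line in lines:
        if "avc:" not in line:
            continue  # SYSCALL / PROCTITLE records carry no scontext of interest
        f = parse_avc(line)
        comm = f.get("comm", "")
        if seltype(f.get("scontext", "")) == "container_runtime_t" and comm not in DOCKERD_COMMS:
            out["no_transition"].add(comm)  # dockerd started it without an SELinux label
        if seltype(f.get("tcontext", "")) == "unlabeled_t":
            out["unlabeled_target"].add(f.get("name", "?"))  # candidate for restorecon
        if f.get("permissive") == "1":
            out["permissive"] = True
    return out

# Records abridged from this report, plus one constructed record showing a
# correctly confined process (container_t with MCS categories, enforcing mode).
SAMPLE = [
    'type=AVC msg=audit(1507045317.745:31937444): avc: denied { write } for pid=25810 comm="dockerd" '
    'scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=netlink_netfilter_socket permissive=1',
    'type=AVC msg=audit(1507045321.269:31937628): avc: denied { create } for pid=4382 comm="mysqld" name="mysqld.sock" '
    'scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(1507045370.842:31937787): avc: denied { write } for pid=4864 comm="nginx" name="mediawiki.socket" dev="dm-2" ino=4352316 '
    'scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(1507045400.000:31938000): avc: denied { write } for pid=5000 comm="mysqld" name="mysqld.sock" '
    'scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=sock_file permissive=0',
]
```

Feed it `ausearch -m avc -ts recent --raw` output (one record per line) and an empty no_transition set is what a dockerd running with selinux-enabled should produce.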
I'm sorry, I really should have said where the docker came from to start. It's currently from

[docker-ce-edge]
name=Docker CE Edge - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/edge
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg

because at the time there were no F26 entries in the official docker stable, but I'm going to upgrade to a stable version shortly. The F26 docker is just too far behind for my taste. I'm certainly not disabling selinux in docker on purpose! Ah. It appears to be off by default. Well, crap. Let me update and fix that and get back to you. Sorry for the confusion.
If you are not using docker from the distribution you should be reporting issues to upstream docker. We don't know how this package was built.