Description of problem:
In a program which is run as a systemd service in a container, we try to write to stdout. For some reason, the bash script is actually doing the equivalent of

  echo Test > /dev/stdout

It fails.

Version-Release number of selected component (if applicable):
docker-1.13.1-44.git584d391.fc27.x86_64
selinux-policy-3.13.1-283.21.fc27.noarch
container-selinux-2.42-1.fc27.noarch

How reproducible:
Deterministic.

Steps to Reproduce:
1. Have Dockerfile:

  FROM fedora:27
  ADD test-service /usr/bin/
  ADD test-service.service /etc/systemd/system/
  RUN systemctl enable test-service

2. Have test-service:

  #!/bin/bash
  echo This is test service.
  ls -la /dev/std* /dev/console
  ( echo This is test service with stdout. ) > /dev/stdout

3. Run

  # chmod a+x test-service

4. Have test-service.service:

  [Unit]
  Description=Test proc AVC denials
  [Service]
  Type=oneshot
  ExecStart=/usr/bin/test-service
  [Install]
  WantedBy=multi-user.target

5. Build container:

  docker build -t systemd .

6. Run the container:

  docker run --name systemd systemd /usr/sbin/init

7. Check audit.log.

8. From another terminal, run:

  docker exec systemd journalctl _COMM=test-service -l

Actual results:
type=AVC msg=audit(1517487204.639:23310): avc: denied { mounton } for pid=19121 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c562,c959 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1517487204.979:23324): avc: denied { write } for pid=19170 comm="test-service" name="fd" dev="proc" ino=1625213 scontext=system_u:system_r:container_t:s0:c562,c959 tcontext=system_u:system_r:container_t:s0:c562,c959 tclass=dir permissive=0

-- Logs begin at Thu 2018-02-01 12:13:24 UTC, end at Thu 2018-02-01 12:13:53 UTC. --
Feb 01 12:13:24 2769242e3664 test-service[23]: This is test service.
Feb 01 12:13:24 2769242e3664 test-service[23]: ls: cannot access '/dev/console': No such file or directory
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb 1 12:13 /dev/stderr -> /proc/self/fd/2
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb 1 12:13 /dev/stdin -> /proc/self/fd/0
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb 1 12:13 /dev/stdout -> /proc/self/fd/1
Feb 01 12:13:24 2769242e3664 test-service[23]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address

Expected results:
No AVC denials.

-- Logs begin at Thu 2018-02-01 12:13:24 UTC, end at Thu 2018-02-01 12:13:53 UTC. --
Feb 01 12:13:24 2769242e3664 test-service[23]: This is test service.
Feb 01 12:13:24 2769242e3664 test-service[23]: ls: cannot access '/dev/console': No such file or directory
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb 1 12:13 /dev/stderr -> /proc/self/fd/2
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb 1 12:13 /dev/stdin -> /proc/self/fd/0
Feb 01 12:13:24 2769242e3664 test-service[23]: lrwxrwxrwx. 1 root root 15 Feb 1 12:13 /dev/stdout -> /proc/self/fd/1
Feb 01 12:13:24 2769242e3664 test-service[23]: This is test service with stdout.

Additional info:
On RHEL 7, things fail as well but the AVC denial is different and the error is about Permission denied, not No such device or address -- see bug 1540956.
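The "No such device or address" reported for line 4 of test-service is ENXIO from open(2): bash implements "> /dev/stdout" by opening that path, /dev/stdout resolves to /proc/self/fd/1, and Linux refuses to open a socket through a /proc/self/fd link. A service started by systemd with the default StandardOutput=journal has an AF_UNIX stream socket to journald on fd 1, so the open fails there, while the same line works when fd 1 is a pipe, a file or a tty. Redirecting with ">&1" instead duplicates fd 1 with dup2(2) and never touches /proc. The following Python script is an added illustration, not code from the bug report or from any package named in it: it runs both redirection forms under bash with fd 1 attached first to a socketpair and then to a pipe, and separately probes the open(2) itself. The snippet names, the "hello" payload and the read buffer size are constructed for the example.

```python
"""Why '> /dev/stdout' fails when fd 1 is a socket, and why '>&1' does not.

Added example, not part of the bug report. The snippets and the "hello"
payload are constructed; the mechanism (bash open()s /dev/stdout, which is a
symlink to /proc/self/fd/1, and Linux answers ENXIO for a socket) is what
produces the "No such device or address" line in the report.
"""
import errno
import os
import socket
import subprocess

# Two ways of writing the same text. The first mirrors line 4 of the
# reporter's test-service; the second is the form that works for any fd.
SNIPPETS = {
    "open_dev_stdout": "( echo hello ) > /dev/stdout",  # open(2) of /proc/self/fd/1
    "dup_fd_1": "( echo hello ) >&1",                   # dup2(2) of fd 1, no open
}


def open_via_proc(fd: int) -> str:
    """Do what bash does for '> /dev/stdout': open /proc/self/fd/<fd> for writing.

    Returns "OK" on success, otherwise the errno name (ENXIO for a socket).
    """
    try:
        new_fd = os.open(f"/proc/self/fd/{fd}", os.O_WRONLY)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(new_fd)
    return "OK"


def probe_fd_kinds() -> dict:
    """Compare open_via_proc() on a socketpair end and on a pipe write end."""
    sock_a, sock_b = socket.socketpair()
    pipe_r, pipe_w = os.pipe()
    try:
        return {
            "socket": open_via_proc(sock_a.fileno()),
            "pipe": open_via_proc(pipe_w),
        }
    finally:
        sock_a.close()
        sock_b.close()
        os.close(pipe_r)
        os.close(pipe_w)


def run_bash_with_stdout(kind: str, snippet: str) -> tuple:
    """Run `snippet` in bash with fd 1 attached to a socket or a pipe.

    A service started by systemd with the default StandardOutput=journal gets
    an AF_UNIX stream socket to journald as its stdout; the "socket" case
    stands in for that. Returns (exit_status, text_written_to_fd1, stderr).
    """
    if kind == "socket":
        child_end, parent_end = socket.socketpair()
        out_fd = child_end.fileno()
    elif kind == "pipe":
        pipe_r, pipe_w = os.pipe()
        out_fd = pipe_w
    else:
        raise ValueError(f"unknown fd kind {kind!r}")

    proc = subprocess.run(["bash", "-c", snippet], stdout=out_fd,
                          stderr=subprocess.PIPE, text=True)

    # Close our copy of the write side first so the read sees EOF once the
    # child's copy is gone, then collect whatever the snippet managed to write.
    if kind == "socket":
        child_end.close()
        data = parent_end.recv(4096)
        parent_end.close()
    else:
        os.close(pipe_w)
        data = os.read(pipe_r, 4096)
        os.close(pipe_r)
    return proc.returncode, data.decode(), proc.stderr.strip()


def compare_redirections() -> dict:
    """Results keyed by (fd kind, snippet name)."""
    results = {}
    for kind in ("socket", "pipe"):
        for name, snippet in SNIPPETS.items():
            results[(kind, name)] = run_bash_with_stdout(kind, snippet)
    return results


if __name__ == "__main__":
    print("open(/proc/self/fd/N) by fd kind:", probe_fd_kinds())
    for (kind, name), (status, out, err) in compare_redirections().items():
        print(f"{kind:6} {name:16} exit={status} stdout={out!r} stderr={err!r}")
```

Run on any Linux host with bash and a mounted /proc. The socket case reproduces the report's error without a container or SELinux in the picture; the pipe case shows why the same script line passes when its output goes to a pipe or file. For a unit that must work under journald, ">&1" (or simply writing to stdout without any redirection) is the form to use.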
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 reaches end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
On Fedora 28 with docker-1.13.1-61.git9cb56fd.fc28.x86_64, there is no AVC denial logged but the journalctl output looks the same:

-- Logs begin at Thu 2018-12-13 11:35:04 UTC, end at Thu 2018-12-13 11:36:04 UTC. --
Dec 13 11:35:04 c1b013994f27 test-service[25]: This is test service.
Dec 13 11:35:04 c1b013994f27 test-service[25]: ls: cannot access '/dev/console': No such file or directory
Dec 13 11:35:04 c1b013994f27 test-service[25]: lrwxrwxrwx. 1 root root 15 Dec 13 11:35 /dev/stderr -> /proc/self/fd/2
Dec 13 11:35:04 c1b013994f27 test-service[25]: lrwxrwxrwx. 1 root root 15 Dec 13 11:35 /dev/stdin -> /proc/self/fd/0
Dec 13 11:35:04 c1b013994f27 test-service[25]: lrwxrwxrwx. 1 root root 15 Dec 13 11:35 /dev/stdout -> /proc/self/fd/1
Dec 13 11:35:04 c1b013994f27 test-service[25]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 reaches end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
On Fedora 29 with

  docker-1.13.1-67.git1185cfd.fc29.x86_64
  container-selinux-2.100-1.git3b78187.fc29.noarch

the AVC denial

  type=AVC msg=audit(1557430803.187:607): avc: denied { mounton } for pid=12919 comm="systemd" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:container_t:s0:c436,c737 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0

is back and the journalctl output is the same:

May 09 19:40:03 901b94ccc075 test-service[25]: This is test service.
May 09 19:40:03 901b94ccc075 test-service[25]: ls: cannot access '/dev/console': No such file or directory
May 09 19:40:03 901b94ccc075 test-service[25]: lrwxrwxrwx. 1 root root 15 May 9 19:40 /dev/stderr -> /proc/self/fd/2
May 09 19:40:03 901b94ccc075 test-service[25]: lrwxrwxrwx. 1 root root 15 May 9 19:40 /dev/stdin -> /proc/self/fd/0
May 09 19:40:03 901b94ccc075 test-service[25]: lrwxrwxrwx. 1 root root 15 May 9 19:40 /dev/stdout -> /proc/self/fd/1
May 09 19:40:03 901b94ccc075 test-service[25]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address
This has never been allowed in policy, as far as I have seen, so I am thinking something changed in Systemd or in Docker, which has not been updated. The question is why is systemd attempting to mount something on /proc?
This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 reaches end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
On Fedora 31 with

  docker-1.13.1-68.git47e2230.fc30.x86_64
  container-selinux-2.117.0-1.gitbfde70a.fc31.noarch

on the host and a container based on registry.fedoraproject.org/fedora:30, the AVC denial is gone and the journalctl output is the same:

Nov 01 10:33:09 debc35e15224 test-service[27]: This is test service.
Nov 01 10:33:09 debc35e15224 test-service[27]: ls: cannot access '/dev/console': No such file or directory
Nov 01 10:33:09 debc35e15224 test-service[27]: lrwxrwxrwx. 1 root root 15 Nov 1 10:33 /dev/stderr -> /proc/self/fd/2
Nov 01 10:33:09 debc35e15224 test-service[27]: lrwxrwxrwx. 1 root root 15 Nov 1 10:33 /dev/stdin -> /proc/self/fd/0
Nov 01 10:33:09 debc35e15224 test-service[27]: lrwxrwxrwx. 1 root root 15 Nov 1 10:33 /dev/stdout -> /proc/self/fd/1
Nov 01 10:33:09 debc35e15224 test-service[27]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address
Not likely to fix any issues with Docker. We are dropping support. Does this happen in Podman?
With

  podman-1.6.2-2.fc31.x86_64
  container-selinux-2.123.0-2.fc31.noarch

and a container based on registry.fedoraproject.org/fedora:31, there are no AVC denials and the journalctl output is the same:

# podman exec systemd journalctl _COMM=test-service -l
-- Logs begin at Tue 2019-12-17 13:13:24 UTC, end at Tue 2019-12-17 13:13:24 UTC. --
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: This is test service.
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: ls: cannot access '/dev/console': No such file or directory
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: lrwxrwxrwx. 1 root root 15 Dec 17 13:13 /dev/stderr -> /proc/self/fd/2
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: lrwxrwxrwx. 1 root root 15 Dec 17 13:13 /dev/stdin -> /proc/self/fd/0
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: lrwxrwxrwx. 1 root root 15 Dec 17 13:13 /dev/stdout -> /proc/self/fd/1
Dec 17 13:13:24 17b0f8dd6a9d test-service[22]: /usr/bin/test-service: line 4: /dev/stdout: No such device or address