Bug 1573002 - SELinux is preventing runc:[2:INIT] from 'entrypoint' accesses on the file /bin/echo.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:85bf48f176a859c46527bb57405...
Depends On:
Reported: 2018-04-29 16:16 UTC by Daniel Stiner
Modified: 2018-05-01 16:17 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-01 16:17:16 UTC
Type: ---


Description Daniel Stiner 2018-04-29 16:16:28 UTC
Description of problem:
Run any command in a Debian-based Docker container, such as:
docker run --rm debian:latest echo Hello World
SELinux is preventing runc:[2:INIT] from 'entrypoint' accesses on the file /bin/echo.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/bin/echo default label should be bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
# /sbin/restorecon -v /bin/echo

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that runc:[2:INIT] should be allowed entrypoint access on the echo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
# semodule -X 300 -i my-runc2INIT.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c73,c380
Target Context                system_u:object_r:container_var_lib_t:s0
Target Objects                /bin/echo [ file ]
Source                        runc:[2:INIT]
Source Path                   runc:[2:INIT]
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           coreutils-8.29-6.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.4-300.fc28.x86_64 #1 SMP Tue
                              Apr 24 22:15:13 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-29 09:15:04 PDT
Last Seen                     2018-04-29 09:15:04 PDT
Local ID                      6dc5df0c-0884-407f-980d-4e2f8d181bf1

Raw Audit Messages
type=AVC msg=audit(1525018504.959:707): avc:  denied  { entrypoint } for  pid=32126 comm="runc:[2:INIT]" path="/bin/echo" dev="dm-1" ino=1341736 scontext=system_u:system_r:container_t:s0:c73,c380 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0

Hash: runc:[2:INIT],container_t,container_var_lib_t,file,entrypoint

Version-Release number of selected component:

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.4-300.fc28.x86_64
type:           libreport
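The raw AVC record above carries everything needed to triage this class of denial without setroubleshoot: the denied permission, the source and target SELinux types, the object class and whether the system was permissive. The following parser is an added example and is not part of the bug report or of any Fedora tool. It takes the page's own AVC line (plus one constructed, unrelated denial for contrast), splits each record into fields, and flags the specific pattern seen in this bug, a container_t process denied entrypoint on a file labelled container_var_lib_t, with the relabel command that resolved the thread (restorecon -R -v /var/lib/docker, from comment 2). That pattern-to-hint mapping is a heuristic drawn from this thread, not a rule from the policy itself.

```python
import re

# Constructed sample input: the first line is the AVC record quoted in this bug
# report; the second is a made-up, unrelated denial that must NOT be flagged.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1525018504.959:707): avc:  denied  { entrypoint } for  pid=32126 '
    'comm="runc:[2:INIT]" path="/bin/echo" dev="dm-1" ino=1341736 '
    'scontext=system_u:system_r:container_t:s0:c73,c380 '
    'tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1525018600.001:712): avc:  denied  { read } for  pid=4242 '
    'comm="httpd" path="/srv/www/index.html" dev="dm-1" ino=9001 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." -- the permission set sits
# inside braces, everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
AUDIT_ID_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
# Values are either double-quoted (may contain spaces/colons) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic taken from this thread (assumption, not policy): container_t denied
# entrypoint on a container_var_lib_t file means the image layers under the
# container storage root carry the wrong label.
RELABEL_HINT = (
    "container image files mislabeled as container_var_lib_t; "
    "relabel container storage: restorecon -R -v /var/lib/docker"
)


def parse_avc(line):
    """Parse one raw AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    ident = AUDIT_ID_RE.search(line)
    if ident:
        rec["timestamp"] = ident.group("ts")
        rec["serial"] = ident.group("serial")
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type[:range]; the type is field 3.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def classify(rec):
    """Return a remediation hint for the pattern seen in this bug, else None."""
    if rec is None or rec["result"] != "denied":
        return None
    if (rec["stype"] == "container_t" and "entrypoint" in rec["perms"]
            and rec.get("tclass") == "file" and rec["ttype"] == "container_var_lib_t"):
        return RELABEL_HINT
    return None


def triage(lines):
    """Return [(serial, path, hint)] for every record that matches a known pattern."""
    flagged = []
    for line in lines:
        rec = parse_avc(line)
        hint = classify(rec)
        if hint:
            flagged.append((rec.get("serial"), rec.get("path"), hint))
    return flagged


if __name__ == "__main__":
    for serial, path, hint in triage(SAMPLE_AUDIT_LINES):
        print(f"audit serial {serial}: {path}: {hint}")
```

On a real host the input would come from `ausearch -m AVC --raw`, exactly the feed the catchall plugin pipes into audit2allow; running it through a classifier like this first lets you distinguish a labeling fault, which restorecon fixes, from a genuine policy gap before generating a local allow module.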

Comment 1 Daniel Stiner 2018-04-29 16:20:19 UTC
Previously worked under Fedora 27, broken after clean upgrade to Fedora 28 Beta.

$ dnf info docker
Installed Packages
Name         : docker
Epoch        : 2
Version      : 1.13.1
Release      : 51.git4032bd5.fc28
Arch         : x86_64
Size         : 67 M
Source       : docker-1.13.1-51.git4032bd5.fc28.src.rpm
Repo         : @System
From repo    : fedora
Summary      : Automates deployment of containerized applications
URL          : https://github.com/projectatomic/docker

Comment 2 Daniel Walsh 2018-04-30 12:01:35 UTC
Did you switch to an Overlay2 back end?

restorecon -R -v /var/lib/docker 

Change the labels in /var/lib/docker/overlay2
And solve this problem?

Comment 3 Daniel Stiner 2018-04-30 15:07:57 UTC
I did not manually change the back-end, but it appears I am using overlay2. Running restorecon did fix the issue, thanks for that!

Is there a chance other people will run into this? I'm happy to try and reproduce the upgrade in a VM or whatever else may be useful.

$ docker info
...Storage Driver: overlay2...

$ restorecon -R -v /var/lib/docker
Relabeled /var/lib/docker/tmp/docker-builder601697712/<file> from system_u:object_r:var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0

Comment 4 Daniel Walsh 2018-04-30 15:11:37 UTC
I am not sure how this can happen. If you were to rm -rf /var/lib/docker, I think everything would get labeled correctly.  

For some reason during the update you either had an overlay2 directory preexisting, and we did not catch it, or somehow it got mislabeled.

Comment 5 Daniel Stiner 2018-05-01 01:59:24 UTC
I'm not sure either. I have tried applying custom SELinux policy on this machine before, but nothing Docker related.

Unless someone else runs into this, I'd say this can be closed. Thanks for your help!

Random asides:
- Based on the creation date of /var/lib/docker/overlay2/, I installed docker in Feb 2017; I would have been running Fedora 25 back then.
- Just for kicks I did a clean F27 install and upgraded it, docker worked as expected before and after the upgrade.
