Bug 1758227 - SELinux is preventing app from connectto access on the unix_stream_socket /run/docker.sock.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-10-03 15:41 UTC by Craig
Modified: 2022-10-05 16:07 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-10-03 18:20:26 UTC
Type: Bug
Embargoed:



Description Craig 2019-10-03 15:41:33 UTC
Description of problem:
I'm trying to run a Java application that accesses docker and getting this selinux denial:

---
SELinux is preventing app from connectto access on the unix_stream_socket /run/docker.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that app should be allowed connectto access on the docker.sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'app' --raw | audit2allow -M my-app
# semodule -X 300 -i my-app.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c868,c940
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                /run/docker.sock [ unix_stream_socket ]
Source                        app
Source Path                   app
Port                          <Unknown>
Host                          craigatwork
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     craigatwork
Platform                      Linux craigatwork 5.2.14-200.fc30.x86_64 #1 SMP
                              Tue Sep 10 12:17:24 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-10-03 11:26:47 EDT
Last Seen                     2019-10-03 11:26:47 EDT
Local ID                      85e8ff31-2ee8-4a6e-8bd2-c8ed250ff9d6

Raw Audit Messages
type=AVC msg=audit(1570116407.41:1177): avc:  denied  { connectto } for  pid=283184 comm="app" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c868,c940 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0


Hash: app,container_t,container_runtime_t,unix_stream_socket,connectto
---

Version-Release number of selected component (if applicable):
selinux-policy 3.14.4-35.fc31

How reproducible:
Very.

Steps to Reproduce:
1. dnf install java-1.8.0-openjdk-devel git
2. git clone https://github.com/spring-projects/spring-session
3. cd spring-session
4. ./gradlew integrationTest

Actual results:
selinux denial resulting in the failure message: "Can not connect to Ryuk"

Expected results:
no selinux denial, tests passing.

Additional info:

Comment 1 Daniel Walsh 2019-10-03 18:20:26 UTC
If you want to do something as dangerous as allowing the container to connect to the docker.sock, then you need to turn off SELinux separation.

Run with `--security-opt label=disable` 

BTW Does this project work with Podman?

Comment 2 Craig 2019-10-03 19:48:34 UTC
(In reply to Daniel Walsh from comment #1)
> If you want to do something as dangerous as allowing the container to
> connect to the docker.sock, then you need to turn off SELinux separation.

I'm sorry, I don't follow what you're suggesting.

I'm just trying to use https://www.testcontainers.org/ which runs docker images then allows tests to use those containers.

> 
> Run with `--security-opt label=disable` 
> 
> BTW Does this project work with Podman?

As far as I can tell, https://www.testcontainers.org/ does not use podman.
I'm also unclear as to why that's of interest?

Comment 3 Daniel Walsh 2019-10-03 19:51:26 UTC
I am saying your docker command is broken, because you have it with SELinux confinement attempting to do something SELinux would never allow, so this is not a bug.
You need to disable SELinux confinement.

Docker is not part of Fedora. It has been replaced by Podman or Moby-Engine.

Comment 4 Dirk 2022-10-05 16:07:18 UTC
I know this is old and Daniel has essentially answered the question.
But I think the `--security-opt label=disable` approach cannot be easily configured in
`~/.testcontainers.properties` and it grants more privileges than actually needed imho.

The better way is to disable "ryuk".
This should work:

    export TESTCONTAINERS_RYUK_DISABLED=true; ./gradlew integrationTest

Ryuk is a privileged master container that needs write access to the Docker socket to manage the actual testcontainers.
This is how it looks if you convince SELinux to allow it (with a personal Podman socket):

    % podman ps --format "{{.ID}}" |xargs podman inspect -f '{{ .Name }} {{ .Mounts }}' 
    testcontainers-ryuk-28b3d824-4224-4fad-9933-6806ed4778bc [{bind  /run/user/1000/podman/podman.sock /var/run/docker.sock   [nosuid nodev rbind] true rprivate}]
    (other testcontainers managed by the one above)

With Docker instead of Podman and the Docker daemon running as root, things are even worse, and it is even more advisable to disable ryuk.
(see https://www.testcontainers.org/features/configuration/#disabling-ryuk)
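Added example (not from the bug report, Testcontainers or selinux-policy): a POSIX shell triage helper that parses the raw AVC record quoted in the description, flags the container_t to container_runtime_t unix-socket connect pattern discussed in this thread, and maps it to the narrower remedy (disabling Ryuk) rather than dropping SELinux separation. The sample record is embedded so it runs offline; the function names are my own.

```shell
# Constructed sample: the raw AVC record quoted in the bug description, embedded so this runs offline.
AVC_SAMPLE='type=AVC msg=audit(1570116407.41:1177): avc:  denied  { connectto } for  pid=283184 comm="app" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c868,c940 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0'

# avc_field LINE KEY -> value of KEY=value in the record, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named inside { ... }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# selinux_type CONTEXT -> the type field of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> "container-to-runtime-socket" for the pattern in this bug
# (container_t connecting to a container_runtime_t unix stream socket), else "other"
classify_avc() {
    line=$1
    stype=$(selinux_type "$(avc_field "$line" scontext)")
    ttype=$(selinux_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    if [ "$stype" = container_t ] && [ "$ttype" = container_runtime_t ] \
        && [ "$tclass" = unix_stream_socket ] && [ "$perm" = connectto ]; then
        echo container-to-runtime-socket
    else
        echo other
    fi
}

# suggest_fix CLASS -> the narrowest remedy discussed in this thread for that class
suggest_fix() {
    case $1 in
        container-to-runtime-socket)
            echo 'Disable Ryuk (TESTCONTAINERS_RYUK_DISABLED=true) rather than --security-opt label=disable' ;;
        *)
            echo 'Not the docker.sock case; review the denial before writing any local policy module' ;;
    esac
}

# Stand-alone run over the embedded sample
class=$(classify_avc "$AVC_SAMPLE")
echo "$class: $(suggest_fix "$class")"
```

Feed real records in with `ausearch -m AVC --raw` piped line by line into `classify_avc`; the helper only reads the record and never changes policy.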

