SELinux error when run a command on docker

Daniel J Walsh dwalsh at redhat.com
Mon May 18 12:16:53 UTC 2015



On 05/17/2015 02:14 AM, Igor Gnatenko wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1221911
>
> On Sun, May 17, 2015 at 1:59 AM, Antonio Insuasti Recalde
> <antonio at insuasti.ec> wrote:
>> Hi folks,
>>
>> I don't know if this is a bug, but when I start a container or execute
>> some command inside of a container SELinux shows this error:
>>
>> May 16 13:01:44 f22TC4.insuasti.ec setroubleshoot[29992]: SELinux is
>> preventing bash from 'read, write' accesses on the chr_file
>> /dev/pts/1. For complete SELinux messages. run sealert -l
>> 12910614-818d-4051-a03b-85f2851fd055
>> May 16 13:01:44 f22TC4.insuasti.ec python[29992]: SELinux is
>> preventing bash from 'read, write' accesses on the chr_file
>> /dev/pts/1.
>>
>> *****  Plugin catchall (100. confidence) suggests   **************************
>>
>> If you believe that bash should be allowed read write access on the 1 chr_file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep bash /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>>
>> this is the output of sealert
>>
>> [root at f22TC4 ~]# sealert -l 12910614-818d-4051-a03b-85f2851fd055
>> SELinux is preventing bash from 'read, write' accesses on the chr_file
>> /dev/pts/1.
>>
>> *****  Plugin catchall (100. confidence) suggests   **************************
>>
>> If you believe that bash should be allowed read write access on the 1
>> chr_file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep bash /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>> Additional Information:
>> Source Context                system_u:system_r:svirt_lxc_net_t:s0:c661,c803
>> Target Context                system_u:object_r:docker_devpts_t:s0
>> Target Objects                /dev/pts/1 [ chr_file ]
>> Source                        bash
>> Source Path                   bash
>> Port                          <Unknown>
>> Host                          f22TC4.insuasti.ec
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Host Name                     f22TC4.insuasti.ec
>> Platform                      Linux f22TC4.insuasti.ec 4.0.2-300.fc22.x86_64 #1
>>                               SMP Thu May 7 16:05:02 UTC 2015 x86_64 x86_64
>> Alert Count                   6
>> First Seen                    2015-05-16 12:53:19 ECT
>> Last Seen                     2015-05-16 13:01:43 ECT
>> Local ID                      12910614-818d-4051-a03b-85f2851fd055
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1431799303.910:1222): avc:  denied  { read write }
>> for  pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4
>> scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803
>> tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file
>> permissive=0
>>
>>
>> Hash: bash,svirt_lxc_net_t,docker_devpts_t,chr_file,read,write
>>
>> this is the command I ran
>> # docker exec -t -i deamon_dave /bin/bash
>>
>> I'm using Fedora 22 TC 4 with docker docker-1.6.0-3.git9d26a07.fc22.x86_64
>>
>> Thanks for the help
>>
>>
>> --
>> Antonio Insuasti R.
>
>
This bug is unrelated to the original report.  The current docker policy
fixes this.  Please open a bugzilla on this for F22 and we will see if
we can get the fix back ported to F22.
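As an added illustration, not part of the thread: the raw AVC record quoted above parsed into its fields, so this one denial can be matched exactly rather than with `grep bash`, which would pull every audit line mentioning bash into the generated module. The parser rebuilds the setroubleshoot `Hash:` line and the single allow rule audit2allow would emit for it; the sample record is the one from the report, rejoined onto one line.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record from the report, rejoined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1431799303.910:1222): avc:  denied  { read write } '
    'for  pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803 '
    'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0'
)

_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    decision: str       # "denied" or "granted"
    perms: tuple        # permissions inside the braces, e.g. ("read", "write")
    fields: dict        # the key=value pairs after the braces

    def ctx_type(self, key):
        # A context is user:role:type[:range]; the type is the third component.
        return self.fields[key].split(':')[2]


def parse_avc(line):
    """Parse one audit AVC line into its decision, permissions and fields."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    perms = tuple(m.group(2).split())
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line[m.end():])}
    return Avc(m.group(1), perms, fields)


def setroubleshoot_key(avc):
    """Rebuild the 'Hash:' summary setroubleshoot prints for a denial."""
    return ','.join([avc.fields['comm'], avc.ctx_type('scontext'),
                     avc.ctx_type('tcontext'), avc.fields['tclass'], *avc.perms])


def proposed_rule(avc):
    """The allow rule audit2allow would generate from this single record."""
    return 'allow %s %s:%s { %s };' % (avc.ctx_type('scontext'), avc.ctx_type('tcontext'),
                                       avc.fields['tclass'], ' '.join(avc.perms))


def is_container_pty_denial(avc):
    """Match the thread's pattern: a container process (svirt_lxc_net_t, further
    separated by its MCS category pair) denied access to a docker_devpts_t pty."""
    return (avc.decision == 'denied'
            and avc.ctx_type('scontext') == 'svirt_lxc_net_t'
            and avc.ctx_type('tcontext') == 'docker_devpts_t'
            and avc.fields.get('tclass') == 'chr_file')
```

Filtering on the parsed source and target types keeps a local module, if one is written at all, limited to the denial actually reported.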

