https://bugzilla.redhat.com/show_bug.cgi?id=1112748 Bug ID: 1112748 Summary: Selinux prevents docker-io from updating /etc/passwd within a container Product: Fedora Version: 20 Component: docker-io Severity: high Assignee: lsm5(a)redhat.com Reporter: artaxerxes2(a)iname.com QA Contact: extras-qa(a)fedoraproject.org CC: admiller(a)redhat.com, golang(a)lists.fedoraproject.org, hushan.jia(a)gmail.com, lsm5(a)redhat.com, mattdm(a)redhat.com, mgoldman(a)redhat.com, s(a)shk.io, vbatts(a)redhat.com Description of problem: Running a certain docker command fails to run the container as expected since selinux intercept a call to update /etc/passwd within the container. Version-Release number of selected component (if applicable): Docker version 1.0.0, build 63fe64c/1.0.0 selinux policy version is 29 How reproducible: always Steps to Reproduce: 1. # yum upgrade 2. # yum install docker-io 3. add username to the docker group and restart the daemon 4. verify 'getenforce' returns 'Enforcing' 5. docker run -t -i -p 80:80 -p 20022:22 oskarhane/docker-wordpress-nginx-ssh Actual results: 140624 15:34:46 mysqld_safe Logging to syslog. 140624 15:34:46 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql mysql root password: Yohraequ2eiB wordpress password: ieHie5toi0zo ssh password: se2Gai9eengu usermod: failure while writing changes to /etc/passwd % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 58606 100 58606 0 0 60339 0 --:--:-- --:--:-- --:--:-- 62148 Archive: nginx-helper.1.8.1.zip nginx-helper.1.8.1 packaged creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/readme.txt creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/admin.php inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/install.php creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-sidebar.php inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-general.php inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-support.php creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/ creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/config.json creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.eot inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.svg inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.ttf inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.woff creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/nginx-fontello.css inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx.js inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/rtp-social-icons-32-32.png inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/logo.png inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/style.css extracting: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-icon-32x32.png inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/nginx-helper.php inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/compatibility.php creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.mo inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.po inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/purger.php % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 38126 100 38126 0 0 151k 0 --:--:-- --:--:-- --:--:-- 154k Archive: wp-ffpc.1.5.0.zip wp-ffpc.1.5.0 packaged creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/ inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-acache.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-class.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-nginx-sample.conf inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/readme.txt inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-backend.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/uninstall.php creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/ inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-admin.css inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-abstract.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-utilities.php sed: warning: failed to set default file creation context to system_u:object_r:svirt_sandbox_file_t:s0:c8,c525: Permission deniedStarting memcached: memcached. 140624 15:34:59 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended /usr/local/lib/python2.7/dist-packages/supervisor-3.0-py2.7.egg/supervisor/options.py:295: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security. 'Supervisord is running as root and it is searching ' 2014-06-24 15:35:00,547 CRIT Supervisor running as root (no user in config file) 2014-06-24 15:35:00,646 INFO RPC interface 'supervisor' initialized 2014-06-24 15:35:00,646 CRIT Server 'unix_http_server' running without any HTTP authentication checking 2014-06-24 15:35:00,646 INFO supervisord started with pid 380 2014-06-24 15:35:01,648 INFO spawned: 'nginx' with pid 391 2014-06-24 15:35:01,650 INFO spawned: 'mysqld' with pid 392 2014-06-24 15:35:01,651 INFO spawned: 'php5-fpm' with pid 393 2014-06-24 15:35:01,652 INFO spawned: 'ssh' with pid 394 2014-06-24 15:35:02,756 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2014-06-24 15:35:02,757 INFO success: mysqld entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2014-06-24 15:35:02,757 INFO success: php5-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2014-06-24 15:35:02,757 INFO success: ssh entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) Expected results: 140624 15:36:48 mysqld_safe Logging to syslog. 140624 15:36:48 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql mysql root password: Eehujoh3ooyo wordpress password: nana8aiTh6ju ssh password: Eengoo2liMie % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 58606 100 58606 0 0 38969 0 0:00:01 0:00:01 --:--:-- 39412 Archive: nginx-helper.1.8.1.zip nginx-helper.1.8.1 packaged creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/ creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/install.php creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-general.php inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-sidebar.php inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-support.php creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/logo.png extracting: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-icon-32x32.png inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/rtp-social-icons-32-32.png inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx.js inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/style.css creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/ creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.ttf inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.woff inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.svg inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.eot creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/nginx-fontello.css inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/config.json inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/admin.php inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/nginx-helper.php inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/readme.txt inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/compatibility.php creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/ inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.mo inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.po inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/purger.php % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 38126 100 38126 0 0 49638 0 --:--:-- --:--:-- --:--:-- 49903 Archive: wp-ffpc.1.5.0.zip wp-ffpc.1.5.0 packaged creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/ inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-nginx-sample.conf inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-class.php creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/ inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-admin.css inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-abstract.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-utilities.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/uninstall.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/readme.txt inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-acache.php inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-backend.php Starting memcached: memcached. /usr/local/lib/python2.7/dist-packages/supervisor-3.0-py2.7.egg/supervisor/options.py:295: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security. 'Supervisord is running as root and it is searching ' 2014-06-24 15:37:02,595 CRIT Supervisor running as root (no user in config file) 2014-06-24 15:37:02,603 INFO RPC interface 'supervisor' initialized 2014-06-24 15:37:02,603 CRIT Server 'unix_http_server' running without any HTTP authentication checking 2014-06-24 15:37:02,603 INFO supervisord started with pid 385 140624 15:37:03 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended 2014-06-24 15:37:03,606 INFO spawned: 'nginx' with pid 396 2014-06-24 15:37:03,607 INFO spawned: 'mysqld' with pid 397 2014-06-24 15:37:03,608 INFO spawned: 'php5-fpm' with pid 398 2014-06-24 15:37:03,609 INFO spawned: 'ssh' with pid 399 2014-06-24 15:37:04,716 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2014-06-24 15:37:04,716 INFO success: mysqld entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2014-06-24 15:37:04,716 INFO success: php5-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2014-06-24 15:37:04,716 INFO success: ssh entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) Additional info: If selinux is set to non-enforcing (setenforce 0), then the problem disappears. Looking at the audit.log file there is nothing related to failed update around the time of the usermod command is launched. I tried the exact same steps on CentOS 6.5 and had no issue at all, even in Enforcing mode. -- You are receiving this mail because: You are on the CC list for the bug.