https://bugzilla.redhat.com/show_bug.cgi?id=1112748
Bug ID: 1112748
Summary: Selinux prevents docker-io from updating /etc/passwd
within a container
Product: Fedora
Version: 20
Component: docker-io
Severity: high
Assignee: lsm5(a)redhat.com
Reporter: artaxerxes2(a)iname.com
QA Contact: extras-qa(a)fedoraproject.org
CC: admiller(a)redhat.com, golang(a)lists.fedoraproject.org,
hushan.jia(a)gmail.com, lsm5(a)redhat.com,
mattdm(a)redhat.com, mgoldman(a)redhat.com, s(a)shk.io,
vbatts(a)redhat.com
Description of problem:
Running a certain docker command fails to run the container as expected since
selinux intercepts a call to update /etc/passwd within the container.
Version-Release number of selected component (if applicable):
Docker version 1.0.0, build 63fe64c/1.0.0
selinux policy version is 29
How reproducible: always
Steps to Reproduce:
1. # yum upgrade
2. # yum install docker-io
3. add username to the docker group and restart the daemon
4. verify 'getenforce' returns 'Enforcing'
5. docker run -t -i -p 80:80 -p 20022:22 oskarhane/docker-wordpress-nginx-ssh
Actual results:
140624 15:34:46 mysqld_safe Logging to syslog.
140624 15:34:46 mysqld_safe Starting mysqld daemon with databases from
/var/lib/mysql
mysql root password: Yohraequ2eiB
wordpress password: ieHie5toi0zo
ssh password: se2Gai9eengu
usermod: failure while writing changes to /etc/passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 58606 100 58606 0 0 60339 0 --:--:-- --:--:-- --:--:-- 62148
Archive: nginx-helper.1.8.1.zip
nginx-helper.1.8.1 packaged
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/readme.txt
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/admin.php
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/install.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-sidebar.php
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-general.php
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-support.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/
creating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/config.json
creating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.eot
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.svg
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.ttf
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.woff
creating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/nginx-fontello.css
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx.js
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/rtp-social-icons-32-32.png
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/logo.png
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/style.css
extracting:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-icon-32x32.png
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/nginx-helper.php
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/compatibility.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.mo
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.po
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/purger.php
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 38126 100 38126 0 0 151k 0 --:--:-- --:--:-- --:--:-- 154k
Archive: wp-ffpc.1.5.0.zip
wp-ffpc.1.5.0 packaged
creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-acache.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-class.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc.php
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-nginx-sample.conf
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/readme.txt
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-backend.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/uninstall.php
creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-admin.css
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-abstract.php
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-utilities.php
sed: warning: failed to set default file creation context to
system_u:object_r:svirt_sandbox_file_t:s0:c8,c525: Permission deniedStarting
memcached: memcached.
140624 15:34:59 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid
ended
/usr/local/lib/python2.7/dist-packages/supervisor-3.0-py2.7.egg/supervisor/options.py:295:
UserWarning: Supervisord is running as root and it is searching for its
configuration file in default locations (including its current working
directory); you probably want to specify a "-c" argument specifying an absolute
path to a configuration file for improved security.
'Supervisord is running as root and it is searching '
2014-06-24 15:35:00,547 CRIT Supervisor running as root (no user in config
file)
2014-06-24 15:35:00,646 INFO RPC interface 'supervisor' initialized
2014-06-24 15:35:00,646 CRIT Server 'unix_http_server' running without any HTTP
authentication checking
2014-06-24 15:35:00,646 INFO supervisord started with pid 380
2014-06-24 15:35:01,648 INFO spawned: 'nginx' with pid 391
2014-06-24 15:35:01,650 INFO spawned: 'mysqld' with pid 392
2014-06-24 15:35:01,651 INFO spawned: 'php5-fpm' with pid 393
2014-06-24 15:35:01,652 INFO spawned: 'ssh' with pid 394
2014-06-24 15:35:02,756 INFO success: nginx entered RUNNING state, process has
stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: mysqld entered RUNNING state, process has
stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: php5-fpm entered RUNNING state, process
has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: ssh entered RUNNING state, process has
stayed up for > than 1 seconds (startsecs)
Expected results:
140624 15:36:48 mysqld_safe Logging to syslog.
140624 15:36:48 mysqld_safe Starting mysqld daemon with databases from
/var/lib/mysql
mysql root password: Eehujoh3ooyo
wordpress password: nana8aiTh6ju
ssh password: Eengoo2liMie
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 58606 100 58606 0 0 38969 0 0:00:01 0:00:01 --:--:-- 39412
Archive: nginx-helper.1.8.1.zip
nginx-helper.1.8.1 packaged
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/install.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-general.php
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-sidebar.php
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-support.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/logo.png
extracting:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-icon-32x32.png
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/rtp-social-icons-32-32.png
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx.js
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/style.css
creating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/
creating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.ttf
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.woff
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.svg
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.eot
creating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/nginx-fontello.css
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/config.json
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/admin.php
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/nginx-helper.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/readme.txt
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/compatibility.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.mo
inflating:
/usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.po
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/purger.php
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 38126 100 38126 0 0 49638 0 --:--:-- --:--:-- --:--:-- 49903
Archive: wp-ffpc.1.5.0.zip
wp-ffpc.1.5.0 packaged
creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-nginx-sample.conf
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-class.php
creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-admin.css
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-abstract.php
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-utilities.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/uninstall.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/readme.txt
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-acache.php
inflating:
/usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-backend.php
Starting memcached: memcached.
/usr/local/lib/python2.7/dist-packages/supervisor-3.0-py2.7.egg/supervisor/options.py:295:
UserWarning: Supervisord is running as root and it is searching for its
configuration file in default locations (including its current working
directory); you probably want to specify a "-c" argument specifying an absolute
path to a configuration file for improved security.
'Supervisord is running as root and it is searching '
2014-06-24 15:37:02,595 CRIT Supervisor running as root (no user in config
file)
2014-06-24 15:37:02,603 INFO RPC interface 'supervisor' initialized
2014-06-24 15:37:02,603 CRIT Server 'unix_http_server' running without any HTTP
authentication checking
2014-06-24 15:37:02,603 INFO supervisord started with pid 385
140624 15:37:03 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid
ended
2014-06-24 15:37:03,606 INFO spawned: 'nginx' with pid 396
2014-06-24 15:37:03,607 INFO spawned: 'mysqld' with pid 397
2014-06-24 15:37:03,608 INFO spawned: 'php5-fpm' with pid 398
2014-06-24 15:37:03,609 INFO spawned: 'ssh' with pid 399
2014-06-24 15:37:04,716 INFO success: nginx entered RUNNING state, process has
stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: mysqld entered RUNNING state, process has
stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: php5-fpm entered RUNNING state, process
has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: ssh entered RUNNING state, process has
stayed up for > than 1 seconds (startsecs)
Additional info:
If selinux is set to non-enforcing (setenforce 0), then the problem disappears.
Looking at the audit.log file there is nothing related to a failed update around
the time the usermod command is launched.
I tried the exact same steps on CentOS 6.5 and had no issue at all, even in
Enforcing mode.
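Added example (not part of the bug report or of docker-io): one way to repeat the audit.log check described under "Additional info", listing AVC denials that fall inside a time window and involve a given SELinux type. The log records, the epoch values and the svirt_lxc_net_t source type are constructed for illustration; only svirt_sandbox_file_t and the c8,c525 category pair come from the output above.

```shell
#!/bin/sh
# Added example. Lists AVC denials in an audit log that fall inside a time
# window and mention a given SELinux type as source or target context.
# Usage: avc_window LOGFILE START_EPOCH END_EPOCH SELINUX_TYPE   ("-" = stdin)
avc_window() {
    awk -v start="$2" -v end="$3" -v typ="$4" '
    function field(key,   v) {          # value of key=..., quotes removed
        if (!match($0, " " key "=[^ ]*")) return "-"
        v = substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", v)
        return v
    }
    /^type=AVC / && / denied / {
        # Records carry msg=audit(EPOCH.millis:serial); keep the epoch seconds.
        if (!match($0, /audit\([0-9]+/)) next
        ts = substr($0, RSTART + 6, RLENGTH - 6) + 0
        if (ts < start || ts > end) next
        if (index($0, ":" typ ":") == 0) next   # type part of scontext/tcontext
        i = index($0, "{ "); j = index($0, " }")
        perms = substr($0, i + 2, j - i - 2); gsub(/ /, ",", perms)
        printf "%d comm=%s perms=%s name=%s tclass=%s\n",
            ts, field("comm"), perms, field("name"), field("tclass")
    }' "$1"
}

# Constructed sample records, not taken from the reporter's system (the report
# says the real audit.log showed nothing). svirt_lxc_net_t is an assumed type.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1403624087.412:901): avc:  denied  { write } for  pid=2211 comm="usermod" name="passwd" dev="dm-1" ino=131 scontext=system_u:system_r:svirt_lxc_net_t:s0:c8,c525 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c8,c525 tclass=file
type=SYSCALL msg=audit(1403624087.412:901): arch=c000003e syscall=2 success=no exit=-13 comm="usermod"
type=AVC msg=audit(1403624090.020:905): avc:  denied  { read } for  pid=880 comm="httpd" name="error_log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1403620000.000:120): avc:  denied  { create } for  pid=77 comm="sed" name="sedAbC" scontext=system_u:system_r:svirt_lxc_net_t:s0:c8,c525 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c8,c525 tclass=file
EOF
}

# Demo: denials touching the container file type in a 20-second window.
sample_audit_log | avc_window - 1403624080 1403624100 svirt_sandbox_file_t
```

An empty result does not prove that no denial occurred: accesses covered by dontaudit rules are not logged, and `semodule -DB` rebuilds the policy with those rules disabled (`semodule -B` restores them).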