https://bugzilla.redhat.com/show_bug.cgi?id=1182596
Bug ID: 1182596
Summary: AVC denials when running docker build
Product: Fedora
Version: 21
Component: docker-io
Assignee: lsm5(a)redhat.com
Reporter: pkamenickova(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: adimania(a)gmail.com, admiller(a)redhat.com,
golang(a)lists.fedoraproject.org, hushan.jia(a)gmail.com,
jchaloup(a)redhat.com, jperrin(a)centos.org,
lsm5(a)redhat.com, mattdm(a)redhat.com,
mgoldman(a)redhat.com, miminar(a)redhat.com, s(a)shk.io,
thrcka(a)redhat.com, vbatts(a)redhat.com
Description of problem:
Sometimes when running docker build, these AVC denials appear:
type=AVC msg=audit(1421329727.232:1403): avc: denied { name_connect } for pid=14266 comm="yum" dest=21 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1421329730.463:1404): avc: denied { name_connect } for pid=14266 comm="yum" dest=55226 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1421329735.658:1405): avc: denied { name_connect } for pid=14327 comm="urlgrabber-ext-" dest=63179 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
Note: Because we are not sure what the correct behaviour is here, I have opened
it as a docker-io issue, not a selinux one.
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-103.fc21.noarch
docker-io-1.4.1-4.fc21.x86_64
How reproducible:
Force yum to use an ftp repository, use a RUN yum install command in the Dockerfile
Example: RUN yum install --enablerepo=fedoraftp -y zsh
Run docker build
Steps to Reproduce:
1. yum install --enablerepo=updates-testing -y docker-io
2. service docker start
3. fedoraftp.repo:
[fedoraftp]
name=fedoraftp
baseurl=ftp://ftp.linux.cz/pub/linux/fedora/linux/releases/20/Everything/x86_64/os/
gpgcheck=0
enabled=1
4. Dockerfile:
FROM fedora:20
ADD fedoraftp.repo /etc/yum.repos.d/fedoraftp.repo
RUN yum install --disablerepo='*' --enablerepo=fedoraftp -y zsh
5. docker build -t example .
Actual results:
Expected results:
No AVC denial
Additional info:
Output of sesearch on Fedora21:
sesearch --allow -s docker_t -t ftp_port_t
Found 6 semantic av rules:
allow docker_t port_type : tcp_socket name_bind ;
allow docker_t port_type : udp_socket { recv_msg send_msg name_bind } ;
allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ;
allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ;
allow docker_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow nsswitch_domain reserved_port_type : tcp_socket name_connect ;
I've tried to reproduce this issue on Fedora 20
(selinux-policy-3.12.1-196.fc20.noarch) and RHEL 7
(selinux-policy-3.12.1-153.el7.noarch) - it seems these versions of selinux
already have the rules for this kind of thing (maybe ??).
Fedora20 sesearch:
sesearch --allow -s docker_t -t ftp_port_t
Found 10 semantic av rules:
allow corenet_unconfined_type port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ;
allow corenet_unconfined_type port_type : udp_socket { recv_msg send_msg name_bind } ;
allow corenet_unconfined_type port_type : rawip_socket name_bind ;
allow corenet_unconfined_type port_type : dccp_socket { recv_msg send_msg name_bind name_connect } ;
allow docker_t port_type : tcp_socket name_bind ;
allow docker_t port_type : udp_socket { recv_msg send_msg name_bind } ;
allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ;
allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ;
allow nsswitch_domain reserved_port_type : tcp_socket name_connect ;
allow docker_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
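As an added example (not part of the bug report, and not Fedora or Docker project code), the script below parses the three AVC records from the report into the minimal allow rule that audit2allow would propose for each, then checks each denial against the Fedora 21 sesearch listing above to see which listed rules already grant the denied permission once attributes are expanded. The attribute table is the only input not taken from the report: ftp_port_t carrying port_type and reserved_port_type, and docker_t carrying nsswitch_domain, follow from sesearch -s docker_t -t ftp_port_t returning rules with those attribute names, while ephemeral_port_t and unreserved_port_t being port_type members is an assumption based on the refpolicy naming convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The three denials from the bug report, each rejoined onto one line.
AVC_LINES = [
    'type=AVC msg=audit(1421329727.232:1403): avc: denied { name_connect } for '
    'pid=14266 comm="yum" dest=21 scontext=system_u:system_r:docker_t:s0 '
    'tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1421329730.463:1404): avc: denied { name_connect } for '
    'pid=14266 comm="yum" dest=55226 scontext=system_u:system_r:docker_t:s0 '
    'tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1421329735.658:1405): avc: denied { name_connect } for '
    'pid=14327 comm="urlgrabber-ext-" dest=63179 scontext=system_u:system_r:docker_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1',
]

# Fedora 21 "sesearch --allow -s docker_t -t ftp_port_t" output from the report.
SESEARCH_F21 = """\
allow docker_t port_type : tcp_socket name_bind ;
allow docker_t port_type : udp_socket { recv_msg send_msg name_bind } ;
allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ;
allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ;
allow docker_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow nsswitch_domain reserved_port_type : tcp_socket name_connect ;
"""

# Attribute membership used to expand the listing. ftp_port_t/docker_t entries
# follow from the sesearch output above; ephemeral_port_t and unreserved_port_t
# being port_type members is an ASSUMPTION (refpolicy naming convention).
ATTRIBUTES: Dict[str, Set[str]] = {
    "port_type": {"ftp_port_t", "ephemeral_port_t", "unreserved_port_t"},
    "reserved_port_type": {"ftp_port_t"},
    "nsswitch_domain": {"docker_t"},
}

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+))\s*;")

Rule = Tuple[str, str, str, Set[str]]  # (source, target, class, perms)


@dataclass
class AvcDenial:
    perms: List[str]
    fields: Dict[str, str]

    # A context is user:role:type[:level]; the type is always the third field.
    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def permissive(self) -> bool:
        return self.fields.get("permissive") == "1"


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit record; None if it is not an AVC denial."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return AvcDenial(m.group(1).split(), fields)


def allow_rule(d: AvcDenial) -> str:
    """Minimal allow rule that would silence the denial (audit2allow style)."""
    perms = " ".join(sorted(d.perms))
    if len(d.perms) > 1:
        perms = "{ " + perms + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


def parse_rules(text: str) -> List[Rule]:
    """Turn sesearch --allow output into (source, target, class, perms) tuples."""
    return [(src, tgt, cls, set(multi.split()) if multi else {single})
            for src, tgt, cls, multi, single in RULE_RE.findall(text)]


def _matches(name: str, rule_name: str, attrs: Dict[str, Set[str]]) -> bool:
    return name == rule_name or name in attrs.get(rule_name, set())


def covering_rules(d: AvcDenial, rules: List[Rule], attrs: Dict[str, Set[str]]) -> List[Rule]:
    """Listed rules that already grant every permission the denial asked for."""
    return [r for r in rules
            if _matches(d.source_type, r[0], attrs) and _matches(d.target_type, r[1], attrs)
            and r[2] == d.tclass and set(d.perms) <= r[3]]


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_F21)
    for line in AVC_LINES:
        d = parse_avc(line)
        if d is None:
            continue
        print(f"{d.fields['comm']} -> port {d.fields['dest']} ({d.target_type}) permissive={d.permissive}")
        print("  needed: ", allow_rule(d))
        for src, tgt, cls, perms in covering_rules(d, rules, ATTRIBUTES):
            print(f"  covered by: allow {src} {tgt} : {cls} {{ {' '.join(sorted(perms))} }} ;")
```

Run it as-is to see, for each denial, the audit2allow-style rule and the listed rules that already cover it under the stated attribute assumptions; feed it your own `ausearch -m avc` and `sesearch --allow` output to apply the same check elsewhere.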