https://bugzilla.redhat.com/show_bug.cgi?id=1182596
Bug ID: 1182596
Summary: AVC denials when running docker build
Product: Fedora
Version: 21
Component: docker-io
Assignee: lsm5@redhat.com
Reporter: pkamenickova@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: adimania@gmail.com, admiller@redhat.com, golang@lists.fedoraproject.org, hushan.jia@gmail.com, jchaloup@redhat.com, jperrin@centos.org, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, miminar@redhat.com, s@shk.io, thrcka@redhat.com, vbatts@redhat.com
Description of problem:
Sometimes when running docker build, these AVC denials appear:

    type=AVC msg=audit(1421329727.232:1403): avc: denied { name_connect } for pid=14266 comm="yum" dest=21 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1
    type=AVC msg=audit(1421329730.463:1404): avc: denied { name_connect } for pid=14266 comm="yum" dest=55226 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=1
    type=AVC msg=audit(1421329735.658:1405): avc: denied { name_connect } for pid=14327 comm="urlgrabber-ext-" dest=63179 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
Note: Because we are not sure what the correct behaviour of this is, I have opened it as a docker-io issue, not selinux.
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-103.fc21.noarch
docker-io-1.4.1-4.fc21.x86_64
How reproducible:
Force yum to use some ftp repository, use a RUN yum install command in the Dockerfile.
Example: RUN yum install --enablerepo=fedoraftp -y zsh
Run docker build

Steps to Reproduce:
1. yum install --enablerepo=updates-testing -y docker-io
2. service docker start
3. fedoraftp.repo:
   [fedoraftp]
   name=fedoraftp
   baseurl=ftp://ftp.linux.cz/pub/linux/fedora/linux/releases/20/Everything/x86_64/os/
   gpgcheck=0
   enabled=1
4. Dockerfile:
   FROM fedora:20
   ADD fedoraftp.repo /etc/yum.repos.d/fedoraftp.repo
   RUN yum install --disablerepo='*' --enablerepo=fedoraftp -y zsh
5. docker build -t example .
Actual results:
Expected results: No AVC denial
Additional info:
Output of sesearch on Fedora21:

    sesearch --allow -s docker_t -t ftp_port_t
    Found 6 semantic av rules:
       allow docker_t port_type : tcp_socket name_bind ;
       allow docker_t port_type : udp_socket { recv_msg send_msg name_bind } ;
       allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ;
       allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ;
       allow docker_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
       allow nsswitch_domain reserved_port_type : tcp_socket name_connect ;
I've tried to reproduce this issue on Fedora 20 (selinux-policy-3.12.1-196.fc20.noarch) and RHEL 7 (selinux-policy-3.12.1-153.el7.noarch) - it seems these versions of selinux already have the rules for this kind of thing (maybe ??).
Fedora20 sesearch:

    sesearch --allow -s docker_t -t ftp_port_t
    Found 10 semantic av rules:
       allow corenet_unconfined_type port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ;
       allow corenet_unconfined_type port_type : udp_socket { recv_msg send_msg name_bind } ;
       allow corenet_unconfined_type port_type : rawip_socket name_bind ;
       allow corenet_unconfined_type port_type : dccp_socket { recv_msg send_msg name_bind name_connect } ;
       allow docker_t port_type : tcp_socket name_bind ;
       allow docker_t port_type : udp_socket { recv_msg send_msg name_bind } ;
       allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ;
       allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ;
       allow nsswitch_domain reserved_port_type : tcp_socket name_connect ;
       allow docker_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
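One way to triage audit records like the ones in this report, as an added example that is not part of the bug or of docker-io: a small parser for the `type=AVC ... avc: denied { perm } for ...` record format that extracts the source and target SELinux types and counts denials from docker_t per (permission, target type, class), so a batch of denials can be compared against the sesearch output above. The sample input is constructed from the three records quoted in the description; the field names (scontext, tcontext, tclass, permissive) are the standard audit keys.

```python
import re
from collections import Counter

# Constructed sample: the three AVC records from the bug report, one per line
SAMPLE_AUDIT = """\
type=AVC msg=audit(1421329727.232:1403): avc: denied { name_connect } for pid=14266 comm="yum" dest=21 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1421329730.463:1404): avc: denied { name_connect } for pid=14266 comm="yum" dest=55226 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1421329735.658:1405): avc: denied { name_connect } for pid=14327 comm="urlgrabber-ext-" dest=63179 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what policy rules name
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but not actually blocked
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize_denials(audit_text, source_type="docker_t"):
    """Count denials whose source type is source_type, keyed by (perm, target type, class)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and rec["stype"] == source_type:
            for perm in rec["perms"]:
                counts[(perm, rec["ttype"], rec["tclass"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT).items()):
        print(n, *key)
```

Each summary key maps directly onto an `allow docker_t <ttype> : <tclass> <perm>` rule, which is what to look for in sesearch output to see whether the loaded policy already permits the access.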
Lokesh Mandvekar lsm5@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
--- Comment #1 from Lokesh Mandvekar lsm5@redhat.com ---
Hi Petra, could you please retry this with docker-io-1.4.1-5? It should be in updates-testing now.
    $ rpm -q docker-io selinux-policy
    docker-io-1.4.1-5.fc21.x86_64
    selinux-policy-3.13.1-103.fc21.noarch
I tried reproducing this with the steps you mentioned, worked totally fine for me on an f21 instance (for both "FROM fedora" and "FROM fedora:20").
I suspect in your case docker 1.4.1-4 was using /.docker instead of /etc/docker which might be the case here too. 1.4.1-5 should take care of that.
Also see: Bug 1180059
--- Comment #2 from Petra Kamenickova pkamenickova@redhat.com ---
Hi, I used the 1.4.1-5 version and the same AVC denials appeared.
Daniel Walsh dwalsh@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dwalsh@redhat.com
           Assignee|lsm5@redhat.com             |dwalsh@redhat.com
--- Comment #3 from Daniel Walsh dwalsh@redhat.com ---
setsebool -P docker_transition_unconfined 1
Will fix this for now.
We need to fix docker build to use a confined build.
--- Comment #4 from Petra Kamenickova pkamenickova@redhat.com ---
Thanks, it works fine for my yum/ftp problem. However when I set docker_transition_unconfined to 1, a new AVC denial appeared:
    type=AVC msg=audit(1421680260.588:280): avc: denied { setsched } for pid=32550 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process permissive=1
Is it possible that this AVC denial is somehow related to the setsebool use? And do you have any advice on how I can get rid of it?
--- Comment #5 from Daniel Walsh dwalsh@redhat.com ---
No, that is a known issue and will be fixed in the next selinux-policy package.
I just found why docker build is not running with SELinux confinement and pushed a fix for it to docker.
Daniel Walsh dwalsh@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|---                         |CURRENTRELEASE
        Last Closed|                            |2015-03-09 14:50:54