https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Bug ID: 1206751 Summary: Docker with overlay cannot run bash(prevented by SELinx) Product: Fedora Version: 21 Component: docker-io Severity: high Assignee: ichavero@redhat.com Reporter: robberphex@gmail.com QA Contact: extras-qa@fedoraproject.org CC: adimania@gmail.com, admiller@redhat.com, golang@lists.fedoraproject.org, hushan.jia@gmail.com, ichavero@redhat.com, jchaloup@redhat.com, jperrin@centos.org, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, miminar@redhat.com, s@shk.io, thrcka@redhat.com, vbatts@redhat.com
Description of problem:
the container cannot read .so file in overlay, and cannot relabel the file system.
How reproducible:
Steps to Reproduce: 1. Add "DOCKER_STORAGE_OPTIONS= --storage-driver=overlay" to /etc/sysconfig/docker-storage, and restart docker service. 2. repull the image(in my case, pull debian:jessie) 3. Run container(sudo docker run -it debian:jessie /bin/bash)
Actual results:
/bin/bash: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory (preventing by SELinx)
Expected results:
bash prompt in container
Additional info:
There is 4 SeLinux Alert: ----1---- SELinux is preventing docker from mount access on the filesystem /.
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot
***** Plugin catchall (6.38 confidence) suggests **************************
If you believe that docker should be allowed mount access on the filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep docker /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:docker_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects / [ filesystem ] Source docker Source Path docker Port <Unknown> Host rp.fedora Source RPM Packages Target RPM Packages filesystem-3.2-28.fc21.x86_64 Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name rp.fedora Platform Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed Mar 18 04:29:24 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-03-28 09:08:17 CST Last Seen 2015-03-28 09:08:17 CST Local ID fcd44130-63b9-4680-9975-4dc6a416b566
Raw Audit Messages type=AVC msg=audit(1427504897.987:739): avc: denied { mount } for pid=1337 comm="docker" name="/" dev="overlay" ino=65132 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Hash: docker,docker_t,unlabeled_t,filesystem,mount
----2---- SELinux is preventing docker from unmount access on the filesystem .
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot
***** Plugin catchall (6.38 confidence) suggests **************************
If you believe that docker should be allowed unmount access on the filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep docker /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:docker_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects [ filesystem ] Source docker Source Path docker Port <Unknown> Host rp.fedora Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name rp.fedora Platform Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed Mar 18 04:29:24 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-03-28 09:08:17 CST Last Seen 2015-03-28 09:08:17 CST Local ID c4a57cd0-ae92-4521-ad81-40a5e30a5627
Raw Audit Messages type=AVC msg=audit(1427504897.990:740): avc: denied { unmount } for pid=1337 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Hash: docker,docker_t,unlabeled_t,filesystem,unmount
----3---- SELinux is preventing docker from relabelfrom access on the filesystem .
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot
***** Plugin catchall (6.38 confidence) suggests **************************
If you believe that docker should be allowed relabelfrom access on the filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep docker /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:docker_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects [ filesystem ] Source docker Source Path docker Port <Unknown> Host rp.fedora Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name rp.fedora Platform Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed Mar 18 04:29:24 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-03-28 09:08:17 CST Last Seen 2015-03-28 09:08:17 CST Local ID ad86497a-be89-4611-8686-7aa67e73f523
Raw Audit Messages type=AVC msg=audit(1427504897.998:741): avc: denied { relabelfrom } for pid=1337 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Hash: docker,docker_t,unlabeled_t,filesystem,relabelfrom
----4---- SELinux is preventing bash from read access on the file /var/lib/docker/overlay/1cbc0c1b2084b5f3c8fdc283032c124f6fb461242cc5b82fb183095a414869b9/root/lib/x86_64-linux-gnu/libncurses.so.5.9.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bash should be allowed read access on the libncurses.so.5.9 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep bash /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:svirt_lxc_net_t:s0:c156,c1000 Target Context system_u:object_r:docker_var_lib_t:s0 Target Objects /var/lib/docker/overlay/1cbc0c1b2084b5f3c8fdc28303
2c124f6fb461242cc5b82fb183095a414869b9/root/lib/x8 6_64-linux-gnu/libncurses.so.5.9 [ file ] Source bash Source Path bash Port <Unknown> Host rp.fedora Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name rp.fedora Platform Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed Mar 18 04:29:24 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-03-28 09:08:18 CST Last Seen 2015-03-28 09:08:18 CST Local ID 2a5fbf0f-dc4e-489b-a9ca-2541bb55209e
Raw Audit Messages type=AVC msg=audit(1427504898.269:754): avc: denied { read } for pid=10156 comm="bash" name="libncurses.so.5.9" dev="dm-0" ino=2100260 scontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c1000 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0
Hash: bash,svirt_lxc_net_t,docker_var_lib_t,file,read
----end----
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #1 from Lokesh Mandvekar lsm5@redhat.com --- Hi, could you please post what 'rpm -qi docker-io' says on your system?
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #2 from robberphex@gmail.com --- (In reply to Lokesh Mandvekar from comment #1)
Hi, could you please post what 'rpm -qi docker-io' says on your system?
I am sorry for leak information.
$ rpm -qa | grep docker-io docker-io-1.5.0-1.fc21.x86_64
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Lokesh Mandvekar lsm5@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dwalsh@redhat.com
--- Comment #3 from Lokesh Mandvekar lsm5@redhat.com --- Dan, guess you're the best person to comment on this.
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #4 from Daniel Walsh dwalsh@redhat.com --- overlayfs and SELinux under docker do not currently work together. If you want to use overlafs, you should disable SELinux support in docker. The kernel team is working on fixing this upstream.
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Daniel Walsh dwalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |gansalmon@Gmail.com, | |itamar@ispbrasil.com.br, | |jonathan@jonmasters.org, | |kernel-maint@redhat.com, | |madhu.chinakonda@gmail.com, | |mchehab@infradead.org Component|docker-io |kernel Assignee|ichavero@redhat.com |kernel-maint@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Fedora Kernel Team kernel-team@fedoraproject.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?
--- Comment #5 from Fedora Kernel Team kernel-team@fedoraproject.org --- *********** MASS BUG UPDATE **************
We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 21 kernel bugs.
Fedora 21 has now been rebased to 3.19.5-200.fc21. Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.
If you have moved on to Fedora 22, and are still experiencing this issue, please change the version to Fedora 22.
If you experience different issues, please open a new bug report for those.
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
robberphex@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |UPSTREAM Flags|needinfo? | Last Closed| |2015-04-28 21:57:36
--- Comment #6 from robberphex@gmail.com --- I hove moved to Fedora 22, And docker with overlay still cannot work.
Because the error message is "SELinux is preventing docker from relabelfrom access on the directory /."
I think I'd better open a new bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Kayvan Sylvan kayvansylvan@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |kayvansylvan@gmail.com
--- Comment #7 from Kayvan Sylvan kayvansylvan@gmail.com --- I'm seeing this with Fedora 21 and docker-io 1.6.0
It's quite easy to reproduce:
[ksylvan@ksylvan-t420 src]$ docker run --rm -it -v $(pwd):/src busybox /bin/sh / # cd /src /src # ls ls: can't open '.': Permission denied /src # exit
[ksylvan@ksylvan-t420 src]$ rpm -qi docker-io Name : docker-io Version : 1.6.0 Release : 2.git3eac457.fc21 Architecture: x86_64 Install Date: Mon 27 Apr 2015 02:52:12 PM PDT
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #8 from Daniel Walsh dwalsh@redhat.com --- Could you try docker-io-1.6.0-0.2.rc7.fc21
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Zvi "Viz" Effron viz@flippedperspective.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |viz@flippedperspective.com
--- Comment #9 from Zvi "Viz" Effron viz@flippedperspective.com --- I'm still seeing this with docker-1.6.0-3.git9d26a07.fc22 on Fedora 22. And turning off SELinux under Docker does fix.
Reproduction sample:
[root@sayuno ~]# docker run -ti --rm fedora:22 bash [root@7da227018b66 /]# ls ls: cannot open directory .: Permission denied
SELinux denial:
type=AVC msg=audit(1433186579.885:5411): avc: denied { read } for pid=20790 comm="ls" name="root" dev="md127" ino=5767506 scontext=system_u:system_r:svirt_lxc_net_t:s0:c530,c542 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1433186581.388:5412): avc: denied { write } for pid=20730 comm="bash" name="root" dev="md127" ino=5767506 scontext=system_u:system_r:svirt_lxc_net_t:s0:c530,c542 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #10 from Daniel Walsh dwalsh@redhat.com ---
ps -auxww | grep docker dwalsh 17416 0.0 0.0 114388 2372 pts/2 S+ 16:17 0:00 grep --color=auto docker root 18723 0.0 0.2 593128 23232 ? Ssl May29 0:20 /usr/bin/docker -d --selinux-enabled
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
klingt.net@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |klingt.net@gmail.com
--- Comment #11 from klingt.net@gmail.com --- Same problem for me, using docker 1.8.2-fc22
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #12 from Daniel Walsh dwalsh@redhat.com --- Did you disable SELinux in docker?
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #13 from klingt.net@gmail.com --- /etc/sysconfig/docker
``` # /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs OPTIONS='--selinux-enabled=false' DOCKER_CERT_PATH=/etc/docker
# Enable insecure registry communication by appending the registry URL # to the INSECURE_REGISTRY variable below and uncommenting it # INSECURE_REGISTRY='--insecure-registry '
# On SELinux System, if you remove the --selinux-enabled option, you # also need to turn on the docker_transition_unconfined boolean. setsebool -P docker_transition_unconfined
# Location used for temporary files, such as those created by # docker load and build operations. Default is /var/lib/docker/tmp # Can be overriden by setting the following environment variable. # DOCKER_TMPDIR=/var/tmp
# Controls the /etc/cron.daily/docker-logrotate cron job status. # To disable, uncomment the line below. # LOGROTATE=false ```
Disabling SELinux in docker was not enough, I also had to set SELinux from `enforcing` to `permissive` mode.
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #14 from Daniel Walsh dwalsh@redhat.com --- What AVC messages are you seeing
ausearch -m avc,user_avc -ts recent
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #15 from klingt.net@gmail.com --- ausearch -m avc,user_avc -ts yesterday
``` ... time->Sun Sep 27 17:03:08 2015 type=AVC msg=audit(1443373388.517:411): avc: denied { read } for pid=1328 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 ---- time->Sun Sep 27 17:03:08 2015 type=AVC msg=audit(1443373388.518:412): avc: denied { entrypoint } for pid=1308 comm="exe" path="/bin/dash" dev="vda1" ino=1164530 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0 ---- time->Sun Sep 27 17:03:08 2015 type=AVC msg=audit(1443373388.546:415): avc: denied { read } for pid=1332 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 ---- time->Sun Sep 27 17:03:08 2015 type=AVC msg=audit(1443373388.576:417): avc: denied { read } for pid=1336 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 ---- time->Sun Sep 27 17:03:08 2015 type=AVC msg=audit(1443373388.584:419): avc: denied { read } for pid=1337 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 ---- time->Sun Sep 27 17:03:08 2015 type=AVC msg=audit(1443373388.593:421): avc: denied { read } for pid=1340 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 ---- time->Sun Sep 27 17:03:08 2015 type=AVC msg=audit(1443373388.601:423): avc: denied { read } for pid=1341 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 ---- time->Sun Sep 27 17:03:08 2015 type=AVC msg=audit(1443373388.611:425): avc: denied { read } for pid=1342 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 ---- ```
Set SELinux to permissive mode:
``` time->Sun Sep 27 17:05:34 2015 type=AVC msg=audit(1443373534.163:88): avc: denied { read } for pid=719 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Sun Sep 27 17:05:35 2015 type=AVC msg=audit(1443373535.199:124): avc: denied { entrypoint } for pid=858 comm="exe" path="/bin/dash" dev="vda1" ino=1164530 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1 ---- time->Sun Sep 27 17:08:32 2015 type=AVC msg=audit(1443373712.152:175): avc: denied { read } for pid=1129 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 ---- time->Sun Sep 27 17:08:32 2015 type=AVC msg=audit(1443373712.310:181): avc: denied { entrypoint } for pid=1147 comm="exe" path="/bin/busybox" dev="vda1" ino=260590 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1 ---- time->Sun Sep 27 17:09:10 2015 type=AVC msg=audit(1443373750.571:185): avc: denied { entrypoint } for pid=1242 comm="exe" path="/bin/dash" dev="vda1" ino=1164530 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=1 ```
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #16 from Daniel Walsh dwalsh@redhat.com --- I think this is fixed in the latest docker-selinux package
yum -y update --enablerepo=updates-testing docker-selinux
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #17 from klingt.net@gmail.com --- There is no update?
``` dnf update --enablerepo=updates-testing docker-selinux Fedora 22 - x86_64 - Test Updates 12 MB/s | 6.2 MB 00:00 Last metadata expiration check performed 0:00:04 ago on Mon Sep 28 16:02:10 2015. Dependencies resolved. Nothing to do. Complete! ```
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #18 from Adam Miller admiller@redhat.com --- slap a --refresh on there or try with yum-deprecated ... dnf is bad
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #19 from klingt.net@gmail.com --- I had no luck using `dnf update --refresh --enablerepo=updates-testing docker-selinux` or `yum-deprecated update --enablerepo=updates-testing docker-selinux`. Both showed that there are no packages to update.
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #20 from Daniel Walsh dwalsh@redhat.com --- koji is telling me
docker-1.8.2-4.gitcb216be.fc22 f22-updates-candidate lsm5
Is available.
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #21 from klingt.net@gmail.com --- There are updates found when I use the `--enablerepo=updates-testing" switch, but there is no `docker-selinux`:
``` Dependencies Resolved
============================================================================================================================================================================================================================================= Package Arch Version Repository Size ============================================================================================================================================================================================================================================= Installing: golang-bin x86_64 1.5.1-0.fc22 updates-testing 40 M replacing golang-pkg-bin-linux-amd64.x86_64 1.4.2-3.fc22 replacing golang-pkg-linux-amd64.noarch 1.4.2-3.fc22 kernel-core x86_64 4.1.8-200.fc22 updates-testing 19 M kernel-headers x86_64 4.1.8-200.fc22 updates-testing 1.0 M replacing kernel-headers.x86_64 4.1.7-200.fc22 Updating: freetype x86_64 2.5.5-2.fc22 updates-testing 406 k glib2 x86_64 2.44.1-2.fc22 updates-testing 2.2 M golang x86_64 1.5.1-0.fc22 updates-testing 1.1 M golang-src noarch 1.5.1-0.fc22 updates-testing 3.6 M iproute x86_64 3.16.0-4.fc22 updates-testing 538 k koji noarch 1.10.0-2.fc22 updates-testing 223 k krb5-devel x86_64 1.13.2-7.fc22 updates-testing 648 k krb5-libs x86_64 1.13.2-7.fc22 updates-testing 837 k man-db x86_64 2.7.1-9.fc22 updates-testing 823 k perl x86_64 4:5.20.3-328.fc22 updates-testing 8.0 M perl-Pod-Escapes noarch 1:1.06-328.fc22 updates-testing 62 k perl-libs x86_64 4:5.20.3-328.fc22 updates-testing 748 k perl-macros x86_64 4:5.20.3-328.fc22 updates-testing 54 k python x86_64 2.7.10-8.fc22 updates-testing 93 k python-libs x86_64 2.7.10-8.fc22 updates-testing 5.8 M python-pycurl x86_64 7.19.5.1-2.fc22 updates-testing 177 k selinux-policy noarch 3.13.1-128.16.fc22 updates-testing 423 k selinux-policy-targeted noarch 3.13.1-128.16.fc22 updates-testing 4.1 M yum noarch 3.4.3-508.fc22 updates-testing 1.2 M Installing for dependencies: go-srpm-macros noarch 1-2.fc22 updates-testing 7.9 k
Transaction Summary ============================================================================================================================================================================================================================================= Install 3 Packages (+1 Dependent package) Upgrade 19 Packages ```
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
--- Comment #22 from klingt.net@gmail.com --- To my previous post: I've run `dnf update --refresh --enablerepo=updates-testing` without `docker-selinux` argument to see if it's doing anything at all.
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Daniel Walsh dwalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |jcajka@redhat.com Component|kernel |docker Assignee|kernel-maint@redhat.com |lsm5@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Seb L. D8F55524@dynmail.crt1.net changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |D8F55524@dynmail.crt1.net
--- Comment #23 from Seb L. D8F55524@dynmail.crt1.net --- Hi,
Regarding most of the AVCs reported in comment 15:
type=AVC msg=audit(1443373388.517:411): avc: denied { read } for pid=1328 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
=> missing context for the nsfs device
Same cause (for those AVCs and only those) as bug https://bugzilla.redhat.com/show_bug.cgi?id=1234757#c7 , same resolution (see nsfs_fix.patch to be applied to the selinux-policy repo: https://bugzilla.redhat.com/attachment.cgi?id=1090403 ).
Best regards, Sébastien
golang@lists.fedoraproject.org