SELinux error when run a command on docker

Saturday, 16 May 2015

Hi folks,

I don't know if this is a bug, but when i start a container or execute
some command inside of container SELinux show this error:

May 16 13:01:44 f22TC4.insuasti.ec setroubleshoot[29992]: SELinux is
preventing bash from 'read, write' accesses on the chr_file
/dev/pts/1. For complete SELinux messages. run sealert -l
12910614-818d-4051-a03b-85f2851fd055
May 16 13:01:44 f22TC4.insuasti.ec python[29992]: SELinux is
preventing bash from 'read, write' accesses on the chr_file
/dev/pts/1.

                                                  *****  Plugin
catchall (100. confidence) suggests   **************************

                                                  If you believe that
bash should be allowed read write access on the 1 chr_file by default.
                                                  Then you should
report this as a bug.
                                                  You can generate a
local policy module to allow this access.
                                                  Do
                                                  allow this access
for now by executing:
                                                  # grep bash
/var/log/audit/audit.log | audit2allow -M mypol
                                                  # semodule -i mypol.pp

this is the out of Sealert

[root@f22TC4 ~]# sealert -l 12910614-818d-4051-a03b-85f2851fd055
SELinux is preventing bash from 'read, write' accesses on the chr_file
/dev/pts/1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed read write access on the 1
chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bash /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c661,c803
Target Context                system_u:object_r:docker_devpts_t:s0
Target Objects                /dev/pts/1 [ chr_file ]
Source                        bash
Source Path                   bash
Port                          <Unknown>
Host                          f22TC4.insuasti.ec
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f22TC4.insuasti.ec
Platform                      Linux f22TC4.insuasti.ec 4.0.2-300.fc22.x86_64 #1
                              SMP Thu May 7 16:05:02 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-05-16 12:53:19 ECT
Last Seen                     2015-05-16 13:01:43 ECT
Local ID                      12910614-818d-4051-a03b-85f2851fd055

Raw Audit Messages
type=AVC msg=audit(1431799303.910:1222): avc:  denied  { read write }
for  pid=29986 comm="bash" path="/dev/pts/1" dev="devpts"
ino=4
scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803
tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file
permissive=0

Hash: bash,svirt_lxc_net_t,docker_devpts_t,chr_file,read,write

this is the command i did run
# docker exec -t -i deamon_dave /bin/bash

I'm using Fedora 22 TC 4 with docker docker-1.6.0-3.git9d26a07.fc22.x86_64

Thank's for help

-- 
Antonio Insuasti R.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

SELinux error when run a command on docker