Hi folks,
I don't know if this is a bug, but when I start a container or execute
some command inside a container, SELinux shows this error:

May 16 13:01:44 f22TC4.insuasti.ec setroubleshoot[29992]: SELinux is preventing bash from 'read, write' accesses on the chr_file /dev/pts/1. For complete SELinux messages. run sealert -l 12910614-818d-4051-a03b-85f2851fd055
May 16 13:01:44 f22TC4.insuasti.ec python[29992]: SELinux is preventing bash from 'read, write' accesses on the chr_file /dev/pts/1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bash should be allowed read write access on the 1 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bash /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

This is the output of sealert:

[root@f22TC4 ~]# sealert -l 12910614-818d-4051-a03b-85f2851fd055
SELinux is preventing bash from 'read, write' accesses on the chr_file
/dev/pts/1.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bash should be allowed read write access on the 1
chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bash /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c661,c803
Target Context                system_u:object_r:docker_devpts_t:s0
Target Objects                /dev/pts/1 [ chr_file ]
Source                        bash
Source Path                   bash
Port                          <Unknown>
Host                          f22TC4.insuasti.ec
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f22TC4.insuasti.ec
Platform                      Linux f22TC4.insuasti.ec 4.0.2-300.fc22.x86_64 #1 SMP Thu May 7 16:05:02 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-05-16 12:53:19 ECT
Last Seen                     2015-05-16 13:01:43 ECT
Local ID                      12910614-818d-4051-a03b-85f2851fd055

Raw Audit Messages
type=AVC msg=audit(1431799303.910:1222): avc: denied { read write } for pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0

Hash: bash,svirt_lxc_net_t,docker_devpts_t,chr_file,read,write

This is the command I ran:
# docker exec -t -i deamon_dave /bin/bash
I'm using Fedora 22 TC 4 with docker docker-1.6.0-3.git9d26a07.fc22.x86_64
Thanks for the help.
--
Antonio Insuasti R.
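
Added example, not part of the original message: the raw AVC record quoted above, parsed into its fields and rendered as the allow rule this denial corresponds to, so that what a local module from audit2allow -M would grant can be reviewed before running semodule -i. The function names and the rejoined SAMPLE line are constructed for this example.

```python
import re

# Constructed sample: the AVC record from the message, rejoined onto one
# line as it would appear in /var/log/audit/audit.log.
SAMPLE = (
    'type=AVC msg=audit(1431799303.910:1222): avc: denied { read write } '
    'for pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803 '
    'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level; the MLS/MCS level may itself contain ':'."""
    user, role, setype, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': setype, 'level': level}


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
    }


def allow_rule(rec):
    """Render the type-enforcement rule that would permit this access."""
    return 'allow %s %s:%s { %s };' % (
        rec['source']['type'], rec['target']['type'],
        rec['tclass'], ' '.join(rec['perms']))


if __name__ == '__main__':
    print(allow_rule(parse_avc(SAMPLE)))
```

The rule is scoped to the whole source domain (every process running as svirt_lxc_net_t), not to the single container named in the command, which is the thing to weigh before loading such a module.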