https://bugzilla.redhat.com/show_bug.cgi?id=1221911
On Sun, May 17, 2015 at 1:59 AM, Antonio Insuasti Recalde
<antonio(a)insuasti.ec> wrote:
> Hi folks,
>
> I don't know if this is a bug, but when I start a container or execute
> some command inside of a container SELinux shows this error:
>
> May 16 13:01:44 f22TC4.insuasti.ec setroubleshoot[29992]: SELinux is
> preventing bash from 'read, write' accesses on the chr_file
> /dev/pts/1. For complete SELinux messages. run sealert -l
> 12910614-818d-4051-a03b-85f2851fd055
> May 16 13:01:44 f22TC4.insuasti.ec python[29992]: SELinux is
> preventing bash from 'read, write' accesses on the chr_file
> /dev/pts/1.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that bash should be allowed read write access on the 1
> chr_file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep bash /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
>
> this is the output of sealert
>
> [root@f22TC4 ~]# sealert -l 12910614-818d-4051-a03b-85f2851fd055
> SELinux is preventing bash from 'read, write' accesses on the chr_file
> /dev/pts/1.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that bash should be allowed read write access on the 1
> chr_file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep bash /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:svirt_lxc_net_t:s0:c661,c803
> Target Context                system_u:object_r:docker_devpts_t:s0
> Target Objects                /dev/pts/1 [ chr_file ]
> Source                        bash
> Source Path                   bash
> Port                          <Unknown>
> Host                          f22TC4.insuasti.ec
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     f22TC4.insuasti.ec
> Platform                      Linux f22TC4.insuasti.ec 4.0.2-300.fc22.x86_64 #1
>                               SMP Thu May 7 16:05:02 UTC 2015 x86_64 x86_64
> Alert Count                   6
> First Seen                    2015-05-16 12:53:19 ECT
> Last Seen                     2015-05-16 13:01:43 ECT
> Local ID                      12910614-818d-4051-a03b-85f2851fd055
>
> Raw Audit Messages
> type=AVC msg=audit(1431799303.910:1222): avc: denied { read write }
> for pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4
> scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803
> tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file
> permissive=0
>
>
> Hash: bash,svirt_lxc_net_t,docker_devpts_t,chr_file,read,write
>
> this is the command I ran
> # docker exec -t -i deamon_dave /bin/bash
>
> I'm using Fedora 22 TC 4 with docker docker-1.6.0-3.git9d26a07.fc22.x86_64
>
> Thanks for the help
>
>
> --
> Antonio Insuasti R.
> --
> test mailing list
> test(a)lists.fedoraproject.org
> To unsubscribe:
> https://admin.fedoraproject.org/mailman/listinfo/test
This bug is unrelated to the original report. The current docker policy
fixes this. Please open a bugzilla on this for F22 and we will see if
we can get the fix back ported to F22.
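The workaround quoted in the report (grep the audit log, `audit2allow -M mypol`, `semodule -i mypol.pp`) is worth reading before it is installed, because audit2allow allows exactly the type pair, class and permissions that were denied and nothing narrower. The following is an added example, not code from the report, from Fedora or from the SELinux tools: it parses the raw AVC line from the report and emits the allow rule and the .te module text in the shape `audit2allow -M` writes, so the result can be reviewed. The function names and the second sample line (an ioctl denial for the same type pair, constructed to show how several AVCs collapse into one rule) are assumptions for the illustration.

```python
"""Turn raw SELinux AVC denials into the allow rule audit2allow would emit.

Added example for review of the `audit2allow -M mypol` workaround; it is
not the SELinux tooling itself and only mirrors its output format.
"""
import re
from collections import defaultdict

# The raw AVC line from the report, reassembled onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1431799303.910:1222): avc: denied { read write } '
    'for pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803 '
    'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0'
)

# Constructed second denial for the same type pair (not from the report).
SAMPLE_AVC_IOCTL = (
    'type=AVC msg=audit(1431799304.001:1223): avc: denied { ioctl } '
    'for pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803 '
    'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial needed for a TE rule, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A context is user:role:type[:range]; the MCS range itself contains ':',
    # so the type is always the third field and the range is the remainder.
    src = fields['scontext'].split(':')
    tgt = fields['tcontext'].split(':')
    return {
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'source_type': src[2],
        'source_mcs': ':'.join(src[3:]),
        'target_type': tgt[2],
        'tclass': fields['tclass'],
        'perms': sorted(perms),
        # permissive=0 means the access was really blocked (enforcing mode).
        'enforcing': fields.get('permissive') == '0',
    }


def collect_rules(lines):
    """Merge denials by (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        merged[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    return [
        'allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
        for (s, t, c), p in sorted(merged.items())
    ]


def render_module(name, lines):
    """Render a .te file in the shape `audit2allow -M <name>` produces."""
    parsed = [d for d in map(parse_avc, lines) if d]
    types = sorted({d['source_type'] for d in parsed} |
                   {d['target_type'] for d in parsed})
    classes = defaultdict(set)
    for d in parsed:
        classes[d['tclass']].update(d['perms'])
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ['}', '']
    out += collect_rules(lines)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_module('mypol', [SAMPLE_AVC, SAMPLE_AVC_IOCTL]))
```

The parser keeps the source MCS range (`s0:c661,c803`), but no TE allow rule can carry it: the rule `allow svirt_lxc_net_t docker_devpts_t:chr_file { read write };` applies to every container running as svirt_lxc_net_t on the host, not only the one that hit the denial. Reading the generated .te before `semodule -i` is the point of the exercise.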