selinux denials when starting docker in F23

Daniel J Walsh dwalsh at redhat.com
Fri Oct 9 10:12:08 UTC 2015



On 10/08/2015 03:23 PM, Dusty Mabe wrote:
>
>
> On 10/08/2015 03:06 PM, Dusty Mabe wrote:
>> Hey guys anybody seen these when starting
>> docker-1.8.2-5.gitcb216be.fc23.x86_64:
>>
>> ```
>> Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc: denied {
>> read } for  pid=1513 comm="iptables" path="net:[4026531957]"
>> dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
>> ```
>>
>> Nevertheless the docker daemon is up and running but if I start a
>> container and then force remove it I see:
>>
>> ```
>> Error deleting container: Error response from daemon: Cannot destroy
>> container
>> 710f834e316946a422a00fb3470b895b387519ecb01a5b195cc818b9764f82a7:
>> Failed to set container state to RemovalInProgress: Status is already
>> RemovalInProgress
>> ```
>>
>> and this is in the journal:
>>
>> ```
>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>> msg='Unknown permission stop for class system
>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>> msg='Unknown permission stop for class system
>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>> ```
>
> Also (on a separate machine - this time the f23 cloud vagrant box) - I
> am seeing this when I run `docker run -it --rm busybox /bin/sh`:
>
> ```
> [root at f23 ~]# docker run -it --rm busybox /bin/sh
> permission denied
> Error response from daemon: Cannot start container
> 48f491260754d82c292f0d52154cb9fc45f8dede1a9bdc9adbe9a465406671e5: [8]
> System error: permission denied
> ```
>
> and from the journal:
>
> ```
> Oct 08 19:19:01 f23 audit[998]: AVC avc:  denied  { transition } for
> pid=998 comm="exe" path="/bin/sh" dev="dm-3" ino=33555457
> scontext=system_u:system_r:unconfined_service_t:s0
> tcontext=system_u:system_r:svirt_lxc_net_t:s0:c581,c843 tclass=process
> permissive=0
> ```
> _______________________________________________
> cloud mailing list
> cloud at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/cloud
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
This looks like docker is running with the wrong context.  Make sure
docker-selinux is installed and /usr/bin/docker has the right label.

```
restorecon -v /usr/bin/docker
```

If docker is still labeled bin_t, then check if docker.pp is installed:

```
semodule -l | grep docker
```

If you don't see docker listed, check if docker-selinux is installed.

```
yum install docker-selinux
```

If the docker label changes, you need to restart the docker daemon:

```
systemctl restart docker
ps -eZ | grep docker
```

Should be running as docker_t.

There could be a conflict between selinux-policy and docker-selinux. I
think selinux-policy has dropped docker.pp from its list of policy
packages, which it should do.
docker-selinux is now supposed to ship it.  But it could be that
docker-selinux is installed and then selinux-policy gets updated and
removes the docker.pp file.

Just speculating on what could cause this.
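The checks from the reply above (file label, loaded policy module, daemon domain, and the scontext of the quoted transition denial), written as an added example that is not part of this thread. The functions take command output as arguments so they can be fed real `ls -Z`, `semodule -l`, `ps -eZ` and audit output or the constructed samples at the bottom; the expected file type docker_exec_t is an assumption, since the thread only says the binary must not be bin_t and the daemon must run as docker_t.

```shell
#!/bin/sh
# Added example, not from the original thread: Daniel Walsh's diagnosis
# steps as functions over command output.

EXPECTED_PROCESS_TYPE=docker_t    # stated in the thread
EXPECTED_FILE_TYPE=docker_exec_t  # assumption: label docker-selinux gives the binary

# The third colon-separated field of a context (user:role:type:level) is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type of a file from one line of `ls -Z <file>` output ("<context> <path>").
file_type() {
    set -- $1
    context_type "$1"
}

# Type the named command runs as, taken from `ps -eZ` output
# ("<context> PID TTY TIME CMD"); prints nothing if it is not running.
process_type() {
    printf '%s\n' "$1" | awk -v c="$2" '$NF == c { print $1; exit }' | cut -d: -f3
}

# Is the policy module named $2 present in `semodule -l` output $1?
module_loaded() {
    printf '%s\n' "$1" | grep -q -E "^$2([[:space:]]|$)"
}

# Source type from an AVC denial line (the scontext= field).
avc_source_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# Run all three checks and print the remedy from the thread for each failure.
# Returns 0 when everything is as expected, 1 otherwise.
diagnose() {
    ls_line=$1; semodule_out=$2; ps_out=$3
    status=0
    ftype=$(file_type "$ls_line")
    if [ "$ftype" != "$EXPECTED_FILE_TYPE" ]; then
        echo "/usr/bin/docker is labeled $ftype: run 'restorecon -v /usr/bin/docker'"
        status=1
    fi
    if ! module_loaded "$semodule_out" docker; then
        echo "docker policy module not loaded: run 'yum install docker-selinux'"
        status=1
    fi
    ptype=$(process_type "$ps_out" docker)
    if [ -n "$ptype" ] && [ "$ptype" != "$EXPECTED_PROCESS_TYPE" ]; then
        echo "daemon runs as $ptype, expected $EXPECTED_PROCESS_TYPE: run 'systemctl restart docker'"
        status=1
    fi
    return $status
}

# Constructed sample output modelled on the symptoms in the thread.
SAMPLE_LS='system_u:object_r:bin_t:s0 /usr/bin/docker'
SAMPLE_SEMODULE='abrt
unconfined
virt'
SAMPLE_PS='system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
system_u:system_r:unconfined_service_t:s0 1422 ? 00:00:01 docker'
SAMPLE_AVC='audit[998]: AVC avc:  denied  { transition } for pid=998 comm="exe" path="/bin/sh" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c581,c843 tclass=process permissive=0'

# Real use:  diagnose "$(ls -Z /usr/bin/docker)" "$(semodule -l)" "$(ps -eZ)"
diagnose "$SAMPLE_LS" "$SAMPLE_SEMODULE" "$SAMPLE_PS" || true
echo "AVC source type: $(avc_source_type "$SAMPLE_AVC")"
```

On the constructed samples `diagnose` reports all three failures, and the AVC line yields unconfined_service_t as the source type, which is exactly the "wrong context" the reply points at: a container start denied on `transition` from a daemon that is not running as docker_t.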
