selinux denials when starting docker in F23

Dusty Mabe dusty at dustymabe.com
Fri Oct 9 15:46:53 UTC 2015



On 10/09/2015 06:12 AM, Daniel J Walsh wrote:
>
> This looks like docker is running with the wrong context.  Make sure
> docker-selinux is installed, and /usr/bin/docker has the right label.
>
> restorecon -v /usr/bin/docker
>
> If docker is still labeled bin_t, then check if docker.pp is installed
>
> semodule -l | grep docker
>
> If you don't see docker listed, check if docker-selinux is installed.
>
> yum install docker-selinux
>
> If the docker label changes, you need to restart the docker daemon
>
> systemctl restart docker
> ps -eZ | grep docker
>
> Should be running as docker_t
>
> There could be a conflict between selinux-policy and docker-selinux, I
> think selinux-policy has dropped docker.pp from its list of policy
> packages, which it should do.
> docker-selinux is now supposed to ship it. But it could be
> docker-selinux is installed and then selinux-policy gets updated and
> removes the docker.pp file.
>
> Just speculating on what could cause this.

It's odd. If I start fresh with an 'older' F23 cloud image I never see 
docker.pp installed:

```
[root at f23 ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-144.fc23.noarch
[root at f23 ~]# semodule -l | grep docker
[root at f23 ~]# dnf install -y docker &> /dev/null
[root at f23 ~]# rpm -q docker-selinux
docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
[root at f23 ~]# semodule -l | grep docker
[root at f23 ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20707376 Sep 21 20:21 /usr/bin/docker
[root at f23 ~]# dnf update selinux-policy-targeted -y &> /dev/null
[root at f23 ~]# semodule -l | grep docker
[root at f23 ~]#
```

If I start with a slightly newer F23 cloud image I see:

```
[root at footest ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-147.fc23.noarch
[root at footest ~]# semodule -l | grep docker
[root at footest ~]# dnf install -y docker &> /dev/null
[root at footest ~]# rpm -q docker-selinux
docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
[root at footest ~]# semodule -l | grep docker
docker
[root at footest ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:docker_exec_t:s0 20707376 Sep 21 20:21 /usr/bin/docker
[root at footest ~]# dnf update selinux-policy-targeted -y
Last metadata expiration check performed 0:04:49 ago on Fri Oct  9 15:40:48 2015.
Dependencies resolved.
Nothing to do.
Complete!
```

So... Is there a bug here? Seems like it.

Dusty
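The checks Dan listed above (label on /usr/bin/docker, docker.pp loaded, daemon domain) as a small script. This is an added example, not something from the thread: the parsing helpers take command output as an argument so they can be run on constructed samples, and check_live runs the real tools (GNU stat, semodule, ps) only when they are present.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the SELinux checks for the
# docker daemon. Helpers parse the given output; check_live reads the system.

# Return the SELinux type (third field) of a context such as
# system_u:object_r:bin_t:s0 -> bin_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify the file context of /usr/bin/docker: docker_exec_t is what the
# docker policy expects; bin_t means docker.pp is not loaded or restorecon
# has not been run since docker-selinux was installed.
classify_docker_binary() {
    case "$(selinux_type "$1")" in
        docker_exec_t) echo ok ;;
        bin_t)         echo mislabeled ;;
        *)             echo unexpected ;;
    esac
}

# Given the output of `semodule -l`, succeed if the docker module is listed
# (match on the first field so a version or priority column is tolerated).
docker_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "docker" { found = 1 } END { exit !found }'
}

# Given one `ps -eZ` line, return the domain the process runs in; the
# daemon should be in docker_t.
process_domain() {
    selinux_type "$(printf '%s\n' "$1" | awk '{ print $1 }')"
}

# Live check against the running system.
check_live() {
    command -v semodule >/dev/null 2>&1 || { echo "semodule not found"; return 2; }
    ctx=$(stat -c %C /usr/bin/docker) || return 2
    echo "/usr/bin/docker label: $(classify_docker_binary "$ctx") ($ctx)"
    if docker_module_loaded "$(semodule -l)"; then echo "docker.pp: loaded"
    else echo "docker.pp: MISSING (check docker-selinux / selinux-policy)"; fi
    dline=$(ps -eZ | awk '$NF == "docker" { print; exit }')
    [ -n "$dline" ] && echo "daemon domain: $(process_domain "$dline")"
}

# Invoke as `sh docker-label-check.sh live` to run against the real system.
if [ "${1:-}" = "live" ]; then check_live; fi
```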
