selinux denials when starting docker in F23

Dusty Mabe dusty at dustymabe.com
Sat Oct 10 13:09:11 UTC 2015



On 10/10/2015 08:02 AM, Daniel J Walsh wrote:
>
> On 10/09/2015 01:07 PM, Bruno Wolff III wrote:
>> On Fri, Oct 09, 2015 at 12:43:52 -0400,
>>   Dusty Mabe <dusty at dustymabe.com> wrote:
>>>
>>> On 10/08/2015 03:06 PM, Dusty Mabe wrote:
>>>> and this is in the journal:
>>>>
>>>> ```
>>>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>>> msg='Unknown permission stop for class system
>>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>>> msg='Unknown permission stop for class system
>>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>> ```
>>> Any comments on the USER_AVC statements? Even if I have docker.pp I
>>> still see these.
>> I got something similar running getmail from cron. I asked about it on
>> the selinux list but didn't get any suggestions on how to make a rule
>> to allow this (audit2allow doesn't seem to handle this avc.)
>> _______________________________________________
>> cloud mailing list
>> cloud at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/cloud
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> If you systemctl daemon-reexec does the problem go away?

No, I still see them. I did a reexec and then started and stopped a 
container. The `USER_AVC` messages get spit out to the journal on both 
start and stop.

```
[root at footest ~]# journalctl -f | grep USER_AVC &
[1] 11388
[root at footest ~]# docker run -it --rm busybox /bin/sh
Oct 10 13:08:16 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission 
start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? 
addr=? terminal=?'
/ #
/ # exit
Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission 
stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? 
addr=? terminal=?'
Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission 
stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? 
addr=? terminal=?'
```
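As an added example (not part of the thread or of any Fedora tooling), a small Python parser for USER_AVC journal records like the ones above: it pulls the `Unknown permission <perm> for class <class>` pairs out of each line so they can be triaged, since audit2allow skips these records (they carry no `denied { perm }` with source and target contexts). The sample lines are constructed from the output above, joined onto single lines as journalctl emits them; the field names are those of the audit record.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the journal output above (not a real
# capture): two USER_AVC records and one unrelated systemd line.
SAMPLE_JOURNAL = """\
Oct 10 13:08:16 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 10 13:08:20 footest systemd[1]: Started Docker Application Container Engine.
Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Outer key=value fields, then the quoted msg='...' payload.
USER_AVC_RE = re.compile(r"audit\[\d+\]: USER_AVC (?P<outer>.*?) msg='(?P<msg>.*)'$")
# The text libselinux emits when the loaded policy lacks a class/permission.
UNKNOWN_PERM_RE = re.compile(r"Unknown permission (?P<perm>\S+) for class (?P<cls>\S+)")
# key=value pairs; values may be double-quoted (exe="...") or bare (hostname=?).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_user_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a USER_AVC journal line, or None for other lines.

    Outer pairs (pid, uid, subj, ...) and the pairs inside msg (exe, sauid, ...)
    are merged into one dict; 'perm' and 'class' are set when the message is an
    'Unknown permission' report.
    """
    m = USER_AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("outer"))}
    msg = m.group("msg")
    fields.update({k: v.strip('"') for k, v in KV_RE.findall(msg)})
    u = UNKNOWN_PERM_RE.search(msg)
    if u:
        fields["perm"] = u.group("perm")
        fields["class"] = u.group("cls")
    return fields


def unknown_permissions(journal_text: str) -> Dict[Tuple[str, str], List[str]]:
    """Map each (class, permission) the policy does not define to the subject
    contexts that triggered it, so a policy maintainer sees what is missing."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for line in journal_text.splitlines():
        rec = parse_user_avc(line)
        if rec and "perm" in rec:
            seen.setdefault((rec["class"], rec["perm"]), []).append(rec["subj"])
    return seen
```

Feed it `journalctl -o short | grep USER_AVC` output in place of the constructed sample to get the same summary for a live host.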

