selinux denials when starting docker in F23

Dusty Mabe dusty at dustymabe.com
Sat Oct 10 14:02:06 UTC 2015



On 10/09/2015 11:46 AM, Dusty Mabe wrote:
>
>
> On 10/09/2015 06:12 AM, Daniel J Walsh wrote:
>>
>> This looks like docker is running with the wrong context.  Make sure
>> docker-selinux is installed and /usr/bin/docker has the right label.
>>
>> restorecon -v /usr/bin/docker
>>
>> If docker is still labeled bin_t, then check if docker.pp is installed
>>
>> semodule -l | grep docker
>>
>> If you don't see docker listed, check if docker-selinux is installed.
>>
>> yum install docker-selinux
>>
>> If docker label changes you need to restart the docker daemon
>>
>> systemctl restart docker
>> ps -eZ | grep docker
>>
>> Should be running as docker_t
>>
>> There could be a conflict between selinux-policy and docker-selinux, I
>> think selinux-policy has dropped docker.pp from its list of policy
>> packages, which it should do.
>> docker-selinux is now supposed to ship it. But it could be
>> docker-selinux is installed and then selinux-policy gets updated and
>> removes the docker.pp file.
>>
>> Just speculating on what could cause this.
>
> It's odd. If I start fresh with an 'older' F23 cloud image I never see 
> docker.pp installed:
>
> ```
> [root at f23 ~]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-144.fc23.noarch
> [root at f23 ~]# semodule -l | grep docker
> [root at f23 ~]# dnf install -y docker &> /dev/null
> [root at f23 ~]# rpm -q docker-selinux
> docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
> [root at f23 ~]# semodule -l | grep docker
> [root at f23 ~]# ls -lZ /usr/bin/docker
> -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20707376 Sep 21 
> 20:21 /usr/bin/docker
> [root at f23 ~]# dnf update selinux-policy-targeted -y &> /dev/null
> [root at f23 ~]# semodule -l | grep docker
> [root at f23 ~]#
> ```
>
> If I start with a slightly newer F23 cloud image I see:
>
> ```
> [root at footest ~]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-147.fc23.noarch
> [root at footest ~]# semodule -l | grep docker
> [root at footest ~]# dnf install -y docker &> /dev/null
> [root at footest ~]# rpm -q docker-selinux
> docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
> [root at footest ~]# semodule -l | grep docker
> docker
> [root at footest ~]# ls -lZ /usr/bin/docker
> -rwxr-xr-x. 1 root root system_u:object_r:docker_exec_t:s0 20707376 
> Sep 21 20:21 /usr/bin/docker
> [root at footest ~]# dnf update selinux-policy-targeted -y
> Last metadata expiration check performed 0:04:49 ago on Fri Oct  9 
> 15:40:48 2015.
> Dependencies resolved.
> Nothing to do.
> Complete!
> ```
>
> So.. Is there a bug here? Seems like it.

I opened this bug.. https://bugzilla.redhat.com/show_bug.cgi?id=1270521

Dusty
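
The label, module and process-domain checks Daniel lists above, gathered into one script. This is an added example, not code from the thread, from Fedora or from the docker-selinux package; it assumes only `ls -Z`, `semodule -l`, `ps -eZ` and `awk`, and the sample lines in the comments are constructed from the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check the three SELinux facts Daniel
# asks for. The parsing helpers take command output as text so they can be
# exercised with constructed sample lines; diagnose_docker_selinux runs the
# live commands only when the script is invoked with --live.

# Print the SELinux type (third field of user:role:type:level) from the first
# security-context token in $1. Works on `ls -Z` and `ls -lZ` lines alike, e.g.
# "-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20707376 Sep 21 20:21 /usr/bin/docker"
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# 0 when the binary carries docker_exec_t, 1 when it is still bin_t (the
# symptom in the thread: the file was never relabeled), 2 for anything else.
check_binary_label() {
    case "$(context_type "$1")" in
        docker_exec_t) return 0 ;;
        bin_t)         return 1 ;;
        *)             return 2 ;;
    esac
}

# 0 when `semodule -l` output ($1) lists a module named exactly "docker".
# Older semodule prints "docker<TAB>version", newer prints only the name;
# matching the first field handles both.
check_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "docker" { found = 1 } END { exit found ? 0 : 1 }'
}

# 0 when `ps -eZ` output ($1) shows a docker process whose domain is docker_t.
# The first column is the context, the last is the command name.
check_daemon_domain() {
    printf '%s\n' "$1" | awk '$NF ~ /^docker/ && $1 ~ /:docker_t(:|$)/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Run the live checks and say which of the suggested fixes applies.
# Exit status is 0 only when all three checks pass.
diagnose_docker_selinux() {
    rc=0
    if check_binary_label "$(ls -Z /usr/bin/docker 2>/dev/null)"; then
        echo "ok:   /usr/bin/docker is labeled docker_exec_t"
    else
        echo "FAIL: /usr/bin/docker is not docker_exec_t -> restorecon -v /usr/bin/docker"
        rc=1
    fi
    if check_module_loaded "$(semodule -l 2>/dev/null)"; then
        echo "ok:   docker policy module is loaded"
    else
        echo "FAIL: docker module not loaded -> check that docker-selinux is installed"
        rc=1
    fi
    if check_daemon_domain "$(ps -eZ 2>/dev/null)"; then
        echo "ok:   docker daemon is running as docker_t"
    else
        echo "FAIL: no docker process in docker_t -> systemctl restart docker after relabeling"
        rc=1
    fi
    return $rc
}

# Only touch the live system when explicitly asked; sourcing the file for
# its functions does nothing.
case "${1:-}" in
    --live) diagnose_docker_selinux ;;
esac
```

Run it as `sh check-docker-selinux.sh --live` on the affected host; because the parsing functions take command output as a string, they can also be fed saved output copied from another machine. A `bin_t` result is the mislabel the thread describes, and `restorecon` can only fix it when the policy module that defines `docker_exec_t` is loaded, which is why the module check comes second.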
