selinux denials when starting docker in F23

Dusty Mabe dusty at dustymabe.com
Mon Oct 12 14:19:42 UTC 2015



On 10/12/2015 06:09 AM, Miroslav Grepl wrote:
> On 10/11/2015 01:41 PM, Daniel J Walsh wrote:
>>
>> On 10/10/2015 09:09 AM, Dusty Mabe wrote:
>>>
>>> On 10/10/2015 08:02 AM, Daniel J Walsh wrote:
>>>> On 10/09/2015 01:07 PM, Bruno Wolff III wrote:
>>>>> On Fri, Oct 09, 2015 at 12:43:52 -0400,
>>>>>    Dusty Mabe <dusty at dustymabe.com> wrote:
>>>>>> On 10/08/2015 03:06 PM, Dusty Mabe wrote:
>>>>>>> and this is in the journal:
>>>>>>>
>>>>>>> ```
>>>>>>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>>>>>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>>>>>> msg='Unknown permission stop for class system
>>>>>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>>>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>>>>>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>>>>>> msg='Unknown permission stop for class system
>>>>>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>>>> ```
>>>>>> Any comments on the USER_AVC statements? Even if I have docker.pp I
>>>>>> still see these.
>>>>> I got something similar running getmail from cron. I asked about it on
>>>>> the selinux list but didn't get any suggestions on how to make a rule
>>>>> to allow this (audit2allow doesn't seem to handle this avc.)
>>>>> _______________________________________________
>>>>> cloud mailing list
>>>>> cloud at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/cloud
>>>>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>>>> If you systemctl daemon-reexec does the problem go away?
>>> No, I still see them. I did a reexec and then started and stopped a
>>> container. The `USER_AVC` messages get spit out to the journal on both
>>> start and stop.
>>>
>>> ```
>>> [root at footest ~]# journalctl -f | grep USER_AVC &
>>> [1] 11388
>>> [root at footest ~]# docker run -it --rm busybox /bin/sh
>>> Oct 10 13:08:16 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
>>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
>>> permission start for class system exe="/usr/lib/systemd/systemd"
>>> sauid=0 hostname=? addr=? terminal=?'
>>> / #
>>> / # exit
>>> Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
>>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
>>> permission stop for class system exe="/usr/lib/systemd/systemd"
>>> sauid=0 hostname=? addr=? terminal=?'
>>> Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
>>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
>>> permission stop for class system exe="/usr/lib/systemd/systemd"
>>> sauid=0 hostname=? addr=? terminal=?'
>>> ```
>> So this means that selinux policy does not define a start call for the
>> system class.  Meaning this is either a bug in systemd, systemd is
>> asking for a start access on system when it should be asking for it on a
>> service.  Or selinux-policy needs to add a start permission for system.
>> I am thinking this is probably a problem with systemd. Adding
>> Miroslav to see if he knows.
>>
> What OS? This is a systemd bug. AFAIK they added some fixes for it.

Fedora 23 beta cloud image [1] is where I started. I then fully updated
the system (dnf update -y) and rebooted before installing docker. Just
installing/starting docker gives me the USER_AVCs. If they fixed some
stuff it isn't in F23.

Dusty

[1] http://mirror.sfo12.us.leaseweb.net/fedora/linux/releases/test/23_Beta/Cloud/x86_64/Images/Fedora-Cloud-Base-23_Beta-20150915.x86_64.qcow2
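As an added illustration that is not part of this thread or of any Fedora, systemd or docker code: a small Python filter that picks the USER_AVC "Unknown permission ... for class ..." records out of journal text and tallies them by class and permission, which separates this policy/object-manager mismatch from ordinary AVC denials that audit2allow can turn into rules. The sample journal lines are constructed after the ones quoted above, written as the single-line records journalctl actually emits rather than the mail-wrapped form.

```python
import re
from collections import Counter

# Constructed sample journal text (single-line records, as journalctl emits them),
# modelled on the USER_AVC lines quoted in the thread; it is not captured output.
SAMPLE_JOURNAL = """\
Oct 10 13:08:16 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 10 13:08:30 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 10 13:08:31 footest sshd[1200]: Accepted publickey for core from 10.0.0.5 port 51234 ssh2
"""

# USER_AVC records come from a userspace object manager (here systemd, pid 1),
# not from the kernel, so subj= is the manager's own context, not the client's.
USER_AVC_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) audit\[\d+\]: USER_AVC "
    r"pid=(?P<pid>\d+) .*?subj=(?P<subj>\S+) msg='(?P<msg>.*)'$"
)
# The thread's symptom: the loaded policy has no such permission in that class,
# so this is a policy/object-manager mismatch, not a denial audit2allow can fix.
UNKNOWN_PERM_RE = re.compile(
    r"^Unknown permission (?P<perm>\S+) for class (?P<cls>\S+) exe=\"(?P<exe>[^\"]*)\""
)

def parse_user_avc(line):
    """Return the fields of a USER_AVC journal line, or None for any other line."""
    m = USER_AVC_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_unknown_permissions(journal_text):
    """List every USER_AVC record whose message is an 'Unknown permission' report."""
    found = []
    for line in journal_text.splitlines():
        rec = parse_user_avc(line)
        if rec is None:
            continue
        um = UNKNOWN_PERM_RE.match(rec["msg"])
        if um is None:
            continue  # other USER_AVC traffic, e.g. policyload notices
        rec.update(um.groupdict())
        found.append(rec)
    return found

def summarize(journal_text):
    """Count unknown (class, permission) pairs so one bug is reported once, not per event."""
    return Counter((r["cls"], r["perm"]) for r in find_unknown_permissions(journal_text))
```

Run `summarize(SAMPLE_JOURNAL)` to get `{('system', 'start'): 1, ('system', 'stop'): 1}`; on a real host feed it `journalctl -o short` output instead of the constructed sample.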



