'su' in a Docker container -> AVC
Daniel J Walsh
dwalsh at redhat.com
Wed Jun 17 21:46:16 UTC 2015
This is a leaked key from cron into the container. I have no idea how
the crond keyring got into the container. Did you somehow restart
docker via crond?
On 06/17/2015 08:46 AM, Laurent Rineau wrote:
> I have a container whose entrypoint uses 'su' to drop its privileges. The run of the container triggers an AVC, but the container seems to run normally.
>
> That is on a server, and the SELinux Troubleshooter sends me emails (see the attachment).
>
> Two questions:
>
> 1/ Is there a way to report bugs to Bugzilla using the command line sealert tool (or another command line tool), like what we can do using the GUI?
>
> 2/ What should I do to fix that issue, if that is one?
>
>
> I copy-paste here the AVC (the attached email have more information):
>
> type=AVC msg=audit(1434542552.136:6332403): avc: denied { search } for pid=11266 comm="su" scontext=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
>
> type=SYSCALL msg=audit(1434542552.136:6332403): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=fffffffd a2=0 a3=7f7c50a132f0 items=0 ppid=11065 pid=11266 auid=4294967295 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=su exe=/usr/bin/su subj=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 key=(null)
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20150617/f3120343/attachment.html>
More information about the selinux
mailing list