Bug 1273110
Summary: | SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock. | |
---|---|---|---
Product: | Fedora | Reporter: | Larry O'Leary <loleary>
Component: | abrt | Assignee: | abrt <abrt-devel-list>
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 22 | CC: | abrt-devel-list, dominick.grift, dvlasenk, dwalsh, iprikryl, jfilak, lvrabec, mgrepl, mhabrnal, michal.toman, mmilata, plautrba
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Unspecified | |
Whiteboard: | abrt_hash:81e66233810f691333f2d4d60ae51ace0a62639152b76bbd8721eb538b30a1bd;VARIANT_ID=workstation; | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-10-21 16:12:38 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Larry O'Leary
2015-10-19 15:47:39 UTC
How did you get the docker command to run as abrt_t?

    ps -eZ | grep docker

It should be running as docker_t?

    systemctl restart docker

Should launch it with the right context. Also make sure docker-selinux is installed properly

    dnf -y reinstall docker-selinux

That is what is very strange. It is not running as abrt_t... not sure why the alert is reporting that.

    system_u:system_r:docker_t:s0 1819 ?        00:00:28 docker

The abrt_t context continues to be reported even across machine restarts. I reinstalled the docker-selinux package for good measure and received the same error:

```text
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:docker_var_run_t:s0
Target Objects                docker.sock [ sock_file ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      873359c9-9b40-4589-a393-43abcf8ba8a8

Raw Audit Messages
type=AVC msg=audit(1445368929.930:8995): avc: denied { write } for pid=2132 comm="docker" name="docker.sock" dev="tmpfs" ino=1363161 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0

type=SYSCALL msg=audit(1445368929.930:8995): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20808f090 a2=17 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: docker,abrt_t,docker_var_run_t,sock_file,write
```

Daniel, I just noticed that this error is actually number 4 of 4 when starting the container. The previous 3 are as follows:

```text
SELinux is preventing /u01/app/oracle/product/11.2.0/xe/bin/oracle from execute access on the file /SYSV00000000 (deleted).

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/SYSV00000000 (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /SYSV00000000 (deleted)

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that oracle should be allowed execute access on the SYSV00000000 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep oracle /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c786,c811
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /SYSV00000000 (deleted) [ file ]
Source                        oracle
Source Path                   /u01/app/oracle/product/11.2.0/xe/bin/oracle
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      4e4261d0-ab5f-4981-a0c1-995881b0bc35

Raw Audit Messages
type=AVC msg=audit(1445368929.193:8990): avc: denied { execute } for pid=2075 comm="oracle" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=196608 scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1445368929.193:8990): arch=x86_64 syscall=shmat per=400000 success=no exit=EACCES a0=30000 a1=60000000 a2=0 a3=0 items=0 ppid=2074 pid=2075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=oracle exe=/u01/app/oracle/product/11.2.0/xe/bin/oracle subj=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 key=(null)

Hash: oracle,svirt_lxc_net_t,tmpfs_t,file,execute
```

```text
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c786,c811
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ process ]
Source                        abrt-hook-ccpp
Source Path                   /usr/libexec/abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-addon-coredump-helper-2.6.1-5.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      da032ac9-b348-4ee7-8def-c3924571c0a1

Raw Audit Messages
type=AVC msg=audit(1445368929.884:8992): avc: denied { sigchld } for pid=2086 comm="abrt-hook-ccpp" scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0

type=SYSCALL msg=audit(1445368929.884:8992): arch=x86_64 syscall=wait4 success=no exit=EACCES a0=825 a1=7fff5806a7cc a2=0 a3=0 items=0 ppid=31384 pid=2086 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)

Hash: abrt-hook-ccpp,svirt_lxc_net_t,kernel_t,process,sigchld
```

```text
SELinux is preventing /usr/bin/docker from search access on the directory net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that docker should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      b11c0df0-b169-42d6-81ac-94676b12aebc

Raw Audit Messages
type=AVC msg=audit(1445368929.922:8993): avc: denied { search } for pid=2132 comm="docker" name="net" dev="proc" ino=1193 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1445368929.922:8993): arch=x86_64 syscall=open success=no exit=EACCES a0=c20802c000 a1=80000 a2=0 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: docker,abrt_t,sysctl_net_t,dir,search
```

This looks like you are running a non privileged container with oracle inside of it?

Could you just remove abrt_t. It seems to be taking over the container for some reason.

Do the abrt guys know what is going on here?

(In reply to Daniel Walsh from comment #4)
> This looks like you are running a non privileged container with oracle
> inside of it?

Correct. Host user belongs to group docker. Process in the container is running as user oracle.

> Could you just remove abrt_t. It seems to be taking over the container for
> some reason.

What do you mean, remove it?

(In reply to Daniel Walsh from comment #4)
> Do the abrt guys know what is going on here?

It looks like a process within the container crashed and abrtd tried to run `docker inspect $container_id`. See bug #1194280 for more details.

(In reply to Larry O'Leary from comment #4)
> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

(In reply to Larry O'Leary from comment #3)

abrt-hook-ccpp tried to get backtrace from the crashed process while it was dumping the process' core file. See bug #1245477 for more details.

> SELinux is preventing /u01/app/oracle/product/11.2.0/xe/bin/oracle from execute access on the file /SYSV00000000 (deleted).

If you do not want SELinux guys to fix this one. We can close this bug report as duplicate of bug #1194280.

*** This bug has been marked as a duplicate of bug 1194280 ***
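The denials in this thread are a case where the setroubleshoot catchall advice (grep the log into audit2allow) would be the wrong fix: the docker client is being denied because it runs in abrt_t rather than docker_t, so an allow rule would only widen abrt_t. The script below is an added example, not part of the bug report; it parses the AVC records quoted above (copied as sample input) and flags denials whose source domain differs from the domain the binary is expected to run in. Only the docker/docker_t pairing comes from the thread; any further entry in EXPECTED_DOMAIN is the reader's own assumption.

```python
import re

# The three AVC records quoted in this bug, copied here as sample input.
AVC_LINES = [
    'type=AVC msg=audit(1445368929.930:8995): avc: denied { write } for pid=2132 comm="docker" name="docker.sock" dev="tmpfs" ino=1363161 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1445368929.922:8993): avc: denied { search } for pid=2132 comm="docker" name="net" dev="proc" ino=1193 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1445368929.884:8992): avc: denied { sigchld } for pid=2086 comm="abrt-hook-ccpp" scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0',
]

# Domain each binary is expected to run in. docker_t is stated in the thread;
# anything else you add here is your own policy assumption.
EXPECTED_DOMAIN = {"docker": "docker_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into permissions, comm, pid, source/target types, class."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records and other noise carry no AVC payload
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A context is user:role:type[:range]; the type is the third component.
    return {
        'perms': set(m.group(1).split()),
        'comm': fields.get('comm', ''),
        'pid': int(fields.get('pid', 0)),
        'stype': fields.get('scontext', '::unknown').split(':')[2],
        'ttype': fields.get('tcontext', '::unknown').split(':')[2],
        'tclass': fields.get('tclass', ''),
    }


def find_mislabeled(lines):
    """Denials whose real problem is the source domain, not a missing rule.

    For these, audit2allow would grant the permission to the wrong domain
    (here: let abrt_t write to docker.sock) instead of fixing the transition.
    """
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        want = EXPECTED_DOMAIN.get(rec['comm'])
        if want and rec['stype'] != want:
            findings.append(
                f"pid {rec['pid']} {rec['comm']} runs as {rec['stype']}, "
                f"expected {want}; denied {sorted(rec['perms'])} on "
                f"{rec['ttype']}:{rec['tclass']}")
    return findings
```

Run `find_mislabeled(AVC_LINES)` to get the two docker denials reported with their wrong source domain; the abrt-hook-ccpp record is skipped because no expectation is registered for it.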