Bug 1273110 - SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock.
Summary: SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file ...
Keywords:
Status: CLOSED DUPLICATE of bug 1194280
Alias: None
Product: Fedora
Classification: Fedora
Component: abrt
Version: 22
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: abrt
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:81e66233810f691333f2d4d60ae...
Depends On:
Blocks:
 
Reported: 2015-10-19 15:47 UTC by Larry O'Leary
Modified: 2015-10-21 16:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-21 16:12:38 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1194280 0 high CLOSED please allow abrtd to run "docker inspect $ID" 2023-09-12 00:44:08 UTC
Red Hat Bugzilla 1245477 0 urgent CLOSED SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process. 2022-05-16 11:32:56 UTC

Internal Links: 1194280 1245477

Description Larry O'Leary 2015-10-19 15:47:39 UTC
Description of problem:
Start Oracle XE in docker container:

$ docker run -d alexeiled/docker-oracle-xe-11g:latest && sleep 180
SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that docker should be allowed write access on the docker.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:docker_var_run_t:s0
Target Objects                docker.sock [ sock_file ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
                              Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-10-02 11:22:29 CDT
Last Seen                     2015-10-19 10:40:01 CDT
Local ID                      c5bb6279-dd01-447a-9d38-89fa59033353

Raw Audit Messages
type=AVC msg=audit(1445269201.387:2769): avc:  denied  { write } for  pid=13273 comm="docker" name="docker.sock" dev="tmpfs" ino=22487 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(1445269201.387:2769): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20805b090 a2=17 a3=0 items=0 ppid=13272 pid=13273 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: docker,abrt_t,docker_var_run_t,sock_file,write

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.10-200.fc22.x86_64
type:           libreport

Comment 1 Daniel Walsh 2015-10-20 12:21:12 UTC
How did you get the docker command to run as abrt_t?

ps -eZ | grep docker

It should be running as docker_t?

systemctl restart docker

Should launch it with the right context.

Also make sure docker-selinux is installed properly

dnf -y reinstall docker-selinux

Comment 2 Larry O'Leary 2015-10-20 19:27:05 UTC
That is what is very strange. It is not running as abrt_t... not sure why the alert is reporting that.

system_u:system_r:docker_t:s0    1819 ?        00:00:28 docker


The abrt_t context continues to be reported even across machine restarts.

I reinstalled the docker-selinux package for good measure and received the same error:

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:docker_var_run_t:s0
Target Objects                docker.sock [ sock_file ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
                              Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      873359c9-9b40-4589-a393-43abcf8ba8a8

Raw Audit Messages
type=AVC msg=audit(1445368929.930:8995): avc:  denied  { write } for  pid=2132 comm="docker" name="docker.sock" dev="tmpfs" ino=1363161 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(1445368929.930:8995): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c20808f090 a2=17 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: docker,abrt_t,docker_var_run_t,sock_file,write

Comment 3 Larry O'Leary 2015-10-20 19:39:59 UTC
Daniel, I just noticed that this error is actually number 4 of 4 when starting the container. The previous 3 are as follows:

SELinux is preventing /u01/app/oracle/product/11.2.0/xe/bin/oracle from execute access on the file /SYSV00000000 (deleted).

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/SYSV00000000 (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /SYSV00000000 (deleted)

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that oracle should be allowed execute access on the SYSV00000000 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep oracle /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c786,c811
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /SYSV00000000 (deleted) [ file ]
Source                        oracle
Source Path                   /u01/app/oracle/product/11.2.0/xe/bin/oracle
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
                              Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      4e4261d0-ab5f-4981-a0c1-995881b0bc35

Raw Audit Messages
type=AVC msg=audit(1445368929.193:8990): avc:  denied  { execute } for  pid=2075 comm="oracle" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=196608 scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1445368929.193:8990): arch=x86_64 syscall=shmat per=400000 success=no exit=EACCES a0=30000 a1=60000000 a2=0 a3=0 items=0 ppid=2074 pid=2075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=oracle exe=/u01/app/oracle/product/11.2.0/xe/bin/oracle subj=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 key=(null)

Hash: oracle,svirt_lxc_net_t,tmpfs_t,file,execute
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c786,c811
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ process ]
Source                        abrt-hook-ccpp
Source Path                   /usr/libexec/abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-addon-coredump-helper-2.6.1-5.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
                              Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      da032ac9-b348-4ee7-8def-c3924571c0a1

Raw Audit Messages
type=AVC msg=audit(1445368929.884:8992): avc:  denied  { sigchld } for  pid=2086 comm="abrt-hook-ccpp" scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0


type=SYSCALL msg=audit(1445368929.884:8992): arch=x86_64 syscall=wait4 success=no exit=EACCES a0=825 a1=7fff5806a7cc a2=0 a3=0 items=0 ppid=31384 pid=2086 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)

Hash: abrt-hook-ccpp,svirt_lxc_net_t,kernel_t,process,sigchld
SELinux is preventing /usr/bin/docker from search access on the directory net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that docker should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-1.8.2-1.gitf1db8f2.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.10-200.fc22.x86_64 #1 SMP Mon
                              Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-20 14:22:09 CDT
Last Seen                     2015-10-20 14:22:09 CDT
Local ID                      b11c0df0-b169-42d6-81ac-94676b12aebc

Raw Audit Messages
type=AVC msg=audit(1445368929.922:8993): avc:  denied  { search } for  pid=2132 comm="docker" name="net" dev="proc" ino=1193 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1445368929.922:8993): arch=x86_64 syscall=open success=no exit=EACCES a0=c20802c000 a1=80000 a2=0 a3=0 items=0 ppid=2131 pid=2132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=docker exe=/usr/bin/docker subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: docker,abrt_t,sysctl_net_t,dir,search

Comment 4 Daniel Walsh 2015-10-20 21:47:09 UTC
This looks like you are running a non privileged container with oracle inside of it? 

Could you just remove abrt_t.  It seems to be taking over the container for some reason.

Do the abrt guys know what is going on here?

Comment 5 Larry O'Leary 2015-10-20 22:20:46 UTC
(In reply to Daniel Walsh from comment #4)
> This looks like you are running a non privileged container with oracle
> inside of it? 

Correct. Host user belongs to group docker. Process in the container is running as user oracle.

> Could you just remove abrt_t.  It seems to be taking over the container for
> some reason.

What do you mean, remove it?

Comment 6 Jakub Filak 2015-10-21 05:45:50 UTC
(In reply to Daniel Walsh from comment #4)
> Do the abrt guys know what is going on here?

It looks like a process within the container crashed and abrtd tried to run `docker inspect $container_id`. See bug #1194280 for more details.


(In reply to Larry O'Leary from comment #3)
> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.

abrt-hook-ccpp tried to get backtrace from the crashed process while it was dumping the process' core file. See bug #1245477 for more details.


> SELinux is preventing /u01/app/oracle/product/11.2.0/xe/bin/oracle from execute access on the file /SYSV00000000 (deleted).

If you do not want the SELinux guys to fix this one, we can close this bug report as a duplicate of bug #1194280.
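The root cause in comment #6 is the check worth automating before anyone follows setroubleshoot's catchall advice: the denied `docker` process was not the daemon (which comment #2 shows running as docker_t) but a `docker inspect` child spawned by abrtd, so it inherited abrt_t. Running `audit2allow` on that denial would emit `allow abrt_t docker_var_run_t:sock_file write;`, and write access to docker.sock is control of the Docker daemon, i.e. root on the host, handed to the crash-reporting domain. The script below is an added example, not code from this report or from abrt, docker or setroubleshoot. It parses the four AVC records Larry pasted (copied here as constructed input), decodes the hex-encoded path audit emits for names containing spaces, reconstructs the rule audit2allow would produce, and flags any denial where a known binary ran in a domain other than the one it is expected to run in. The `EXPECTED_DOMAIN` table is an assumption for illustration, based only on comment #1.

```python
import re

# Constructed input: the four AVC records pasted in comments 2 and 3,
# trimmed to one line each.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1445368929.930:8995): avc:  denied  { write } for  pid=2132 comm="docker" name="docker.sock" dev="tmpfs" ino=1363161 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1445368929.193:8990): avc:  denied  { execute } for  pid=2075 comm="oracle" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=196608 scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1445368929.884:8992): avc:  denied  { sigchld } for  pid=2086 comm="abrt-hook-ccpp" scontext=system_u:system_r:svirt_lxc_net_t:s0:c786,c811 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1445368929.922:8993): avc:  denied  { search } for  pid=2132 comm="docker" name="net" dev="proc" ino=1193 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0',
]

# Assumption for this example: which domain each binary is supposed to run
# in (comment #1 says the docker daemon should be docker_t).
EXPECTED_DOMAIN = {"docker": "docker_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # The audit subsystem hex-encodes a field when it contains spaces or
    # control characters, which is why the oracle denial shows path=2F5359...
    path = fields.get("path")
    if path and re.fullmatch(r"[0-9A-Fa-f]+", path) and len(path) % 2 == 0:
        path = bytes.fromhex(path).decode("utf-8", "replace")
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]),
        "sdomain": fields["scontext"].split(":")[2],   # e.g. abrt_t
        "ttype": fields["tcontext"].split(":")[2],     # e.g. docker_var_run_t
        "tclass": fields["tclass"],
        "object": path or fields.get("name"),
    }


def audit2allow_rule(rec):
    """The allow rule audit2allow would generate for this denial."""
    return "allow %s %s:%s { %s };" % (
        rec["sdomain"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def wrong_domain(rec):
    """True when the binary is known and ran outside its expected domain."""
    expected = EXPECTED_DOMAIN.get(rec["comm"])
    return expected is not None and rec["sdomain"] != expected


def triage(lines):
    """Return (pid, comm, sdomain, rule) for each denial raised by a process
    running in an unexpected domain; these must not be fed to audit2allow."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec and wrong_domain(rec):
            findings.append((rec["pid"], rec["comm"], rec["sdomain"],
                             audit2allow_rule(rec)))
    return findings


if __name__ == "__main__":
    for pid, comm, dom, rule in triage(SAMPLE_AVCS):
        print("pid %d: %s ran as %s; audit2allow would emit: %s"
              % (pid, comm, dom, rule))
```

On a live host the same check is `ps -eZ | grep docker` for the daemon plus `ausearch -m AVC -c docker` for the denials; when the two domains disagree, as they do here, the fix is a policy change for the spawning domain (the subject of bug 1194280), not a local module that widens abrt_t.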

Comment 7 Daniel Walsh 2015-10-21 16:12:38 UTC

*** This bug has been marked as a duplicate of bug 1194280 ***

