https://bugzilla.redhat.com/show_bug.cgi?id=1206751
Bug ID: 1206751
Summary: Docker with overlay cannot run bash (prevented by SELinux)
Product: Fedora
Version: 21
Component: docker-io
Severity: high
Assignee: ichavero(a)redhat.com
Reporter: robberphex(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: adimania(a)gmail.com, admiller(a)redhat.com,
golang(a)lists.fedoraproject.org, hushan.jia(a)gmail.com,
ichavero(a)redhat.com, jchaloup(a)redhat.com,
jperrin(a)centos.org, lsm5(a)redhat.com,
mattdm(a)redhat.com, mgoldman(a)redhat.com,
miminar(a)redhat.com, s(a)shk.io, thrcka(a)redhat.com,
vbatts(a)redhat.com
Description of problem:
The container cannot read .so files in the overlay, and cannot relabel the filesystem.
How reproducible:
Steps to Reproduce:
1. Add "DOCKER_STORAGE_OPTIONS= --storage-driver=overlay" to /etc/sysconfig/docker-storage, and restart the docker service.
2. Re-pull the image (in my case, pull debian:jessie).
3. Run a container (sudo docker run -it debian:jessie /bin/bash).
Actual results:
/bin/bash: error while loading shared libraries: libncurses.so.5: cannot open
shared object file: No such file or directory
(prevented by SELinux)
Expected results:
bash prompt in container
Additional info:
There are 4 SELinux alerts:
----1----
SELinux is preventing docker from mount access on the filesystem /.
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin catchall (6.38 confidence) suggests **************************
If you believe that docker should be allowed mount access on the filesystem by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:docker_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects / [ filesystem ]
Source docker
Source Path docker
Port <Unknown>
Host rp.fedora
Source RPM Packages
Target RPM Packages filesystem-3.2-28.fc21.x86_64
Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rp.fedora
Platform Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed
Mar 18 04:29:24 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-03-28 09:08:17 CST
Last Seen 2015-03-28 09:08:17 CST
Local ID fcd44130-63b9-4680-9975-4dc6a416b566
Raw Audit Messages
type=AVC msg=audit(1427504897.987:739): avc: denied { mount } for pid=1337
comm="docker" name="/" dev="overlay" ino=65132
scontext=system_u:system_r:docker_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Hash: docker,docker_t,unlabeled_t,filesystem,mount
----2----
SELinux is preventing docker from unmount access on the filesystem .
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin catchall (6.38 confidence) suggests **************************
If you believe that docker should be allowed unmount access on the filesystem
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:docker_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects [ filesystem ]
Source docker
Source Path docker
Port <Unknown>
Host rp.fedora
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rp.fedora
Platform Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed
Mar 18 04:29:24 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-03-28 09:08:17 CST
Last Seen 2015-03-28 09:08:17 CST
Local ID c4a57cd0-ae92-4521-ad81-40a5e30a5627
Raw Audit Messages
type=AVC msg=audit(1427504897.990:740): avc: denied { unmount } for pid=1337
comm="docker" scontext=system_u:system_r:docker_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Hash: docker,docker_t,unlabeled_t,filesystem,unmount
----3----
SELinux is preventing docker from relabelfrom access on the filesystem .
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin file (47.5 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin catchall (6.38 confidence) suggests **************************
If you believe that docker should be allowed relabelfrom access on the
filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:docker_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects [ filesystem ]
Source docker
Source Path docker
Port <Unknown>
Host rp.fedora
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rp.fedora
Platform Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed
Mar 18 04:29:24 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-03-28 09:08:17 CST
Last Seen 2015-03-28 09:08:17 CST
Local ID ad86497a-be89-4611-8686-7aa67e73f523
Raw Audit Messages
type=AVC msg=audit(1427504897.998:741): avc: denied { relabelfrom } for
pid=1337 comm="docker" scontext=system_u:system_r:docker_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Hash: docker,docker_t,unlabeled_t,filesystem,relabelfrom
----4----
SELinux is preventing bash from read access on the file
/var/lib/docker/overlay/1cbc0c1b2084b5f3c8fdc283032c124f6fb461242cc5b82fb183095a414869b9/root/lib/x86_64-linux-gnu/libncurses.so.5.9.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bash should be allowed read access on the libncurses.so.5.9
file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bash /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:svirt_lxc_net_t:s0:c156,c1000
Target Context system_u:object_r:docker_var_lib_t:s0
Target Objects
/var/lib/docker/overlay/1cbc0c1b2084b5f3c8fdc28303
2c124f6fb461242cc5b82fb183095a414869b9/root/lib/x8
6_64-linux-gnu/libncurses.so.5.9 [ file ]
Source bash
Source Path bash
Port <Unknown>
Host rp.fedora
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rp.fedora
Platform Linux rp.fedora 3.19.1-201.fc21.x86_64 #1 SMP Wed
Mar 18 04:29:24 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-03-28 09:08:18 CST
Last Seen 2015-03-28 09:08:18 CST
Local ID 2a5fbf0f-dc4e-489b-a9ca-2541bb55209e
Raw Audit Messages
type=AVC msg=audit(1427504898.269:754): avc: denied { read } for pid=10156
comm="bash" name="libncurses.so.5.9" dev="dm-0" ino=2100260
scontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c1000
tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0
Hash: bash,svirt_lxc_net_t,docker_var_lib_t,file,read
----end----
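An added example, not part of the bug report: a small Python parser that reads the four raw AVC records quoted above (re-joined onto single lines as a constructed sample, the way they sit in /var/log/audit/audit.log) and groups them by source type, target type, class and permission. It also separates records logged with permissive=1 (the three docker_t denials, which were recorded but not blocked) from the one logged with permissive=0, the read of libncurses.so.5.9 by the container's svirt_lxc_net_t process, which is the denial that actually stopped bash.

```python
import re

# Constructed sample: the four AVC records from the report, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1427504897.987:739): avc: denied { mount } for pid=1337 comm="docker" name="/" dev="overlay" ino=65132 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1427504897.990:740): avc: denied { unmount } for pid=1337 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1427504897.998:741): avc: denied { relabelfrom } for pid=1337 comm="docker" scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1427504898.269:754): avc: denied { read } for pid=10156 comm="bash" name="libncurses.so.5.9" dev="dm-0" ino=2100260 scontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c1000 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0
"""

# Real audit logs use two spaces around "denied"; " +" tolerates both forms.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+?) \} for (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "perms": m.group("perms").split()}
    for k, v in KV_RE.findall(m.group("rest")):
        rec[k] = v.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the kernel actually refused the access.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class, permission)."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            entry = summary.setdefault(key, {"count": 0, "enforced": False, "comm": set()})
            entry["count"] += 1
            entry["enforced"] |= rec["enforced"]
            entry["comm"].add(rec["comm"])
    return summary


def blocking_denials(log_text):
    """Keys of the denials that were enforced, i.e. the ones that broke something."""
    return [k for k, v in summarize(log_text).items() if v["enforced"]]
```

Running `summarize(SAMPLE_AUDIT_LOG)` on the sample yields four groups, and `blocking_denials` returns only the svirt_lxc_net_t to docker_var_lib_t file read, which is what a local policy module generated from the whole log would paper over without fixing the underlying labeling of the overlay layers.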