Re: selinux denials when starting docker in F23

On 10/08/2015 03:06 PM, Dusty Mabe wrote:
Hey guys, anybody seen these when starting
docker-1.8.2-5.gitcb216be.fc23.x86_64:

```
Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc: denied {
read } for  pid=1513 comm="iptables" path="net:[4026531957]"
dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
```

Nevertheless, the docker daemon is up and running, but if I start a
container and then force-remove it I see:

```
Error deleting container: Error response from daemon: Cannot destroy
container
710f834e316946a422a00fb3470b895b387519ecb01a5b195cc818b9764f82a7:
Failed to set container state to RemovalInProgress: Status is already
RemovalInProgress
```

and this is in the journal:

```
Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='Unknown permission stop for class system
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='Unknown permission stop for class system
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

Also (on a separate machine - this time the f23 cloud vagrant box) - I am seeing this when I run `docker run -it --rm busybox /bin/sh`:

```
[root@f23 ~]# docker run -it --rm busybox /bin/sh
permission denied
Error response from daemon: Cannot start container 48f491260754d82c292f0d52154cb9fc45f8dede1a9bdc9adbe9a465406671e5: [8] System error: permission denied
```

and from the journal:

```
Oct 08 19:19:01 f23 audit[998]: AVC avc: denied { transition } for pid=998 comm="exe" path="/bin/sh" dev="dm-3" ino=33555457 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c581,c843 tclass=process permissive=0
```
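A small triage helper for the journal records quoted above, added here as an example (it is not from the original thread, nor Docker's or Fedora's own tooling): it parses kernel `AVC` and `USER_AVC` lines, pulls out source/target contexts, class and permissions, and maps each of the three denials in the post to a one-line hint. The sample lines are constructed copies of the ones in the post, and the hint rules are this example's own heuristics.

```python
import re

# Constructed sample records modelled on the three AVC lines quoted in the post (wrapped record joined).
SAMPLE_LOG = [
    'Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc: denied { read } for  pid=1513 '
    'comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 '
    'scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
    "Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    'Oct 08 19:19:01 f23 audit[998]: AVC avc: denied { transition } for pid=998 comm="exe" path="/bin/sh" '
    'dev="dm-3" ino=33555457 scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:system_r:svirt_lxc_net_t:s0:c581,c843 tclass=process permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$')   # kernel AVC record
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                                           # key=value / key="value"
USER_AVC_RE = re.compile(r"USER_AVC .*?subj=(?P<subj>\S+) msg='(?P<msg>[^']*)'")      # userspace object manager record

def parse_avc(line):
    """Return a dict for a kernel AVC or USER_AVC record, or None for any other journal line."""
    m = AVC_RE.search(line)
    if m:
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
        return {'kind': 'AVC', 'perms': m.group('perms').split(),
                'scontext': kv.get('scontext'), 'tcontext': kv.get('tcontext'),
                'tclass': kv.get('tclass'), 'comm': kv.get('comm'), 'path': kv.get('path'),
                'enforced': kv.get('permissive') == '0'}  # permissive=0 means the access was actually blocked
    m = USER_AVC_RE.search(line)
    if m:
        um = re.match(r'Unknown permission (\S+) for class (\S+)', m.group('msg'))
        return {'kind': 'USER_AVC', 'subj': m.group('subj'), 'msg': m.group('msg'),
                'unknown_perm': um.group(1) if um else None, 'unknown_class': um.group(2) if um else None}
    return None

def triage(rec):
    """Map a parsed record to a one-line hint (heuristics chosen for this example, not an official rule set)."""
    if rec['kind'] == 'USER_AVC' and rec['unknown_perm']:
        return f"loaded policy does not define permission '{rec['unknown_perm']}' for class '{rec['unknown_class']}'"
    if ':unlabeled_t:' in (rec.get('tcontext') or ''):
        return f"{rec['comm']} hit an unlabeled target {rec['path']} (unlabeled_t): relabel or add labeling support for that fs"
    if rec.get('tclass') == 'process' and 'transition' in rec['perms']:
        src, dst = rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2]  # type field of the context
        return f'no domain transition rule from {src} to {dst}'
    return 'unclassified: inspect with sesearch/audit2allow'

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(triage(parse_avc(line)))
```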