Re: selinux denials when starting docker in F23

On 10/09/2015 06:12 AM, Daniel J Walsh wrote:

> This looks like docker is running with the wrong context.  Make sure
> docker-selinux is installed and /usr/bin/docker has the right label.
>
> restorecon -v /usr/bin/docker
>
> If docker is still labeled bin_t, then check if docker.pp is installed:
>
> semodule -l | grep docker
>
> If you don't see docker listed, check if docker-selinux is installed:
>
> yum install docker-selinux
>
> If the docker label changes, you need to restart the docker daemon:
>
> systemctl restart docker
> ps -eZ | grep docker
>
> Should be running as docker_t.
>
> There could be a conflict between selinux-policy and docker-selinux. I
> think selinux-policy has dropped docker.pp from its list of policy
> packages, which it should do.
> docker-selinux is now supposed to ship it. But it could be that
> docker-selinux is installed and then selinux-policy gets updated and
> removes the docker.pp file.
>
> Just speculating on what could cause this.

It's odd. If I start fresh with an 'older' F23 cloud image I never see docker.pp installed:

```
[root@f23 ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-144.fc23.noarch
[root@f23 ~]# semodule -l | grep docker
[root@f23 ~]# dnf install -y docker &> /dev/null
[root@f23 ~]# rpm -q docker-selinux
docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
[root@f23 ~]# semodule -l | grep docker
[root@f23 ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20707376 Sep 21 20:21 /usr/bin/docker
[root@f23 ~]# dnf update selinux-policy-targeted -y &> /dev/null
[root@f23 ~]# semodule -l | grep docker
[root@f23 ~]#
```

If I start with a slightly newer F23 cloud image I see:

```
[root@footest ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-147.fc23.noarch
[root@footest ~]# semodule -l | grep docker
[root@footest ~]# dnf install -y docker &> /dev/null
[root@footest ~]# rpm -q docker-selinux
docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
[root@footest ~]# semodule -l | grep docker
docker
[root@footest ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:docker_exec_t:s0 20707376 Sep 21 20:21 /usr/bin/docker
[root@footest ~]# dnf update selinux-policy-targeted -y
Last metadata expiration check performed 0:04:49 ago on Fri Oct 9 15:40:48 2015.
Dependencies resolved.
Nothing to do.
Complete!
```

So... Is there a bug here? Seems like it.

Dusty
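The checks Dan lists (policy module loaded, /usr/bin/docker labeled docker_exec_t, daemon running as docker_t) wrapped into one script. This is an added example and not code from either message; the `ls -Z` and `ps -eZ` sample output it parses is constructed, and the helper and message names are ours. It runs the live check only where `semodule` exists, so the sample-driven part works anywhere.

```shell
#!/bin/sh
# Added example (not from either message on this page): a small checker for
# the labels Dan describes. The policy module must be loaded, /usr/bin/docker
# must carry docker_exec_t, and the daemon must then run as docker_t. The
# parsing helpers take command output as a string so they can be exercised
# on the constructed samples below without SELinux tooling present.

# The SELinux type is the third colon-separated field of user:role:type:level.
# Given one line of `ls -Z` output, print the type from the file's context.
file_label_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3) { print c[3]; exit }
    }'
}

# Given `ps -eZ` output, print the type the docker daemon process runs as
# (the command name is the last field; the context is the first).
daemon_type() {
    printf '%s\n' "$1" | awk '$NF == "docker" { split($1, c, ":"); print c[3]; exit }'
}

# Compare observed state with what docker-selinux should give and say what
# to do next. Arguments: file type, daemon type, module loaded ("yes"/"no").
# Returns 0 only when everything matches.
diagnose() {
    file_type=$1 proc_type=${2:-none} module=$3
    if [ "$module" != yes ]; then
        echo "no docker policy module: dnf install docker-selinux, then restorecon -v /usr/bin/docker"
        return 1
    elif [ "$file_type" != docker_exec_t ]; then
        echo "/usr/bin/docker is $file_type, expected docker_exec_t: restorecon -v /usr/bin/docker"
        return 1
    elif [ "$proc_type" != docker_t ]; then
        echo "daemon runs as $proc_type, expected docker_t: systemctl restart docker"
        return 1
    fi
    echo "ok: docker_exec_t on disk, docker_t at runtime"
}

# Constructed sample output (not captured from a real host). With the binary
# left as bin_t there is no domain transition, so the daemon inherits init_t.
SAMPLE_LS='-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20707376 Sep 21 20:21 /usr/bin/docker'
SAMPLE_PS='LABEL                             PID TTY      TIME     CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:init_t:s0       712 ?        00:00:01 docker
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1490 pts/0 00:00:00 bash'

# Run against the samples (module loaded, but the binary was never relabeled).
diagnose "$(file_label_type "$SAMPLE_LS")" "$(daemon_type "$SAMPLE_PS")" yes \
    || echo "exit status $?"

# Live check on a host that has the tools; skipped everywhere else.
if command -v semodule >/dev/null 2>&1 && [ -e /usr/bin/docker ]; then
    mod=no
    semodule -l | grep -q '^docker' && mod=yes
    diagnose "$(file_label_type "$(ls -Z /usr/bin/docker)")" \
             "$(daemon_type "$(ps -eZ)")" "$mod" || echo "exit status $?"
fi
```

The order of the checks matters: without the module loaded the docker_exec_t and docker_t types do not exist, so restorecon cannot apply them and a restart changes nothing, which is why the script reports the module first.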

_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct