On 10/10/2015 09:09 AM, Dusty Mabe wrote:
>
> On 10/10/2015 08:02 AM, Daniel J Walsh wrote:
>>
>> On 10/09/2015 01:07 PM, Bruno Wolff III wrote:
>>> On Fri, Oct 09, 2015 at 12:43:52 -0400,
>>> Dusty Mabe <dusty@xxxxxxxxxxxxx> wrote:
>>>>
>>>> On 10/08/2015 03:06 PM, Dusty Mabe wrote:
>>>>> and this is in the journal:
>>>>>
>>>>> ```
>>>>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>>>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>>>> msg='Unknown permission stop for class system
>>>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
>>>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>>>> msg='Unknown permission stop for class system
>>>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>> ```
>>>> Any comments on the USER_AVC statements? Even if I have docker.pp I
>>>> still see these.
>>> I got something similar running getmail from cron. I asked about it on
>>> the selinux list but didn't get any suggestions on how to make a rule
>>> to allow this (audit2allow doesn't seem to handle this avc.)
>>> _______________________________________________
>>> cloud mailing list
>>> cloud@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/cloud
>>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>> If you systemctl daemon-reexec does the problem go away?
>
> No, I still see them. I did a reexec and then started and stopped a
> container. The `USER_AVC` messages get spit out to the journal on both
> start and stop.
>
> ```
> [root@footest ~]# journalctl -f | grep USER_AVC &
> [1] 11388
> [root@footest ~]# docker run -it --rm busybox /bin/sh
> Oct 10 13:08:16 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
> permission start for class system exe="/usr/lib/systemd/systemd"
> sauid=0 hostname=? addr=? terminal=?'
> / #
> / # exit
> Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
> permission stop for class system exe="/usr/lib/systemd/systemd"
> sauid=0 hostname=? addr=? terminal=?'
> Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown
> permission stop for class system exe="/usr/lib/systemd/systemd"
> sauid=0 hostname=? addr=? terminal=?'
> ```

So this means that selinux policy does not define a start call for the system class. Meaning this is either a bug in systemd (systemd is asking for a start access on system when it should be asking for it on a service), or selinux-policy needs to add a start permission for system.

I am thinking this is probably a problem with systemd. Adding Miroslav to see if he knows.
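As an added example (not code from anyone in this thread), the following script pulls the "Unknown permission X for class Y" records out of journal text like the one above and cross-checks them against the permissions a policy defines for that class, which is what distinguishes a missing allow rule (audit2allow territory) from a permission the policy does not know at all (as here). The `system` permission set and the journal lines are constructed samples; on a live host the kernel's view of a class can be read from `/sys/fs/selinux/class/<class>/perms/`, which the helper below does when selinuxfs is present.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed sample: the records from the thread above, one record per line
# (the mail client wrapped them), plus an unrelated line that must be ignored.
SAMPLE_JOURNAL = """\
Oct 10 13:08:16 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 10 13:08:20 footest dockerd[900]: unrelated log line that must be ignored
Oct 10 13:08:23 footest audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

USER_AVC_RE = re.compile(
    r"USER_AVC .*?subj=(?P<subj>\S+) .*?msg='Unknown permission (?P<perm>\S+) for class (?P<cls>\S+)"
)


def parse_unknown_permissions(text: str) -> list[dict]:
    """One finding per USER_AVC record that names a permission the loaded
    policy does not define: requesting domain, object class and permission."""
    findings = []
    for line in text.splitlines():
        m = USER_AVC_RE.search(line)
        if m:
            findings.append({"subj": m["subj"], "class": m["cls"], "perm": m["perm"]})
    return findings


def loaded_policy_perms(cls: str, selinuxfs: str = "/sys/fs/selinux") -> Optional[set[str]]:
    """Permissions the running kernel knows for `cls`, read from selinuxfs
    (one directory entry per permission). None when selinuxfs is absent."""
    perms_dir = Path(selinuxfs) / "class" / cls / "perms"
    if not perms_dir.is_dir():
        return None
    return {p.name for p in perms_dir.iterdir()}


def missing_permissions(findings: list[dict], policy_perms: dict[str, set[str]]) -> list[tuple[str, str]]:
    """(class, perm) pairs the given policy really lacks, deduplicated in first-seen order."""
    missing: list[tuple[str, str]] = []
    for f in findings:
        pair = (f["class"], f["perm"])
        if f["perm"] not in policy_perms.get(f["class"], set()) and pair not in missing:
            missing.append(pair)
    return missing


# Constructed stand-in for a policy whose `system` class lacks start/stop
# (not the real Fedora policy); on a live host use loaded_policy_perms("system").
CONSTRUCTED_POLICY = {"system": {"ipc_info", "syslog_read", "syslog_mod", "module_request"}}

if __name__ == "__main__":
    for cls, perm in missing_permissions(parse_unknown_permissions(SAMPLE_JOURNAL), CONSTRUCTED_POLICY):
        print(f"policy defines no '{perm}' permission on class '{cls}'; "
              "an allow rule cannot be written until the policy declares it")
```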