This is a leaked key from cron into the container. I have no idea
how the crond keyring got into the container. Did you somehow
restart docker via crond?
On 06/17/2015 08:46 AM, Laurent Rineau
wrote:
I have a container whose entrypoint uses 'su' to drop its privileges. The run of the container triggers an AVC, but the container seems to run normally.
That is on a server, and the SELinux Troubleshooter sends me emails (see the attachment).
Two questions:
1/ Is there a way to report bugs to Bugzilla using the command line sealert tool (or another command line tool), like what we can do using the GUI?
2/ What should I do to fix that issue, if that is one?
I copy-paste here the AVC (the attached email have more information):
type=AVC msg=audit(1434542552.136:6332403): avc: denied { search } for pid=11266 comm="su" scontext=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1434542552.136:6332403): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=fffffffd a2=0 a3=7f7c50a132f0 items=0 ppid=11065 pid=11266 auid=4294967295 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=su exe=/usr/bin/su subj=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 key=(null)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
|
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
