On Thursday 18 June 2015 09:50:18 Laurent Rineau wrote:
> On Wednesday 17 June 2015 17:46:16 Daniel J Walsh wrote:
> > This is a leaked key from cron into the container. I have no idea how
> > the crond keyring got into the container. Did you somehow restart
> > docker via crond?
> >
> > I do not understand how crond_t got involved.

I am able to reproduce it on two different machines (Fedora 20 and CentOS 7, both x86_64), with:

    docker run --rm fedora bash -x -c 'useradd -u 1000 -d /home/toto toto; su toto -c "date"'

What is really strange is that the "1000" has to be the id of a user that is logged on the machine (whom we can see in `who`). I have tried to run that command with different users: root, me (500 or 1000), and two other users (1003 and 1005), using different user ids in the command. That is reproducible.

So, even if docker enforces a separation of namespaces for user ids, there must be side effects. I imagine that those "keys" are related to user sessions, and that the Linux kernel leaks those keys between cgroups.

The CentOS machine uses:

    docker-1.5.0-28.el7.centos.x86_64
    docker-selinux-1.6.0-11.0.1.el7.centos.x86_64

The Fedora machine uses:

    docker-io-1.5.0-1.fc20.x86_64
    selinux-policy-targeted-3.12.1-197.fc20.noarch

I hope it can help...

-- 
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
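A defender-side check for the situation described in the thread above, added here as an example and not code from the mail or from the docker or SELinux projects. The script parses the kernel's /proc/keys listing (serial, flags, usage, timeout, perm, uid, gid, type, description) and reports the keyrings that a container can share with the host: per-uid keyrings (_uid.N, _uid_ses.N) are looked up by numeric kernel uid, so without uid remapping a container user with the same number as a logged-in host user reaches the same object, and session keyrings (_ses) owned by a uid that no process in the container runs as could not have been created inside it. The /proc/keys sample is constructed for the example; the function names and the uid set passed to them are assumptions of this script, not names from the thread.

```python
#!/usr/bin/env python3
"""Audit which kernel keyrings are visible from inside a container.

Added example for this mailing-list thread; not code from the original
mail or from the docker/SELinux projects. Run it inside the container
after the `su` step and compare with a run on the host: every keyring it
reports is reachable by host processes running as the same numeric uid.
"""
import glob
import os
import re
from dataclasses import dataclass

# Constructed sample in /proc/keys format (not captured from the thread).
# Columns: serial flags usage timeout perm uid gid type description
SAMPLE_PROC_KEYS = """\
2a1b3c4d I--Q---     1 perm 1f3f0000     0     0 keyring   _ses: 1
0f0e0d0c I--Q---     4 perm 3f030000  1000  1000 keyring   _uid.1000: 2
1a2b3c4d I--Q---     2 perm 3f030000  1000  1000 keyring   _uid_ses.1000: 1
3c3c3c3c I--Q---     1 perm 3f030000  1000  1000 keyring   _ses: 2
5e5e5e5e I------     1 perm 3f010000  1000  1000 user      invocation_id
"""


@dataclass
class KeyEntry:
    serial: str
    flags: str
    uid: int
    gid: int
    ktype: str
    description: str


def parse_proc_keys(text):
    """Parse /proc/keys text into KeyEntry records (blank/short lines skipped)."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # description may itself contain spaces
        if len(parts) < 9:
            continue
        serial, flags, _usage, _timeout, _perm, uid, gid, ktype, desc = parts
        entries.append(KeyEntry(serial, flags, int(uid), int(gid), ktype, desc))
    return entries


# Per-uid keyrings carry the numeric uid in their description.
_PER_UID = re.compile(r"^_uid(_ses)?\.(\d+):")


def shared_keyrings(entries, container_uids):
    """Return keyrings that are candidates for host/container sharing.

    - _uid.N / _uid_ses.N: always reported; they are looked up by numeric uid,
      so any host process with uid N reaches the same keyring.
    - _ses: reported when its owner uid is not one the container runs as,
      since no process inside the container could have created it.
    """
    found = []
    for e in entries:
        if e.ktype != "keyring":
            continue
        if _PER_UID.match(e.description):
            found.append(e)
        elif e.description.startswith("_ses") and e.uid not in container_uids:
            found.append(e)
    return found


def live_uids():
    """Collect the real uids of all processes visible in /proc (container view)."""
    uids = {os.getuid()}
    for status in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(status) as fh:
                for line in fh:
                    if line.startswith("Uid:"):
                        uids.add(int(line.split()[1]))  # real uid
                        break
        except OSError:
            continue  # process exited while we were reading
    return uids


def main():
    with open("/proc/keys") as fh:
        entries = parse_proc_keys(fh.read())
    for e in shared_keyrings(entries, live_uids()):
        print(f"{e.serial} uid={e.uid} {e.ktype} {e.description}")


if __name__ == "__main__":
    main()
```

On a freshly started container, an empty report is the expected state; per-uid keyrings for a uid the container only created via `useradd` indicate that the kernel resolved that uid to an object the host already held, which is the overlap the thread observes. Running the audit before and after the `su` step shows exactly which keyrings `su` attached.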