Re: 'su' in a Docker container -> AVC

On 06/18/2015 05:54 AM, Laurent Rineau wrote:
> On Thursday 18 June 2015 09:50:18 Laurent Rineau wrote:
>> On Wednesday 17 June 2015 17:46:16 Daniel J Walsh wrote:
>>> This is a leaked key from cron into the container.  I have no idea how
>>> the crond keyring got into the container.  Did you somehow restart
>>> docker via crond?
>> I do not understand how crond_t got involved.
>
> I am able to reproduce it on two different machines (Fedora 20 and CentOS 7, both x86_64), with:
>
>   docker run --rm fedora bash -x -c 'useradd -u 1000 -d /home/toto toto; su toto -c "date"'
>
> What is really strange is that the "1000" has to be the id of a user that is logged on the machine (who we can see in `who`). I have tried to run that command with different users: root, me (500 or 1000), and two other users (1003 and 1005), using different user ids in the command. That is reproducible.
>
> So, even if docker enforces a separation of namespaces for user ids, there must be side effects. I imagine that those "keys" are related to user sessions, and that the Linux kernel leaks those keys between cgroups.
>
>
> The CentOS machine uses:
>   docker-1.5.0-28.el7.centos.x86_64
>   docker-selinux-1.6.0-11.0.1.el7.centos.x86_64
>
> The Fedora machine uses:
>   docker-io-1.5.0-1.fc20.x86_64
>   selinux-policy-targeted-3.12.1-197.fc20.noarch
>
>
> I hope it can help...
>
Actually this is a known problem with kernel keyrings not being
namespace aware.  Since the crond process created the keyring, root
processes within the container are trying to use it and SELinux is
blocking the access. We should probably just dontaudit access to the
kernel keyring until we can get a keyring that works with namespaces.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
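Added example, not part of the thread and not from the docker or selinux-policy projects: a small POSIX shell check that reads /proc/keys (the same view the kernel exposes inside the container, since keyrings are not namespaced) and lists the keyrings owned by a given uid, so an administrator can see whether a host user's keyrings are visible to a container started the way Laurent describes. The sample /proc/keys text is constructed for offline use; its serials and descriptions are made up. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check which keyrings owned by a given
# uid are visible by reading /proc/keys, whose columns are:
#   serial flags usage timeout perm uid gid type description

# Constructed sample of /proc/keys output so the check runs offline; the
# serials and descriptions are invented, not captured from a real host.
SAMPLE_KEYS='00000001 I------     1 perm 1f3f0000     0     0 keyring   .user_reg: 1/4
1a2b3c4d I--Q---     3 perm 3f030000  1000  1000 keyring   _ses: 1
2b3c4d5e I--Q---     1 perm 3f030000  1000  1000 keyring   _uid.1000: empty
3c4d5e6f I------     1 perm 3f010000     0     0 user      invocation_id: 16'

# keyrings_for_uid UID [TEXT]: print "serial description" for every keyring
# owned by UID. TEXT defaults to the caller's live /proc/keys.
keyrings_for_uid() {
    uid=$1
    if [ $# -ge 2 ]; then text=$2; else text=$(cat /proc/keys); fi
    printf '%s\n' "$text" | awk -v uid="$uid" '
        $6 == uid && $8 == "keyring" {
            # the description may contain spaces, so rejoin fields 9..NF
            desc = $9
            for (i = 10; i <= NF; i++) desc = desc " " $i
            print $1, desc
        }'
}

# count_keyrings_for_uid UID [TEXT]: number of keyrings owned by UID.
count_keyrings_for_uid() {
    keyrings_for_uid "$@" | wc -l | tr -d ' '
}

# Run inside a container that maps a container user to the host uid in
# question (uid 1000 in the thread), then compare with the same listing
# on the host: entries that match host-side serials were created outside
# the container (by crond, for instance) and are merely visible to it.
#   keyrings_for_uid 1000
```

Because keyring serials are global, the serial column is what lets you tell a keyring created by a host process from one the container's own `su` created: the same serial appearing in both listings is the leaked object. `keyctl show` from keyutils gives the interactive equivalent for the calling process's own keyrings.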