On 05/17/2015 02:14 AM, Igor Gnatenko wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1221911
>
> On Sun, May 17, 2015 at 1:59 AM, Antonio Insuasti Recalde
> <antonio@xxxxxxxxxxx> wrote:
>> Hi folks,
>>
>> I don't know if this is a bug, but when I start a container or execute
>> some command inside of container SELinux shows this error:
>>
>> May 16 13:01:44 f22TC4.insuasti.ec setroubleshoot[29992]: SELinux is
>> preventing bash from 'read, write' accesses on the chr_file
>> /dev/pts/1. For complete SELinux messages. run sealert -l
>> 12910614-818d-4051-a03b-85f2851fd055
>> May 16 13:01:44 f22TC4.insuasti.ec python[29992]: SELinux is
>> preventing bash from 'read, write' accesses on the chr_file
>> /dev/pts/1.
>>
>> ***** Plugin catchall (100. confidence) suggests **************************
>>
>> If you believe that bash should be allowed read write access on the 1
>> chr_file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep bash /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>>
>> This is the output of sealert
>>
>> [root@f22TC4 ~]# sealert -l 12910614-818d-4051-a03b-85f2851fd055
>> SELinux is preventing bash from 'read, write' accesses on the chr_file
>> /dev/pts/1.
>>
>> ***** Plugin catchall (100. confidence) suggests **************************
>>
>> If you believe that bash should be allowed read write access on the 1
>> chr_file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep bash /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>> Additional Information:
>> Source Context                system_u:system_r:svirt_lxc_net_t:s0:c661,c803
>> Target Context                system_u:object_r:docker_devpts_t:s0
>> Target Objects                /dev/pts/1 [ chr_file ]
>> Source                        bash
>> Source Path                   bash
>> Port                          <Unknown>
>> Host                          f22TC4.insuasti.ec
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Host Name                     f22TC4.insuasti.ec
>> Platform                      Linux f22TC4.insuasti.ec 4.0.2-300.fc22.x86_64 #1
>>                               SMP Thu May 7 16:05:02 UTC 2015 x86_64 x86_64
>> Alert Count                   6
>> First Seen                    2015-05-16 12:53:19 ECT
>> Last Seen                     2015-05-16 13:01:43 ECT
>> Local ID                      12910614-818d-4051-a03b-85f2851fd055
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1431799303.910:1222): avc: denied { read write }
>> for pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4
>> scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803
>> tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file
>> permissive=0
>>
>>
>> Hash: bash,svirt_lxc_net_t,docker_devpts_t,chr_file,read,write
>>
>> This is the command I did run
>> # docker exec -t -i deamon_dave /bin/bash
>>
>> I'm using Fedora 22 TC 4 with docker docker-1.6.0-3.git9d26a07.fc22.x86_64
>>
>> Thanks for help
>>
>>
>> --
>> Antonio Insuasti R.
>> --
>> test mailing list
>> test@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe:
>> https://admin.fedoraproject.org/mailman/listinfo/test
>
>

This bug is unrelated to the original report. The current docker policy
fixes this. Please open a bugzilla on this for F22 and we will see if we
can get the fix backported to F22.
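Added example, not part of the thread and not code from the posters or from the SELinux tools: a way to see which allow rules the `grep bash ... | audit2allow` hint in the quoted sealert output would put into a local module before loading it. The function names `parse_avc` and `rules_for` are hypothetical, the second log record is constructed, and the rule text approximates what audit2allow derives from the same fields.

```python
import re
from collections import defaultdict

# First record is the raw AVC from the report above; the second is a
# constructed, unrelated denial that "grep bash" would also match.
AUDIT_LOG = [
    'type=AVC msg=audit(1431799303.910:1222): avc: denied { read write } '
    'for pid=29986 comm="bash" path="/dev/pts/1" dev="devpts" ino=4 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c661,c803 '
    'tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1431799400.000:1300): avc: denied { getattr } '
    'for pid=30100 comm="bash" path="/etc/example.conf" dev="dm-0" ino=99 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q or b for k, q, b in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type:level; only the type enters an allow
        # rule, so the MCS categories (c661,c803) are not part of the grant.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        return stype, ttype, fields['tclass'], set(m.group(1).split())
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def rules_for(lines, comm_filter):
    """Approximate the rules a 'grep <comm_filter> | audit2allow' run would emit."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line) if comm_filter in line else None
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )

if __name__ == '__main__':
    for rule in rules_for(AUDIT_LOG, 'bash'):
        print(rule)
```

The output shows that the grep pulls every denial mentioning bash into the module, and that each rule applies to all processes of the source type, not only the one container that hit the denial.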