[TriLUG] Docker and SELinux Woes?
Jack Hill via TriLUG
trilug at trilug.org
Fri Mar 27 13:39:29 EDT 2015
Hi all,
After taking some package upgrades and rebooting my workstation last
night, I've noticed a curious problem (I also see a very similar one on our
central-IT managed docker hosts, but am not as sure when that started)
that appears to be SELinux related. My workstation is ScientificLinux 7
and the central-IT managed machines are RHEL 7.
The symptom is that processes in containers can't read their /etc/hosts.
The relevant audit log line is:
type=AVC msg=audit(1427464443.327:57991): avc: denied { read } for
pid=7329 comm="resolveip" name="hosts" dev="dm-0" ino=2885652
scontext=system_u:system_r:svirt_lxc_net_t:s0:c816,c956
tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file
I think that this is the relevant bit of policy:
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
Notice that docker_var_lib_t is not mentioned here. That does, however,
appear to be the correct label for the file according to
/etc/selinux/modules/active/file_contexts. Is the policy wrong or is the
file mislabeled or am I on the wrong track?
Thanks,
Jack
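As an added example (not part of Jack's post), a small Python checker that parses an AVC denial like the one quoted above and compares the denied target's type against the types listed in the quoted sandbox context entries, so a label the sandbox policy never mentions (here docker_var_lib_t versus the expected svirt_sandbox_file_t) stands out before anyone reaches for new policy. The audit line and the context entries are constructed copies of what the post shows; the function names are my own.

```python
import re
# Constructed sample AVC denial, modelled on the one quoted in the post.
SAMPLE_AVC = (
    'type=AVC msg=audit(1427464443.327:57991): avc: denied { read } for pid=7329 '
    'comm="resolveip" name="hosts" dev="dm-0" ino=2885652 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c816,c956 '
    'tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file'
)
# Constructed copy of the sandbox context entries quoted in the post.
SAMPLE_CONTEXTS = """\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
"""
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC denial into its denied permissions and key=value fields."""
    m = PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """user:role:type[:level] -> type, the field type-enforcement rules use."""
    return context.split(":")[2]

def parse_contexts(text):
    """Map each key of the sandbox contexts file to the SELinux type it names."""
    types = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"([^"]+)"', line)
        if m:
            types[m.group(1)] = selinux_type(m.group(2))
    return types

def diagnose(avc_line, contexts_text):
    """Summarise a denial and flag a target type that the sandbox contexts never
    mention; such a file is worth checking for mislabelling before editing policy."""
    avc, known = parse_avc(avc_line), parse_contexts(contexts_text)
    target = selinux_type(avc["tcontext"])
    return {"perms": avc["perms"], "tclass": avc["tclass"], "name": avc.get("name"),
            "source_type": selinux_type(avc["scontext"]), "target_type": target,
            "expected_file_type": known.get("file"),
            "target_in_sandbox_policy": target in known.values()}
```

Run `diagnose(SAMPLE_AVC, SAMPLE_CONTEXTS)` to see the denied file reported with target type docker_var_lib_t, expected file type svirt_sandbox_file_t and `target_in_sandbox_policy` False.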