View Issue Details

IDProjectCategoryView StatusLast Update
0017580CentOS-7selinux-policypublic2020-07-09 13:26
Reporterslow33 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0017580: SELinux is preventing /usr/bin/docker from 'entrypoint' accesses on the file /usr/bin/docker.
DescriptionDescription of problem:
SELinux is preventing /usr/bin/docker from 'entrypoint' accesses on the file /usr/bin/docker.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that docker should be allowed entrypoint access on the docker file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'docker' --raw | audit2allow -M my-docker
# semodule -i my-docker.pp

Additional Information:
Source Context unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
Target Context system_u:object_r:container_runtime_exec_t:s0
Target Objects /usr/bin/docker [ file ]
Source docker
Source Path /usr/bin/docker
Port <Unknown>
Host (removed)
Source RPM Packages docker-ce-cli-19.03.12-3.el7.x86_64
Target RPM Packages docker-ce-cli-19.03.12-3.el7.x86_64
Policy RPM selinux-policy-3.13.1-266.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 3.10.0-1127.el7.x86_64 #1 SMP Tue
                              Mar 31 23:36:51 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-07-08 17:36:47 KST
Last Seen 2020-07-08 17:36:47 KST
Local ID 3b5955f4-89f7-40b6-b550-2bbbd56f2155

Raw Audit Messages
type=AVC msg=audit(1594197407.242:5296): avc: denied { entrypoint } for pid=8244 comm="sh" path="/usr/bin/docker" dev="dm-0" ino=549516 scontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1594197407.242:5296): arch=x86_64 syscall=execve success=yes exit=0 a0=1152e60 a1=1160060 a2=11558c0 a3=7fff6335efe0 items=0 ppid=8243 pid=8244 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=15 comm=docker exe=/usr/bin/docker subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)

Hash: docker,rpm_script_t,container_runtime_exec_t,file,entrypoint

Version-Release number of selected component:
selinux-policy-3.13.1-266.el7.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1127.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hash60698c886e0604141ebe930330980f52acf5eae84b99eef00560787674b4f7db
URL

Activities

ManuelWolfshant

ManuelWolfshant

2020-07-09 13:26

manager   ~0037345

AFAICS you are not using the docker packages shipped by CentOS but the community edition. Due to this there are exactly 2 things that can be done to move forward ( which do not exclude one another ) :
- do what the setroubleshoot plugin says:create and load a custom selinux policy
- submita request to Redhat via bugzilla.redhat.com to extend the selinux-policy package and add the requirements of docker-ce. If/when RH accepts it and incorporates it into RHEL and releases a patched version, CentOS will pick it up automatically.

Issue History

Date Modified Username Field Change
2020-07-09 01:30 slow33 New Issue
2020-07-09 13:26 ManuelWolfshant Note Added: 0037345