This repository was archived by the owner on Oct 16, 2020. It is now read-only.
Core 884.0.0 - Enabling SELinux prevents Docker containers from running #1015
Closed
Description
When starting a new instance with this cloud-config:

```yaml
#cloud-config
coreos:
  update:
    reboot-strategy: "off"
  units:
    - name: setup-selinux.service
      command: start
      enable: true
      content: |
        [Unit]
        Description=Enable SELinux
        ConditionPathExists=!/var/lib/selinux-has-been-setup
        Before=early-docker.service
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/opt/bin/setup-selinux
        ExecStartPost=/usr/bin/touch /var/lib/selinux-has-been-setup
write_files:
  - path: /opt/bin/setup-selinux
    permissions: 0744
    owner: root
    content: |
      #!/usr/bin/env bash
      set -ex
      rm /etc/audit/rules.d/80-selinux.rules
      rm /etc/audit/rules.d/99-default.rules
      rm /etc/selinux/mcs
      cp -a /usr/lib/selinux/mcs /etc/selinux
      rm /var/lib/selinux
      cp -a /usr/lib/selinux/policy /var/lib/selinux
      semodule -DB
      systemctl restart audit-rules
      cp --remove-destination $(readlink -f /etc/selinux/config) /etc/selinux/config
      sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
      setenforce 1
manage_etc_hosts: localhost
```
Running a simple Docker container fails:
```
$ docker run -ti --rm busybox
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
039b63dd2cba: Pull complete
c51f86c28340: Pull complete
Digest: sha256:eb3c0d4680f9213ee5f348ea6d39489a1f85a318a2ae09e012c426f78252a6d2
Status: Downloaded newer image for busybox:latest
Error response from daemon: Cannot start container 981a3ab0ba9925608a3e083bca37691e2b8154a8adb7412afbebcf051abebc2c: [8] System error: permission denied
```
And produces the following AVC messages:
```
audit[922]: AVC avc: denied { entrypoint } for pid=922 comm="exe" path="/bin/sh" dev="overlay" ino=17490 scontext=system_u:system_r:svirt_lxc_net_t:s0:c551,c767 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
kernel: audit: type=1400 audit(1449218666.592:154): avc: denied { entrypoint } for pid=922 comm="exe" path="/bin/sh" dev="overlay" ino=17490 scontext=system_u:system_r:svirt_lxc_net_t:s0:c551,c767 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
audit[828]: AVC avc: denied { relabelfrom } for pid=828 comm="docker" name="resolv.conf" dev="vda9" ino=290 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c551,c767 tclass=file permissive=0
audit[828]: AVC avc: denied { relabelfrom } for pid=828 comm="docker" name="hostname" dev="vda9" ino=287 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c551,c767 tclass=file permissive=0
audit[828]: AVC avc: denied { relabelfrom } for pid=828 comm="docker" name="hosts" dev="vda9" ino=286 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c551,c767 tclass=file permissive=0
audit[828]: AVC avc: denied { relabelfrom } for pid=828 comm="docker" name="resolv.conf" dev="vda9" ino=290 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c551,c767 tclass=file permissive=0
audit[828]: AVC avc: denied { relabelfrom } for pid=828 comm="docker" name="hostname" dev="vda9" ino=287 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c551,c767 tclass=file permissive=0
audit[828]: AVC avc: denied { relabelfrom } for pid=828 comm="docker" name="hosts" dev="vda9" ino=286 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c551,c767 tclass=file permissive=0
```
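To make denials like these easier to triage across many hosts, here is an added example (not part of this issue or of CoreOS) that parses AVC lines of the form shown above, reduces them to distinct (source type, permission, target type, class) tuples, and describes the two patterns in this report; the embedded sample lines are copied from the log above.

```python
import re
from collections import Counter

# Constructed sample: two of the AVC lines quoted in the issue report.
SAMPLE_AVC = """\
audit[922]: AVC avc: denied { entrypoint } for pid=922 comm="exe" path="/bin/sh" dev="overlay" ino=17490 scontext=system_u:system_r:svirt_lxc_net_t:s0:c551,c767 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
audit[828]: AVC avc: denied { relabelfrom } for pid=828 comm="docker" name="resolv.conf" dev="vda9" ino=290 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c551,c767 tclass=file permissive=0
"""

# "avc: denied { perm [perm ...] } for key=value ..." as emitted by the kernel.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; policy rules are keyed on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Count distinct (source type, permission, target type, class) tuples."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['stype'], perm, rec['ttype'], rec['tclass'])] += 1
    return counts

def describe(rec):
    """Plain-language description of the two denial patterns seen in this report."""
    if 'entrypoint' in rec['perms'] and rec.get('dev') == 'overlay':
        return ('container domain %s denied entrypoint on %s, which is labelled %s '
                'instead of a container file type' % (rec['stype'], rec['path'], rec['ttype']))
    if 'relabelfrom' in rec['perms'] and rec.get('comm') == 'docker':
        return ('%s in domain %s denied relabelfrom on %s (current label %s)'
                % (rec['comm'], rec['stype'], rec['name'], rec['ttype']))
    return 'unclassified denial: %s on %s' % (' '.join(rec['perms']), rec['tclass'])
```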