Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix AVC denial fordocker run --init #1085

Merged
merged 1 commit into from
Sep 1, 2020
Merged

fix AVC denial fordocker run --init #1085

merged 1 commit into from
Sep 1, 2020

Conversation

bcressey
Copy link
Contributor

Issue number:
Closes #1082

Description of changes:
docker-init has the runtime_exec_t label, rather than one of the labels that signify local content, but it's still a valid entrypoint to the container domains.

Testing done:

# docker run -it --init --rm debian
...
root@6644230d2e95:/# ls -l /proc/1/exe
lrwxrwxrwx. 1 root root 0 Aug 27 17:32 /proc/1/exe -> /sbin/docker-init

root@6644230d2e95:/# ls -lZ /sbin/docker-init
-rwxr-xr-x. 1 root root system_u:object_r:runtime_exec_t:s0 589280 Aug 24 17:23 /sbin/docker-init

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
selinux-policy: allow docker-init transition
b084fe8 
`docker-init` has the `runtime_exec_t` label, rather than one of the
labels that signify local content, but it's still a valid entrypoint
to the container domains.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey bcressey requested review from tjkirch and samuelkarp August 27, 2020 17:38
webern
webern reviewed Aug 27, 2020
View reviewed changes
Copy link
Contributor

@webern webern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤓

@bcressey bcressey merged commit 14d606f into bottlerocket-os:develop Sep 1, 2020
@bcressey bcressey deleted the docker-init branch September 1, 2020 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webern webern webern approved these changes

@samuelkarp samuelkarp samuelkarp approved these changes

@tjkirch tjkirch tjkirch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AVC denials when running docker run --init
4 participants
@bcressey @tjkirch @samuelkarp @webern