moby: unable to modify permissions of /dev/stdout without tty
Description
Permission denied error when attempting to chmod /dev/stdout without passing -t to docker run. SELinux is enabled and enforcing.
Steps to reproduce the issue:
- Enable selinux on daemon
- Set to enforcing mode
- Run docker run -i fedora chmod +r /dev/stdout
Describe the results you received:
chmod: changing permissions of ‘/dev/stdout’: Permission denied. AVC denied errors (see below).
Describe the results you expected:
The command/container to be run without permissions error.
Additional information you deem important (e.g. issue happens only occasionally):
Container Linux 1235.9.0
$ cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1235.9.0
VERSION_ID=1235.9.0
BUILD_ID=2017-02-02-0235
PRETTY_NAME="Container Linux by CoreOS 1235.9.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"
$ docker version
Client:
Version: 1.12.6
API version: 1.24
Go version: go1.6.3
Git commit: d5236f0
Built: Thu Feb 2 02:27:34 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Go version: go1.6.3
Git commit: d5236f0
Built: Thu Feb 2 02:27:34 2017
OS/Arch: linux/amd64
# /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=containerd.service docker.socket early-docker.target network.target
Requires=containerd.service docker.socket early-docker.target
[Service]
Type=notify
EnvironmentFile=-/run/flannel/flannel_docker_opts.env
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/lib/coreos/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock --selinux-enabled --userns-remap=docker $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
[Install]
WantedBy=multi-user.target
$ getenforce
Enforcing
$ docker run -i fedora chmod +r /dev/stdout
chmod: changing permissions of '/dev/stdout': Permission denied
$ docker run -it fedora chmod +r /dev/stdout
$ dmesg | grep avc
[ 2331.370824] audit: type=1400 audit(1487292483.922:92): avc: denied { setattr } for pid=1922 comm="chmod" name="" dev="pipefs" ino=22235 scontext=system_u:system_r:svirt_lxc_net_t:s0:c393,c530 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0
Fedora 25
# cat /etc/os-release
NAME=Fedora
VERSION="25 (Atomic Host)"
ID=fedora
VERSION_ID=25
PRETTY_NAME="Fedora 25 (Atomic Host)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:25"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=25
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=25
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Atomic Host"
VARIANT_ID=atomic.host
# docker version
Client:
Version: 1.12.6
API version: 1.24
Package version: docker-common-1.12.6-5.git037a2f5.fc25.x86_64
Go version: go1.7.4
Git commit: 037a2f5/1.12.6
Built: Wed Jan 18 12:11:29 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Package version: docker-common-1.12.6-5.git037a2f5.fc25.x86_64
Go version: go1.7.4
Git commit: 037a2f5/1.12.6
Built: Wed Jan 18 12:11:29 2017
OS/Arch: linux/amd64
# systemctl cat docker
# /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker-containerd.service
Wants=docker-storage-setup.service
Requires=docker-containerd.service
[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
ExecStart=/usr/bin/dockerd-current \
--add-runtime oci=/usr/libexec/docker/docker-runc-current \
--default-runtime=oci \
--selinux-enabled \
--containerd /run/containerd.sock \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
$OPTIONS \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$ADD_REGISTRY \
$BLOCK_REGISTRY \
$INSECURE_REGISTRY
ExecReload=/bin/kill -s HUP $MAINPID
TasksMax=8192
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
[Install]
WantedBy=multi-user.target
# /usr/lib/systemd/system/docker.service.d/flannel.conf
[Service]
EnvironmentFile=-/run/flannel/docker
# getenforce
Enforcing
# docker run -i fedora chmod +r /dev/stdout
chmod: changing permissions of '/dev/stdout': Permission denied
# docker run -ti fedora chmod +r /dev/stdout
# cat /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1487292992.182:404): avc: denied { setattr } for pid=2791 comm="chmod" name="" dev="pipefs" ino=29054 scontext=system_u:system_r:container_t:s0:c123,c494 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
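The two AVC records above carry the whole diagnosis: the denied permission is setattr, the object is a fifo_file on pipefs (the pipe the runtime hands the container as stdout when no tty is allocated), and its label (kernel_t or container_runtime_t) belongs to the host side, so the container domain (svirt_lxc_net_t or container_t) is not allowed to change its mode. The following parser, an added example that is not part of the issue, extracts those fields from both log formats and flags this specific pattern for triage; the sample input is the two lines from this report embedded verbatim.

```python
import re

# Constructed sample input: the two AVC denials quoted in this issue
# (dmesg form from Container Linux, audit.log form from Fedora 25).
SAMPLE_LOG = """\
[ 2331.370824] audit: type=1400 audit(1487292483.922:92): avc: denied { setattr } for pid=1922 comm="chmod" name="" dev="pipefs" ino=22235 scontext=system_u:system_r:svirt_lxc_net_t:s0:c393,c530 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1487292992.182:404): avc: denied { setattr } for pid=2791 comm="chmod" name="" dev="pipefs" ino=29054 scontext=system_u:system_r:container_t:s0:c123,c494 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
"""

# "avc: denied { perm ... } for key=value key="value" ..." in either the
# kernel log or audit.log framing; anything before "avc:" is ignored.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # The type is the third colon-separated component of an SELinux context.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def is_host_pipe_denial(rec):
    """The pattern from this issue: a process denied setattr on a pipe that
    carries a label from outside its own domain (here: stdout without a tty)."""
    return (rec.get('dev') == 'pipefs' and rec.get('tclass') == 'fifo_file'
            and 'setattr' in rec['perms'] and rec['stype'] != rec['ttype'])


def triage(log_text):
    """Parse every AVC line and attach a one-line triage note to each record."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if is_host_pipe_denial(rec):
            rec['note'] = (f"{rec['comm']} (pid {rec['pid']}, {rec['stype']}) denied setattr "
                           f"on a pipe labelled {rec['ttype']}: stdout is a runtime-owned pipe, "
                           f"not a container pty (run with -t to get a pty the policy allows)")
        else:
            rec['note'] = f"other denial: {rec['perms']} on {rec.get('tclass')}"
        out.append(rec)
    return out


if __name__ == '__main__':
    for r in triage(SAMPLE_LOG):
        print(r['note'])
```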
About this issue
- State: open
- Created 7 years ago
- Reactions: 2
- Comments: 17 (6 by maintainers)
@rhatdan @justincormack the real issue (which necessitated chmod’ing /dev/stdout) is here:

I’m pretty sure we’re all aware of how to do that. The root cause, that /dev/stdout cannot be written to, is a big deal when you are running somebody else’s code.

If you are trying to run a command and write the output to a file and getting permission denied, then point the output to a file under /tmp:
command > /tmp/file

@justincormack any thoughts? It seems it has been solved only in limited use cases. In this one, the container defaults to root user and switches to another, unprivileged user. /dev/stdout is inaccessible to them.