Running ipcs from busybox doesn't work inside container #46

Closed
filbranden opened this issue Jan 24, 2018 · 3 comments

Comments

@filbranden

Hi @rhatdan,

Running the ipcs command from busybox doesn't work inside a Docker container. The one from util-linux works, but not the one from busybox.

It turns out their implementations are different: the one from busybox starts by calling shmctl(0, SHM_INFO, ...), while the one from util-linux tries to access the /proc files first and only falls back to IPC_INFO if that fails.

This is the end result:

```
$ docker run busybox ipcs
kernel not configured for message queues
kernel not configured for shared memory
kernel not configured for semaphores
```

While the same works when running from a container that ships util-linux:

```
$ docker run fedora ipcs

------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
```

Considering the functionality itself is not blocked (and accessing that information from the files under /proc/sysvipc/ works), I think this should be corrected by allowing IPC info inside a container.

I'll send a PR shortly that fixes this issue.

/cc @Random-Liu since this came up in kubernetes/kubernetes#58174

@rhatdan
Member

rhatdan commented Jan 25, 2018

What AVCs are you seeing?

@filbranden
Author

```
type=AVC msg=audit(1516749755.086:762): avc:  denied  { ipc_info } for  pid=9883 comm="ipcs" scontext=system_u:system_r:container_t:s0:c917,c993 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1516749755.086:763): avc:  denied  { ipc_info } for  pid=9883 comm="ipcs" scontext=system_u:system_r:container_t:s0:c917,c993 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1516749755.086:764): avc:  denied  { ipc_info } for  pid=9883 comm="ipcs" scontext=system_u:system_r:container_t:s0:c917,c993 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
```
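The two discovery paths described in the opening comment, and the permission the AVCs above name, side by side as an added example (this is not code from busybox, util-linux or container-selinux). The `probe_*_info` functions issue the same `*_INFO` control commands busybox uses, which is the path SELinux gates with the `system { ipc_info }` permission against `kernel_t` (the `tclass=system`, `{ ipc_info }`, `tcontext=...kernel_t` in the AVCs); when the LSM denies it the call fails with EACCES, and busybox turns that into "kernel not configured". `count_shm_segments` parses text in the `/proc/sysvipc/shm` column layout (key, shmid, perms in octal, size, ...), which is the util-linux path and needs only file permissions on `/proc`. `SAMPLE_PROC_SHM` is a constructed string in that layout so the parser runs offline; all function and type names here are this example's own.

```c
/* Added example: compares the *_INFO syscall path (busybox ipcs) with the
 * /proc/sysvipc/* file path (util-linux ipcs). Not project code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/sem.h>
#include <sys/shm.h>

struct probe_result {
    int rc;   /* return value of the *_INFO call (>= 0 on success) */
    int err;  /* errno when rc == -1, otherwise 0 */
};

/* busybox-style probe: shmctl(0, SHM_INFO). An LSM denial of ipc_info
 * surfaces here as EACCES, which busybox reports as "kernel not configured". */
struct probe_result probe_shm_info(void)
{
    struct shm_info info;
    struct probe_result r = {0, 0};
    errno = 0;
    r.rc = shmctl(0, SHM_INFO, (struct shmid_ds *)&info);
    r.err = (r.rc == -1) ? errno : 0;
    return r;
}

struct probe_result probe_msg_info(void)
{
    struct msginfo info;
    struct probe_result r = {0, 0};
    errno = 0;
    r.rc = msgctl(0, MSG_INFO, (struct msqid_ds *)&info);
    r.err = (r.rc == -1) ? errno : 0;
    return r;
}

/* glibc leaves union semun for the caller to define. */
union semun { int val; struct semid_ds *buf; unsigned short *array; struct seminfo *__buf; };

struct probe_result probe_sem_info(void)
{
    struct seminfo info;
    union semun arg;
    struct probe_result r = {0, 0};
    arg.__buf = &info;
    errno = 0;
    r.rc = semctl(0, 0, SEM_INFO, arg);
    r.err = (r.rc == -1) ? errno : 0;
    return r;
}

/* Parse text in the /proc/sysvipc/shm layout: one header line, then one line
 * per segment. Returns the segment count; *total_bytes gets the summed sizes. */
int count_shm_segments(const char *text, unsigned long long *total_bytes)
{
    int count = 0, first = 1;
    unsigned long long total = 0;
    const char *line = text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (!first && len < sizeof buf) {
            int key, id; unsigned perms; unsigned long long size;
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* key and shmid are decimal, perms octal, size decimal bytes */
            if (sscanf(buf, "%d %d %o %llu", &key, &id, &perms, &size) == 4) {
                count++;
                total += size;
            }
        }
        first = 0;
        line = nl ? nl + 1 : NULL;
    }
    if (total_bytes) *total_bytes = total;
    return count;
}

/* util-linux-style path: read the real /proc file; -1 if it cannot be opened. */
int proc_shm_segments(void)
{
    static char text[1 << 16];
    FILE *f = fopen("/proc/sysvipc/shm", "r");
    if (!f) return -1;
    size_t n = fread(text, 1, sizeof text - 1, f);
    text[n] = '\0';
    fclose(f);
    return count_shm_segments(text, NULL);
}

/* Constructed sample in the /proc/sysvipc/shm layout (two segments). */
static const char SAMPLE_PROC_SHM[] =
    "       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap\n"
    "         0          0  1600               1048576  1234  1234      2  1000  1000  1000  1000 1516749755          0 1516749755               4096                     0\n"
    "      1962      32769  1666                  4096  2345     0      0  1000  1000  1000  1000 1516749760          0 1516749760                  0                     0\n";

static void report(const char *name, struct probe_result r)
{
    if (r.rc == -1)
        printf("%s: failed: %s%s\n", name, strerror(r.err),
               r.err == EACCES ? " (busybox ipcs would print \"kernel not configured\")" : "");
    else
        printf("%s: ok (rc=%d)\n", name, r.rc);
}

int main(void)
{
    unsigned long long bytes = 0;
    report("shmctl(SHM_INFO)", probe_shm_info());
    report("msgctl(MSG_INFO)", probe_msg_info());
    report("semctl(SEM_INFO)", probe_sem_info());
    printf("/proc/sysvipc/shm: %d segment(s)\n", proc_shm_segments());
    printf("sample text: %d segment(s), %llu bytes\n",
           count_shm_segments(SAMPLE_PROC_SHM, &bytes), bytes);
    return 0;
}
```

Run it inside a container under the pre-2.44 container-selinux policy and the three probes fail with EACCES while the `/proc` read still succeeds, which is exactly the asymmetry the issue describes; the fix is a policy change, not a change to either ipcs.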

@rhatdan
Member

rhatdan commented Jan 29, 2018

OK, I have pushed a fix for this and am building new packages.

Fixed in container-selinux-2.44-1

@rhatdan rhatdan closed this as completed Jan 29, 2018