Share and learn in the Docker community.
Is anyone using DISA STIG for RHEL Profiles and Docker-CE?
I keep receiving the following message:
OCI runtime create failed: copying bootstrap data to pipe caused \"write init-p: broken pipe\"": unknown
We would like to continue to use DISA STIG if possibly.
~
Base Install: Docker works as expected
CIS Benchmark Server #2: Docker works as expected.
OS: Almalinux 9,1
I narrowed it down to fapolicyd. Does anyone have experience with fapolicyd rules to enable docker.
I am having the same problem. This rule is blocking “docker run hello-world” from working:
rule=5 dec=deny_audit perm=open auid=-1 pid=2563591 exe=/ : path=/usr/lib64/libsseccomp.so.2.5.2 ftype=application/x-sharedlib trust=1
rule=5 dec=deny_audit perm=open auid=-1 pid=2563591 exe=/ : path=/usr/lib64/libc.so.6 ftype=application/x-sharedlib trust=1
(run fapolicyd --permissive --debug-deny)
These libraries are in the trust db. It has to do with this rule
deny_audit perm=any pattern=ld_so : all
I do not know too much about this but I think this is to block ld.so exploits. I am still puzzled what to do about this. It seems like that rule is necessary for STIGs.
OS: Almalinux 9.1 (5.14.0-162.23.1.e19_1.x86_64) with DISA STIG profile (no GUI).
Docker: 23.0.4