Bug 1127357

Summary: Docker image is not able to patch file on host system
Product: Red Hat Enterprise Linux 7
Reporter: Eric Rich <erich>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: dwalsh, erich, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-1.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-03-05 10:42:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1064025

Description Eric Rich 2014-08-06 18:13:39 UTC
Description of problem:

I am not able to get a docker container to patch a file on a mounted directory. 

How reproducible: Very

Steps to Reproduce:

- Note: Use a non-root / system user that is a member of the docker group.

$ mkdir dockerplay

$ echo "Test" > dockerplay/file
$ cp dockerplay/file dockerplay/file.change
$ echo "Test2" >> dockerplay/file.change 

$ diff -u dockerplay/file dockerplay/file.change > dockerplay/file.patch

$ echo -e "FROM redhat/rhel7:0\nRUN yum install -y patch strace && yum clean all" > dockerplay/Dockerfile
$ docker build -t broker_patch dockerplay/

** Become root 
# chown -R nobody:nobody dockerplay
# chcon -Rt svirt_sandbox_file_t dockerplay/
# ls -laZ dockerplay/
drwxrwxr-x. nobody    nobody    unconfined_u:object_r:svirt_sandbox_file_t:s0 .
drwx------. developer developer unconfined_u:object_r:user_home_dir_t:s0 ..
-rw-rw-r--. nobody    nobody    unconfined_u:object_r:svirt_sandbox_file_t:s0 Dockerfile
-rw-rw-r--. nobody    nobody    unconfined_u:object_r:svirt_sandbox_file_t:s0 file
-rw-rw-r--. nobody    nobody    unconfined_u:object_r:svirt_sandbox_file_t:s0 file.change
-rw-rw-r--. nobody    nobody    unconfined_u:object_r:svirt_sandbox_file_t:s0 file.patch

$ docker run -t -i -u nobody --rm -v $(pwd)/dockerplay:/mnt broker_patch /bin/bash
bash-4.2$ cd /mnt
bash-4.2$ patch -p0 -s < file.patch 
The text leading up to this was:
--------------------------
|--- dockerplay/file    2014-08-06 13:16:51.030000000 -0400
|+++ dockerplay/file.change     2014-08-06 13:17:20.413000000 -0400
--------------------------
File to patch: file

Actual results:

patch: setting attribute security.selinux for security.selinux: Permission denied

-- Audit Logs from Reproducer --

type=SYSCALL msg=audit(1407346081.674:11863): arch=c000003e syscall=16 success=yes exit=0 a0=11 a1=89a2 a2=c21108be80 a3=0 items=0 ppid=1 pid=23487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:docker_t:s0 key=(null)
type=AVC msg=audit(1407346131.288:11864): avc:  denied  { relabelfrom } for  pid=28769 comm="patch" name="file.otXlBVt" dev="dm-0" ino=1188044 scontext=system_u:system_r:svirt_lxc_net_t:s0:c162,c955 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
type=SYSCALL msg=audit(1407346131.288:11864): arch=c000003e syscall=189 success=no exit=-13 a0=ac9c10 a1=7fff3c25a530 a2=ac9c60 a3=2e items=0 ppid=1 pid=28769 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=pts1 ses=4294967295 comm="patch" exe="/usr/bin/patch" subj=system_u:system_r:svirt_lxc_net_t:s0:c162,c955 key=(null)
type=AVC msg=audit(1407346143.263:11865): avc:  denied  { relabelfrom } for  pid=28771 comm="patch" name="file.oWIbRuu" dev="dm-0" ino=1188044 scontext=system_u:system_r:svirt_lxc_net_t:s0:c162,c955 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
type=SYSCALL msg=audit(1407346143.263:11865): arch=c000003e syscall=189 success=no exit=-13 a0=1aa0c10 a1=7ffffbf0f940 a2=1aa0c60 a3=2e items=0 ppid=1 pid=28771 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=pts1 ses=4294967295 comm="patch" exe="/usr/bin/patch" subj=system_u:system_r:svirt_lxc_net_t:s0:c162,c955 key=(null)

Expected results:

bash-4.2$ cd /mnt
bash-4.2$ patch -p0 -s < file.patch
The text leading up to this was:
--------------------------
|--- dockerplay/file    2014-08-06 13:16:51.030000000 -0400
|+++ dockerplay/file.change     2014-08-06 13:17:20.413000000 -0400
--------------------------
File to patch: file

-- Audit Logs from Reproducer --

type=SYSCALL msg=audit(1407346644.795:11888): arch=c000003e syscall=56 success=yes exit=28903 a0=6c020011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=23672 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:docker_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1407346644.911:11889): dev=vethae69 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1407346644.911:11889): arch=c000003e syscall=16 success=yes exit=0 a0=11 a1=89a2 a2=c21047c7e0 a3=0 items=0 ppid=1 pid=23487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:docker_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1407346677.146:11890): dev=vethae69 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295

Additional info:

Running as a privileged user works!

$ docker run -t -i -u nobody --rm --privileged -v $(pwd)/dockerplay:/mnt broker_patch /bin/bash
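The audit records above carry everything needed to diagnose the denial without guessing: the AVC record names the permission (`relabelfrom`), the source and target SELinux types, and the object class, while the SYSCALL record with the same event id gives the syscall number and errno. The following is an added example (not part of the bug report or of any Red Hat tool) that groups the records by event id, summarizes each denial, and collapses the denials into the `allow` rule that a tool like audit2allow would print for them. The sample log is constructed from the lines quoted above; the syscall-name table is limited to the xattr syscalls on x86_64 (`arch=c000003e`) and is an assumption of this example. The derived rule matches what the AVC says, not necessarily what the shipped selinux-policy fix contains, so treat it as a diagnostic, not a substitute for updating to the fixed package.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL records quoted in the bug report above.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1407346081.674:11863): arch=c000003e syscall=16 success=yes exit=0 a0=11 a1=89a2 a2=c21108be80 a3=0 items=0 ppid=1 pid=23487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:docker_t:s0 key=(null)
type=AVC msg=audit(1407346131.288:11864): avc:  denied  { relabelfrom } for  pid=28769 comm="patch" name="file.otXlBVt" dev="dm-0" ino=1188044 scontext=system_u:system_r:svirt_lxc_net_t:s0:c162,c955 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
type=SYSCALL msg=audit(1407346131.288:11864): arch=c000003e syscall=189 success=no exit=-13 a0=ac9c10 a1=7fff3c25a530 a2=ac9c60 a3=2e items=0 ppid=1 pid=28769 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=pts1 ses=4294967295 comm="patch" exe="/usr/bin/patch" subj=system_u:system_r:svirt_lxc_net_t:s0:c162,c955 key=(null)
type=AVC msg=audit(1407346143.263:11865): avc:  denied  { relabelfrom } for  pid=28771 comm="patch" name="file.oWIbRuu" dev="dm-0" ino=1188044 scontext=system_u:system_r:svirt_lxc_net_t:s0:c162,c955 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
type=SYSCALL msg=audit(1407346143.263:11865): arch=c000003e syscall=189 success=no exit=-13 a0=1aa0c10 a1=7ffffbf0f940 a2=1aa0c60 a3=2e items=0 ppid=1 pid=28771 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=pts1 ses=4294967295 comm="patch" exe="/usr/bin/patch" subj=system_u:system_r:svirt_lxc_net_t:s0:c162,c955 key=(null)
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <body>
EVENT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$")
# avc:  denied  { perm perm } for ...
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}")
# key=value pairs; values may be quoted (comm="patch") or bare (exit=-13, key=(null))
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: x86_64 syscall numbers for the xattr family (arch=c000003e).
X86_64_XATTR_SYSCALLS = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}


def parse_records(text):
    """Group audit records by event id so AVC and SYSCALL lines of one event sit together."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if m.group("type") == "AVC":
            avc = AVC_RE.search(body)
            fields["result"] = avc.group("result")
            fields["perms"] = avc.group("perms").split()
        events[m.group("event")][m.group("type")] = fields
    return dict(events)


def context_type(ctx):
    """user:role:type[:level] -> type (drops the MLS/MCS level, e.g. s0:c162,c955)."""
    return ctx.split(":")[2]


def summarize_denials(events):
    """One summary dict per denied AVC, joined with its SYSCALL record when present."""
    out = []
    for event_id, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc["result"] != "denied":
            continue
        sc = recs.get("SYSCALL", {})
        nr = int(sc["syscall"]) if "syscall" in sc else None
        out.append({
            "event": event_id,
            "comm": avc.get("comm"),
            "perms": avc["perms"],
            "source_type": context_type(avc["scontext"]),
            "target_type": context_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "syscall": X86_64_XATTR_SYSCALLS.get(nr, nr),
            "exit": int(sc["exit"]) if "exit" in sc else None,  # -13 == -EACCES
            "uid": sc.get("uid"),
        })
    return out


def te_rules(denials):
    """Collapse denials into allow rules keyed on (source type, target type, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


if __name__ == "__main__":
    denials = summarize_denials(parse_records(SAMPLE_AUDIT_LOG))
    for d in denials:
        print(f"{d['event']} {d['comm']} uid={d['uid']} {d['syscall']} exit={d['exit']} "
              f"{d['source_type']} -> {d['target_type']}:{d['tclass']} {d['perms']}")
    print("\n".join(te_rules(denials)))
```

Run against the report's records this prints two `patch` denials, both `lsetxattr` failing with `-13` (EACCES) as uid 99 (`nobody`), and a single rule, `allow svirt_lxc_net_t svirt_sandbox_file_t:file { relabelfrom };`, which is exactly the access the container process (`svirt_lxc_net_t`) was missing on the bind-mounted `svirt_sandbox_file_t` files. The docker SYSCALL record (event 11863) has no AVC and is correctly ignored.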

Comment 2 Daniel Walsh 2014-08-06 21:31:04 UTC
In your container what does "id -Z" say?

Does it show SELinux as disabled?

Comment 3 Eric Rich 2014-08-06 21:37:58 UTC
$ docker run -t -i -u nobody --rm -v $HOME/dockerplay/:/mnt rhel7 /bin/bash 
bash-4.2$ id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
bash-4.2$ exit

$ docker run -t -i -u nobody --rm --privileged -v $HOME/dockerplay/:/mnt rhel7 /bin/bash
bash-4.2$ id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
bash-4.2$ exit
exit

Comment 4 Eric Rich 2014-08-06 21:41:06 UTC
$ getenforce
Enforcing

^^ from the host.

Comment 5 Daniel Walsh 2014-08-06 22:59:10 UTC
eb488fe790bcd3394c317c88d990ba54510617dc fixes this in git.

Have no idea why it is doing it, but I have no problem allowing it.

Needs back port to F20, F21 and RHEL7

Comment 11 Daniel Walsh 2015-01-29 14:46:25 UTC
Milos what version of docker?

Comment 12 Milos Malik 2015-01-29 14:56:14 UTC
# rpm -qa docker\*
docker-1.4.1-1.el7.x86_64
#

Going to test it with the latest one.

Comment 15 errata-xmlrpc 2015-03-05 10:42:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

Comment 18 Daniel Walsh 2015-03-31 21:34:24 UTC
Well it is walking the file system and changing the context. Hopefully it is comparable to chcon -R -t svirt_sandbox_file_t /mount/point