Bug 1225549

Summary: docker relabel of volumes should use shared volumes by default
Product: Red Hat Enterprise Linux 7
Reporter: Laurent Rineau <laurent.rineau__fedora>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: Luwen Su <lsu>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.1
CC: dwalsh, lsm5, miabbott, sghosh
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: docker was labeling shared volumes private by default.
Consequence: Other containers could not use the content.
Fix: Fixed the code to label shared volumes correctly.
Result: Shared volumes now work with SELinux in enforcing mode.
Story Points: ---
Clone Of:
Clones: 1225556
Environment:
Last Closed: 2015-06-23 09:29:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1211379, 1225556

Description Laurent Rineau 2015-05-27 16:23:58 UTC
Docker version 1.6.0-11.0.1.el7 has been pushed to RHEL 7.1 (I am actually using CentOS 7.1). That version contains the relabelling feature for volumes, and by default the volumes are private.

That breaks the compatibility with existing container setups that share a volume. If the admin of the containers does not change the command lines to launch the containers, the first launched container will relabel the volume, and the following launched container will get AVC denials trying to use the volume.

I appreciate that RHEL/CentOS gets newer versions of Docker, but the backward compatibility should be respected:
  - the default should be "shared",
  - the default could be taken from a configuration option, set to "private" in the config file shipped with the RPM package, but still with "shared" as the default value if the config file does not say otherwise.

Comment 2 Daniel Walsh 2015-05-27 16:42:35 UTC
Could you attach the docker command where you are seeing this behaviour? I agree the default should be shared for volume containers, and it should do nothing for bind mount volumes.

Comment 3 Laurent Rineau 2015-06-01 11:09:47 UTC
The problematic docker version:

cgal ~/tmp/docker-test $ docker version
Client version: 1.6.0
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 8aae715/1.6.0
OS/Arch (client): linux/amd64
Server version: 1.6.0
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 8aae715/1.6.0
OS/Arch (server): linux/amd64

Here are the commands I run:

cgal ~/tmp/docker-test $ ls -lZd volume_dir   
drwxr-xr-x. lrineau geometryfactory system_u:object_r:svirt_sandbox_file_t:s0 volume_dir

cgal ~/tmp/docker-test $ docker run -v $PWD/volume_dir:/volume:ro fedora /bin/ls /volume 
cgal ~/tmp/docker-test $ ls -lZd volume_dir
drwxr-xr-x. lrineau geometryfactory system_u:object_r:svirt_sandbox_file_t:s0:c321,c330 volume_dir

You can see that the range of volume_dir has been changed to a private label.

If I setup the volume with ":z":

cgal ~/tmp/docker-test $ docker run -v $PWD/volume_dir:/volume:z fedora /bin/ls /volume
cgal ~/tmp/docker-test $ ls -lZd volume_dir                                            
drwxr-xr-x. lrineau geometryfactory system_u:object_r:svirt_sandbox_file_t:s0 volume_dir

If I setup the volume without any mode:

cgal ~/tmp/docker-test $ docker run -v $PWD/volume_dir:/volume fedora /bin/ls /volume 
cgal ~/tmp/docker-test $ ls -lZd volume_dir                                          
drwxr-xr-x. lrineau geometryfactory system_u:object_r:svirt_sandbox_file_t:s0 volume_dir

If neither Z nor z are added to the mode, it should be shared by default. But if the mode is "ro", then the volume is relabeled to a private label. And that is the bug.

Comment 4 Daniel Walsh 2015-06-01 12:52:28 UTC
Let's check if this is fixed in docker-1.6.2.

Comment 6 Luwen Su 2015-06-15 04:35:23 UTC
In docker-1.6.2-10.el7.x86_64,
1.Create a dir on host:
#mkdir label
# ls -aZ
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 label

# docker run -it -v label:/label-test rhel7 /bin/bash
[root@9fe47cee7961 /]# ls -aZ   
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 label-test

2.Mount with `ro`
# docker run -it -v /root/label:/label-test:ro rhel7 /bin/bash 
[root@05c2abb88a1c /]# ls -aZ
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 label-test

Move to verified

Comment 7 Luwen Su 2015-06-15 06:07:39 UTC
Sorry for the missing steps; here are the rest.
Without `z`/`Z` the volume label will not change.
Give a `z`:
# docker run -it -v /root/test/sites/test.conf:/etc/nginx/conf.d/default.conf:z nginx ls -aZ /etc/nginx/conf.d/default.conf 
system_u:object_r:svirt_sandbox_file_t:s0 /etc/nginx/conf.d/default.conf
# ls -aZ test.conf 
-rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 test.conf

then with `ro`, no change:
# docker run -it -v /root/test/sites/test.conf:/etc/nginx/conf.d/default.conf:ro nginx ls -aZ /etc/nginx/conf.d/default.conf 
system_u:object_r:svirt_sandbox_file_t:s0 /etc/nginx/conf.d/default.conf
# ls -aZ test.conf 
-rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 test.conf

with `Z`, it changes again:
# docker run -it -v /root/test/sites/test.conf:/etc/nginx/conf.d/default.conf:Z nginx ls -aZ /etc/nginx/conf.d/default.conf 
system_u:object_r:svirt_sandbox_file_t:s0:c519,c558 /etc/nginx/conf.d/default.conf
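
Added example (editor's illustration, not part of this bug report and not docker's own volume code): a Go model of the relabel decision that comment 3 shows going wrong in 1.6.0 and that comments 6 and 7 verify in docker-1.6.2-10.el7. ParseModeBuggy reproduces the 1.6.0 symptom (any mode string, including a plain ":ro", triggers a relabel, and only ":z" makes it shared); ParseMode is the intended behaviour (only ":z"/":Z" relabel). LabelKind reads a context string as printed by `ls -Zd`, and SimulateConcurrent shows the reported consequence: with the buggy parser, two long-running containers started with ":ro" against an already-shared directory end up with the first one locked out by the second one's private MCS label. All function names, the per-container category pairs (c100,c200 and so on) and the simplification that a confined container is denied any host path not typed svirt_sandbox_file_t are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// VolumeMode is the decision derived from the ":mode" suffix of a
// "-v host:container[:mode]" argument (illustrative model, not docker's code).
type VolumeMode struct {
	ReadOnly bool
	Relabel  bool // relabel the host path at all
	Shared   bool // ":z" -> svirt_sandbox_file_t:s0; ":Z" -> per-container MCS pair
}

// ParseMode models the behaviour verified in comments 6 and 7 for
// docker-1.6.2-10.el7: only "z"/"Z" relabel, "ro"/"rw" only affect writability.
func ParseMode(mode string) (VolumeMode, error) {
	var vm VolumeMode
	if mode == "" {
		return vm, nil
	}
	for _, opt := range strings.Split(mode, ",") {
		switch opt {
		case "ro", "rw":
			vm.ReadOnly = opt == "ro"
		case "z":
			vm.Relabel, vm.Shared = true, true
		case "Z":
			vm.Relabel, vm.Shared = true, false
		default:
			return VolumeMode{}, fmt.Errorf("invalid volume mode %q", opt)
		}
	}
	return vm, nil
}

// ParseModeBuggy reproduces the 1.6.0 symptom from comment 3: any non-empty
// mode triggered a relabel and only a lowercase "z" made it shared, so ":ro"
// silently produced a private, per-container label.
func ParseModeBuggy(mode string) (VolumeMode, error) {
	if mode == "" {
		return VolumeMode{}, nil
	}
	return VolumeMode{
		ReadOnly: strings.Contains(mode, "ro"),
		Relabel:  true,
		Shared:   strings.Contains(mode, "z"),
	}, nil
}

// LabelKind classifies a file context as printed by `ls -Zd`: "shared" is
// svirt_sandbox_file_t with no categories (s0), "private" has categories
// (s0:cN,cM), "other" was never relabeled (assumed denied to a confined container).
func LabelKind(ctx string) string {
	parts := strings.Split(ctx, ":")
	if len(parts) < 4 || parts[2] != "svirt_sandbox_file_t" {
		return "other"
	}
	if len(parts) >= 5 && strings.HasPrefix(parts[4], "c") {
		return "private"
	}
	return "shared"
}

// SimulateConcurrent starts one container per mode on the same host path, leaves
// them all running, and reports which of them can still use the volume after every
// relabel, plus the final host label. MCS pairs are constructed (container i gets c10i,c20i).
func SimulateConcurrent(parse func(string) (VolumeMode, error), hostLabel string, modes []string) ([]bool, string, error) {
	label := hostLabel
	owners := make([]string, len(modes))
	for i, m := range modes {
		vm, err := parse(m)
		if err != nil {
			return nil, label, err
		}
		owners[i] = fmt.Sprintf("c%d,c%d", 100+i, 200+i)
		if vm.Relabel {
			label = "system_u:object_r:svirt_sandbox_file_t:s0"
			if !vm.Shared {
				label += ":" + owners[i]
			}
		}
	}
	kind := LabelKind(label)
	ok := make([]bool, len(modes))
	for i := range modes {
		ok[i] = kind == "shared" || (kind == "private" && strings.HasSuffix(label, ":"+owners[i]))
	}
	return ok, label, nil
}

func main() {
	shared := "system_u:object_r:svirt_sandbox_file_t:s0" // host dir already shared, as in comment 3
	ok, label, _ := SimulateConcurrent(ParseModeBuggy, shared, []string{"ro", "ro"})
	fmt.Println("1.6.0, two :ro containers -> usable:", ok, "label:", label)
	ok, label, _ = SimulateConcurrent(ParseMode, shared, []string{"ro", "ro"})
	fmt.Println("1.6.2, two :ro containers -> usable:", ok, "label:", label)
}
```

Run with `go run`; the buggy run prints `usable: [false true]` with a `s0:c101,c201` label, the fixed run prints `[true true]` with the directory's original shared label. The same simulation with ":Z" on the first container and ":ro" on the second gives `[true false]`, which is the intended meaning of ":Z" rather than a bug.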

Comment 9 errata-xmlrpc 2015-06-23 09:29:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1167.html

Comment 10 Laurent Rineau 2015-06-28 16:04:27 UTC
The new build is now officially on CentOS 7. Thanks a lot for the fix!