Bug 1281805

Summary: docker 1.8.2 fails to perform any action when selinux set to enforcing
Product: Red Hat Enterprise Linux 7
Reporter: Praveen Kumar <prkumar>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Docs Contact:
Priority: urgent
Version: 7.2
CC: ajia, bleanhar, dustymabe, kanderso, kumarpraveen.nitdgp, lfriedma, lsm5, mjenner, sdodson, tpoitras
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: docker-1.8.2-10.el7
Doc Type: Bug Fix
Doc Text:
Previously, Docker 1.8.2 failed to perform any action when SELinux was set to enforcing mode. This is no longer an issue, and Docker images now run as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-08 15:37:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Praveen Kumar 2015-11-13 13:02:23 UTC
Description of problem:
Docker 1.8.2 is failing because of selinux enforcing mode.

# docker run -it --rm openshift3/ose version
permission denied
Error response from daemon: Cannot start container ce18f78eaa824a5dcead11dd23e47477d161f5eacf38d6b9b2a4e960ca9dd6bb: [8] System error: permission denied

$ getenforce 
Enforcing

$ sudo setenforce 0

# docker run -it --rm openshift3/ose version
openshift v3.1.0.4-3-ga6353c7
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2


Version-Release number of selected component (if applicable):

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)

$ docker --version
Docker version 1.8.2, build a01dc02/1.8.2

$ rpm -qa | grep selinux
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch
libselinux-python-2.2.2-6.el7.x86_64
docker-selinux-1.8.2-8.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64


How reproducible:
Every time

Steps to Reproduce:
1. Start the docker service on a box with SELinux enabled
2. Try to run an image

Actual results:
It fails to run the docker image.

Expected results:
It should run the docker image as expected.

Additional info:
N/A

Let me know if any more details required.

Comment 2 Daniel Walsh 2015-11-13 14:25:41 UTC
Any avc messages?

yum reinstall docker-selinux

Could help.

Comment 3 Praveen Kumar 2015-11-16 06:41:49 UTC
(In reply to Daniel Walsh from comment #2)
> Any avc messages?
# ausearch -m avc 
----
time->Mon Nov 16 02:32:06 2015
type=SYSCALL msg=audit(1447659126.109:1157): arch=c000003e syscall=59 success=no exit=-13 a0=c20815e2e0 a1=c2081603e0 a2=c208149a80 a3=0 items=0 ppid=936 pid=13090 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1447659126.109:1157): avc:  denied  { transition } for  pid=13090 comm="exe" path="/usr/bin/cat" dev="dm-5" ino=67110949 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c108,c1017 tclass=process

> yum reinstall docker-selinux

# yum reinstall docker-selinux
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Installed package docker-selinux-1.8.2-8.el7.x86_64 (from koji-override-0) not available.
Error: Nothing to do

I followed the steps below to make it work.
# yum remove -y docker-selinux; yum install -y docker-selinux
# systemctl restart docker

Comment 4 Praveen Kumar 2015-11-17 10:58:04 UTC
Also (before and after updating the docker-selinux package).

$ sudo rpm -V docker coreutils
S.5....T.  c /etc/sysconfig/docker-storage
S.5....T.  c /etc/sysconfig/docker-storage-setup

Comment 6 Daniel Walsh 2015-11-17 16:43:52 UTC
Praveen are you still seeing the problem?

ps -eZ | grep docker

Lokesh don't we have a fix for this in Fedora?

Comment 7 Martin Jenner 2015-11-17 22:39:22 UTC
I tried some of the openshift3/* images live in production and did not hit issues

-bash-4.2# atomic host status
  TIMESTAMP (UTC)         VERSION   ID             OSNAME               REFSPEC                                                        
* 2015-11-10 16:11:46     7.2       ec85fba1bf     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard


docker run -it --rm <image> version

openshift3/ose-docker-builder
openshift3/ose-docker-builder
openshift3/ose-f5-router
openshift3/ose-haproxy-router

Comment 8 Dusty Mabe 2015-11-18 00:12:12 UTC
This is an arbitrary rpm transaction ordering issue. Sometimes it happens (because the ordering sorts docker-selinux before docker) and sometimes it doesn't.

In the vagrant box we are using for CDK we got unlucky. This is from the kickstart logs:

```
[root@localhost anaconda]# grep "scriptlet failed" /var/log/anaconda/packaging.log
15:46:13,521 INFO packaging: warning: %post(docker-selinux-1.8.2-8.el7.x86_64) scriptlet failed, exit status 255
```

This was fixed in Fedora I believe:
http://pkgs.fedoraproject.org/cgit/docker.git/commit/?h=f23&id=d6be327e7fc7bc777b6106e69011754609266a21
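
Added example (shell), not code from the bug report or from the docker/docker-selinux packages. It ties together the AVC line pasted in comment 3, the `ps -eZ` check suggested in comment 6 and the failed `%post` scriptlet explained in comment 8: it parses an AVC denial into source type, target type, permission and class, flags the signature of this bug (a denied process transition out of `unconfined_service_t`), and offers two live checks for whether the docker policy module is actually loaded. The sample AVC line is the one from comment 3, embedded so the parser runs offline. One assumption, not stated on this page: on RHEL 7 with a working docker-selinux the daemon runs as `docker_t`; when the policy module is missing, docker.service falls back to `unconfined_service_t`, which is exactly the source context in the denial above.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the docker/docker-selinux
# packages: classify AVC denials like the one pasted in comment 3 and check
# whether the docker SELinux policy module actually made it onto the host.

# Constructed input: the AVC line from comment 3, embedded so the parser runs
# offline. On a live host feed it `ausearch -m avc -ts recent` instead.
SAMPLE_AVC='type=AVC msg=audit(1447659126.109:1157): avc:  denied  { transition } for  pid=13090 comm="exe" path="/usr/bin/cat" dev="dm-5" ino=67110949 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c108,c1017 tclass=process'

# avc_field LINE KEY: value of the KEY=value pair in LINE (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: the permission list inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT: the type field (user:role:TYPE:level) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# diagnose_avc LINE: one-line classification of a denial.
# A denied process transition whose source is unconfined_service_t is the
# signature of this bug: docker.service was started with no docker policy
# loaded, so the daemon fell back to unconfined_service_t instead of docker_t
# (assumption about the policy layout on RHEL 7 with docker-selinux installed)
# and nothing allows it to transition a container process into svirt_lxc_net_t.
diagnose_avc() {
    line=$1
    perm=$(avc_perm "$line")
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    tdom=$(ctx_type "$(avc_field "$line" tcontext)")
    class=$(avc_field "$line" tclass)
    case "$perm:$class:$sdom" in
        transition:process:unconfined_service_t)
            echo "daemon-unconfined: dockerd runs as $sdom and may not transition to $tdom; docker SELinux policy module probably not loaded" ;;
        *)
            echo "other: $sdom -> $tdom denied { $perm } class $class" ;;
    esac
}

# Live checks (need root and the policycoreutils tools; not exercised offline).
# docker_policy_loaded: 0 if a docker module is in the loaded policy,
# 1 if not, 2 if semodule is unavailable on this host.
docker_policy_loaded() {
    command -v semodule >/dev/null 2>&1 || return 2
    semodule -l | grep -q '^docker'
}

# failed_docker_selinux_post [LOG]: 0 if the kickstart packaging log records
# the docker-selinux %post scriptlet failure described in comment 8.
failed_docker_selinux_post() {
    log=${1:-/var/log/anaconda/packaging.log}
    [ -r "$log" ] && grep -q 'docker-selinux.*scriptlet failed' "$log"
}

# Offline run on the constructed line; on a real host follow it with
# `ps -eZ | grep docker` (comment 6) and the two live checks above.
diagnose_avc "$SAMPLE_AVC"
```

If `diagnose_avc` reports `daemon-unconfined` and `docker_policy_loaded` returns 1, the fix from comment 3 applies: reinstall docker-selinux so its `%post` runs after docker is present, then restart the daemon and confirm with `ps -eZ | grep docker` that it no longer runs as `unconfined_service_t`.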

Comment 9 Praveen Kumar 2015-11-18 05:45:07 UTC
(In reply to Dusty Mabe from comment #8)
> This is an arbitrary rpm transaction ordering issue.. Sometimes it happens
> (because the ordering sorts docker-selinux before docker) and sometimes it
> doesn't. 
> 
> In the vagrant box we are using for CDK we got unlucky. This is from the
> kickstart logs:
> 
> ```
> [root@localhost anaconda]# grep "scriptlet failed"
> /var/log/anaconda/packaging.log
> 15:46:13,521 INFO packaging: warning:
> %post(docker-selinux-1.8.2-8.el7.x86_64) scriptlet failed, exit status 255
> ```

Thanks Dusty for the explanation. So we have to wait till 1.8.2-10 lands in the RHEL tree and the CDK build picks it up; till then, that bad hack is the only way to go.


> This was fixed in Fedora I believe:
> http://pkgs.fedoraproject.org/cgit/docker.git/commit/
> ?h=f23&id=d6be327e7fc7bc777b6106e69011754609266a21

Comment 11 Alex Jia 2015-11-20 09:36:19 UTC
docker run works well and no AVC denied errors occur on docker-1.8.2-10.el7.x86_64, so moving the bug to verified status.


# getenforce
Enforcing

# rpm -q docker
docker-1.8.2-10.el7.x86_64

# docker run -it --rm openshift3/ose version
openshift v3.1.0.4-3-ga6353c7
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2

Comment 14 errata-xmlrpc 2015-12-08 15:37:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2554.html