Bug 1289846

Summary:	docker_exec_t docker_config_t docker_unit_file_t not valid (left unmapped)
Product:	[Fedora] Fedora	Reporter:	Chris Murphy <bugzilla>
Component:	fedora-productimg-atomic	Assignee:	Colin Walters <walters>
Status:	CLOSED EOL	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	24	CC:	bugzilla, dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, walters
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-08-08 12:30:35 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Chris Murphy 2015-12-09 07:07:49 UTC

Description of problem:




Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-162.fc24.noarch

btrfs-progs v4.3.1


How reproducible:


Steps to Reproduce:
1. Installed this -> Fedora-Cloud_Atomic-x86_64-23.iso to ext4
2. Booted Fedora-Live-Workstation-x86_64-rawhide-20151208.iso, which has the above listed component versions
3. btrfs-convert the atomic ext4 root fs.
4. mkfs.btrfs a new separate btrfs volume.
5. btrfs send <nameofsubvolsnapshotonconvertedfs> | btrfs receive <newfs>

Actual results:

During send receive, the following kernel messages

Dec 09 01:52:05 localhost kernel: SELinux:  Context system_u:object_r:docker_exec_t:s0 is not valid (left unmapped).

Dec 09 01:53:19 localhost kernel: SELinux:  Context system_u:object_r:docker_unit_file_t:s0 is not valid (left unmapped).


Dec 09 01:54:43 localhost audit[2136]: AVC avc:  denied  { mac_admin } for  pid=2136 comm="btrfs" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
Dec 09 01:54:43 localhost kernel: SELinux:  Context system_u:object_r:docker_config_t:s0 is not valid (left unmapped).


The last one interrupts the btrfs process, unless booted enforcing=0. Uncertain if the unmapped result will cause problems using the resulting atomic-on-btrfs installation.


Expected results:

docker_exec_t docker_config_t docker_unit_file_t should be valid contexts whether the running system is atomic or not.


Additional info:

Comment 1 Lukas Vrabec 2015-12-09 09:55:43 UTC

Hi, 
Do you have docker-selinux rpm package installed?

Comment 2 Daniel Walsh 2015-12-09 14:54:39 UTC

This looks like docker-selinux package is not installed in atomic.

Comment 3 Chris Murphy 2015-12-09 19:13:06 UTC

Fedora-Cloud_Atomic-x86_64-23.iso has docker-selinux-1.7.0-22.gitdcff4e1.fc23.x86_64

Fedora-Live-Workstation-x86_64-rawhide-20151208.iso does not include it.

The OS running at the time of the reported problem, during btrfs send/receive, is Workstation-rawhide. And it's sending the root fs of a Fedora Atomic installation to a new fs.

It may be atypical for Workstation to come across docker selinux contexts, but since atomics' /usr is mounted ro, the conventional way of relabeling isn't available. So I think all Fedora products need docker-selinux to avoid mislabeling.

Comment 4 Daniel Walsh 2015-12-09 20:03:19 UTC

Then the live-workstation would need to have all packages installed locally that are installed in the Atomic platform.  In this case it would be easy to add docker-selinux, but in the future we plan on having a separate policy and separate policy types for Atomic then Workstation.

selinux-policy-atomic versus selinux-policy-targeted.

The tool doing the relabeling should be labeled install_exec_t which will allow it mac_admin.

runcon -t install_t restorecon ... might work also, if you are doing this as an admin.

Comment 5 Colin Walters 2015-12-09 20:07:49 UTC

Yeah, likely:

runcon -t install_t btrfs receive <newfs>

would work.

Comment 6 Colin Walters 2015-12-09 20:08:44 UTC

There's nothing really Atomic Host/ostree specific here - if you were trying to e.g. import a Fedora 23 rootfs as a btrfs volume on a Fedora 22 system, you could see the same thing.

Comment 7 Miroslav Grepl 2015-12-22 08:57:19 UTC

Could we play around selinux-policy-atomic.rpm available on 

https://copr.fedoraproject.org/coprs/mgrepl/selinux-policy/build/148502/

where we moved module store back to /etc. Source files for selinux-policy-atomic are also available using

$ fedpkg clone selinux-policy
$ fedpkg switch-branch private-master-atomic-policy

Read https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details.

As I said I would not worry about using atomic policy because right now we don't have it working. Installation of docker policy fails so we don't have a working policy on Atomic Hosts.

Comment 8 Colin Walters 2015-12-22 12:30:11 UTC

(In reply to Miroslav Grepl from comment #7)

> As I said I would not worry about using atomic policy because right now we
> don't have it working. Installation of docker policy fails so we don't have
> a working policy on Atomic Hosts.

In Fedora 23 the policy does function at a basic level, we just don't support semange.  Which is obviously a huge restriction, but it does function.

Comment 9 Jan Kurik 2016-02-24 15:51:40 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 10 Fedora End Of Life 2017-07-25 19:37:08 UTC

This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 11 Fedora End Of Life 2017-08-08 12:30:35 UTC

Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.