Bug 1289846
Summary: | docker_exec_t docker_config_t docker_unit_file_t not valid (left unmapped) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Chris Murphy <bugzilla> |
Component: | fedora-productimg-atomic | Assignee: | Colin Walters <walters> |
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 24 | CC: | bugzilla, dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, walters |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-08 12:30:35 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Chris Murphy
2015-12-09 07:07:49 UTC
Hi, Do you have docker-selinux rpm package installed? This looks like docker-selinux package is not installed in atomic. Fedora-Cloud_Atomic-x86_64-23.iso has docker-selinux-1.7.0-22.gitdcff4e1.fc23.x86_64 Fedora-Live-Workstation-x86_64-rawhide-20151208.iso does not include it. The OS running at the time of the reported problem, during btrfs send/receive, is Workstation-rawhide. And it's sending the root fs of a Fedora Atomic installation to a new fs. It may be atypical for Workstation to come across docker selinux contexts, but since atomics' /usr is mounted ro, the conventional way of relabeling isn't available. So I think all Fedora products need docker-selinux to avoid mislabeling. Then the live-workstation would need to have all packages installed locally that are installed in the Atomic platform. In this case it would be easy to add docker-selinux, but in the future we plan on having a separate policy and separate policy types for Atomic then Workstation. selinux-policy-atomic versus selinux-policy-targeted. The tool doing the relabeling should be labeled install_exec_t which will allow it mac_admin. runcon -t install_t restorecon ... might work also, if you are doing this as an admin. Yeah, likely: runcon -t install_t btrfs receive <newfs> would work. There's nothing really Atomic Host/ostree specific here - if you were trying to e.g. import a Fedora 23 rootfs as a btrfs volume on a Fedora 22 system, you could see the same thing. Could we play around selinux-policy-atomic.rpm available on https://copr.fedoraproject.org/coprs/mgrepl/selinux-policy/build/148502/ where we moved module store back to /etc. Source files for selinux-policy-atomic are also available using $ fedpkg clone selinux-policy $ fedpkg switch-branch private-master-atomic-policy Read https://bugzilla.redhat.com/show_bug.cgi?id=1290659 for more details. As I said I would not worry about using atomic policy because right now we don't have it working. Installation of docker policy fails so we don't have a working policy on Atomic Hosts. (In reply to Miroslav Grepl from comment #7) > As I said I would not worry about using atomic policy because right now we > don't have it working. Installation of docker policy fails so we don't have > a working policy on Atomic Hosts. In Fedora 23 the policy does function at a basic level, we just don't support semange. Which is obviously a huge restriction, but it does function. This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |