Bug 1336857
| Summary: | SELinux context not set properly when building vagrant box | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Praveen Kumar <prkumar> |
| Component: | docker | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.2 | CC: | dwalsh, gouyang, lmohanty, lsm5 |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 09:08:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Praveen Kumar
2016-05-17 15:13:43 UTC
Looks like docker-selinux did not update? (In reply to Daniel Walsh from comment #2) > Looks like docker-selinux did not update? You mean in rpm package side or in the box (because in the box it updated to 1.9.1-40.el7.x86_64) ? Could you do yum reinstall docker-selinux matchpathcon /usr/bin/docker* (In reply to Daniel Walsh from comment #4) > Could you do > > yum reinstall docker-selinux > matchpathcon /usr/bin/docker* # matchpathcon /usr/bin/docker* /usr/bin/docker system_u:object_r:docker_exec_t:s0 /usr/bin/docker-current system_u:object_r:docker_exec_t:s0 /usr/bin/docker-storage-setup system_u:object_r:docker_exec_t:s0 Does that mean in their is something messy in the kickstart (https://github.com/praveenkumar/adb-atomic-developer-bundle/blob/ose_32/build_tools/kickstarts/rhel-7-cdk-vagrant.ks) ? That looks good, what is the labels though ls -lZ /usr/bin/docker* (In reply to Daniel Walsh from comment #6) > That looks good, what is the labels though > ls -lZ /usr/bin/docker* # ls -Zl /usr/bin/docker* -rwxr-xr-x. 1 system_u:object_r:docker_exec_t:s0 root root 532 May 3 16:01 /usr/bin/docker -rwxr-xr-x. 1 system_u:object_r:bin_t:s0 root root 38643559 May 3 16:04 /usr/bin/docker-current -rwxr-xr-x. 1 system_u:object_r:bin_t:s0 root root 26693 Apr 26 14:51 /usr/bin/docker-storage-setup restorecon -v /usr/bin/docker* Should fix. But it looks like we have a bug in the scripts that do not label these correctly on creation. If docker-selinux was installed before docker and docker-latest, they would get labeled correctly. (In reply to Daniel Walsh from comment #8) > restorecon -v /usr/bin/docker* > > Should fix. > > But it looks like we have a bug in the scripts that do not label these > correctly on creation. > > If docker-selinux was installed before docker and docker-latest, they would > get labeled correctly. That's right even if I do reinstall of docker-selinux it doesn't get labeled correct. we have to use `restorecon` which if kind of bug and I think same issue we filled earlier (#1281805) and it was closed by saying that now ordering of docker-selinux and docker is fixed. I think we have to revisit and find out why it is happening. The docker package and docker-latest packages need to require(pre) the docker-selinux package, to make sure it is fully installed before the contents of docker or docker-latest are layed down. ALternatively docker-selinux should run restorecon on /usr/bin/docker* in its post install. @lsm Any update on this bug? Fixed in docker-1.10. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2634.html |