Bug 1346185

Summary: Installing Extras 7.2 on RHEL 7.3 nightly causes wrong SELinux domain for the docker daemon and containers
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Priority: medium
Version: 7.3
CC: dwalsh, gouyang, jpazdziora, lsm5, rhartman
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-11-04 09:08:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jan Pazdziora (Red Hat) 2016-06-14 08:30:34 UTC
Description of problem:

Attempting to install docker on RHEL 7.3 nightly (RHEL-7.3-20160613.n.0 Server x86_64), either from the released rhel-7-server-extras-rpms or from the nightly EXTRAS-7.2-RHEL-7-20160603.1, leads to an error during the yum transaction, the wrong type on /usr/bin/docker*, and the docker daemon running as initrc_t.

Version-Release number of selected component (if applicable):

RHEL-7.3-20160613.n.0
docker-1.9.1-40.el7.x86_64 or docker-1.10.3-31.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum install -y docker
2. ls -laZ /usr/bin/docker*
3. systemctl start docker
4. docker run --privileged -ti rhel7 bash
5. In another terminal: ps axuwwfZ

Actual results:

  Installing : policycoreutils-python-2.5-2.1.el7.x86_64          16/21 
  Installing : docker-selinux-1.10.3-31.el7.x86_64                17/21 
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at line 147 of /etc/selinux/targeted/tmp/modules/100/virt/cil
/usr/sbin/semodule:  Failed!
libsemanage.semanage_direct_install_info: Overriding docker module at lower priority 100 with module at priority 400.
  Installing : docker-forward-journald-1.10.3-31.el7.x86_64       18/21 
  Installing : docker-v1.10-migrator-1.10.3-31.el7.x86_64         19/21 

-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/docker-storage-setup

system_u:system_r:initrc_t:s0   root     10768  0.0  0.0 115244  1436 ?        Ss   04:22   0:00 /bin/sh -c /usr/bin/docker-current daemon            --authorization-plugin=rhel-push-plugin            --exec-opt native.cgroupdriver=systemd            $OPTIONS            $DOCKER_STORAGE_OPTIONS            $DOCKER_NETWORK_OPTIONS            $ADD_REGISTRY            $BLOCK_REGISTRY            $INSECURE_REGISTRY            2>&1 | /usr/bin/forward-journald -tag docker
system_u:system_r:initrc_t:s0   root     10770  9.5  2.3 506052 43940 ?        Sl   04:22   0:06  \_ /usr/bin/docker-current daemon --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald --add-registry registry.access.redhat.com
system_u:system_r:initrc_t:s0   root     11004  0.4  0.0  11776  1752 pts/2    Ss+  04:23   0:00  |   \_ bash
system_u:system_r:initrc_t:s0   root     10771  0.0  0.1 101728  2192 ?        Sl   04:22   0:00  \_ /usr/bin/forward-journald -tag docker

Expected results:

No error during rpm installation.

-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-storage-setup

system_u:system_r:initrc_t:s0   root     29904  0.0  0.0 115244  1432 ?        Ss   04:17   0:00 /bin/sh -c /usr/bin/docker-current daemon            --authorization-plugin=rhel-push-plugin            --exec-opt native.cgroupdriver=systemd            $OPTIONS            $DOCKER_STORAGE_OPTIONS            $DOCKER_NETWORK_OPTIONS            $ADD_REGISTRY            $BLOCK_REGISTRY            $INSECURE_REGISTRY            2>&1 | /usr/bin/forward-journald -tag docker
system_u:system_r:docker_t:s0   root     29906  0.0  1.6 493484 30896 ?        Sl   04:17   0:00  \_ /usr/bin/docker-current daemon --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald --add-registry registry.access.redhat.com
system_u:system_r:spc_t:s0      root     30077  4.0  0.0  11776  1836 pts/2    Ss+  04:30   0:00  |   \_ bash
system_u:system_r:initrc_t:s0   root     29907  0.0  0.2 101728  4152 ?        Sl   04:17   0:00  \_ /usr/bin/forward-journald -tag docker

Additional info:

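The two checks from the reproducer (step 2 and step 5), as an added script that is not part of the bug report: it parses "ls -laZ /usr/bin/docker*" and "ps axuwwfZ" output in the field layout quoted above and reports a docker binary not labelled docker_exec_t or a daemon running outside docker_t. The sample input is copied from the report's actual and expected results; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report: parse the "ls -laZ /usr/bin/docker*"
# and "ps axuwwfZ" output quoted above and flag the mislabelling it describes:
# docker binaries without docker_exec_t, and a daemon running outside docker_t.
# Print each /usr/bin/docker* entry of the given ls -Z output whose SELinux
# type (field 3 of the context) is not docker_exec_t.
bad_file_labels() {
    printf '%s\n' "$1" | while read -r _perm _user _group ctx path; do
        case "$path" in /usr/bin/docker*) ;; *) continue ;; esac
        setype=$(printf '%s' "$ctx" | cut -d: -f3)
        [ "$setype" = docker_exec_t ] || echo "  $path is $setype"
    done
}

# Print the daemon's pid and domain if it runs outside docker_t. The "/bin/sh -c"
# wrapper is skipped: the report's expected output has it in initrc_t too.
bad_daemon_domain() {
    printf '%s\n' "$1" |
      while read -r ctx _user pid _cpu _mem _vsz _rss _tty _stat _start _time cmd; do
        case "$cmd" in
            *"/bin/sh -c "*) continue ;;
            *"/usr/bin/docker-current daemon"*) ;;
            *) continue ;;
        esac
        setype=$(printf '%s' "$ctx" | cut -d: -f3)
        [ "$setype" = docker_t ] || echo "  pid $pid runs as $setype"
    done
}

# Return 1 (after listing offenders) when a check finds a problem.
check_file_labels() {
    bad=$(bad_file_labels "$1")
    [ -z "$bad" ] || { echo "mislabelled binaries:"; echo "$bad"; return 1; }
}
check_daemon_domain() {
    bad=$(bad_daemon_domain "$1")
    [ -z "$bad" ] || { echo "daemon in wrong domain:"; echo "$bad"; return 1; }
}

# Sample input taken from the report's "Actual results" (the broken install)...
ACTUAL_LS='-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-current'
ACTUAL_PS='system_u:system_r:initrc_t:s0 root 10768 0.0 0.0 115244 1436 ? Ss 04:22 0:00 /bin/sh -c /usr/bin/docker-current daemon $OPTIONS 2>&1 | /usr/bin/forward-journald -tag docker
system_u:system_r:initrc_t:s0 root 10770 9.5 2.3 506052 43940 ? Sl 04:22 0:06  \_ /usr/bin/docker-current daemon --selinux-enabled'
# ...and from its "Expected results" (a healthy system).
EXPECTED_LS='-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-current'
EXPECTED_PS='system_u:system_r:docker_t:s0 root 29906 0.0 1.6 493484 30896 ? Sl 04:17 0:00  \_ /usr/bin/docker-current daemon --selinux-enabled'
# Live use: check_file_labels "$(ls -laZ /usr/bin/docker*)" && check_daemon_domain "$(ps axuwwfZ)"
```

On a live host, both functions returning 0 after the fixed docker-selinux and selinux-policy are installed confirms the daemon got its docker_t transition back.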
Comment 2 Daniel Walsh 2016-06-14 13:18:54 UTC
We are going to need an updated docker-selinux to install on the 7.3 nightlies, since our policy has forward-ported fixes that will be going into the 7.3 selinux-policy package.

Comment 9 Daniel Walsh 2016-08-19 22:26:18 UTC
You need to have the latest selinux-policy in your updated package and an updated docker-selinux which I believe are available in the 7.3 streams now.

Comment 18 errata-xmlrpc 2016-11-04 09:08:41 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2634.html