Bug 1370935
| Summary: | docker-selinux broken in 7.3 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jeremy Eder <jeder> |
| Component: | docker | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.3 | CC: | dwalsh, gouyang, jhonce, jneedle, lsm5, lvrabec, mgrepl, mmarhefk, ncredi, sejug, walters, wmeng |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 09:09:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1375561 | ||
|
Comment 2
Daniel Walsh
2016-08-29 09:36:13 UTC
Reportedly fixed by https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=11693024 See also: https://atomic-e2e-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/rhelah-autobrew-7.3-treecompose/ I agree this is a blocker. The latest docker-selinux should have /usr/bin/docker* labeled as docker_exec_t. yum reinstall docker-selinux restorecon -v /usr/bin/docker* ls -lZ /usr/bin/docker* If they are all labeled docker_exec_t, then you should be able to systemctl restart docker Or docker-latest Now check the label on the docker process. ps -eZ | grep docker They should all be labeled docker_t. That only applies to non-AH. For AH we want Docker to work by default. If you look at https://atomic-e2e-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/rhelah-autobrew-7.3-treecompose/ The error is: 02:02:16 Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/200/docker/cil:168 02:02:16 /usr/sbin/semodule: Failed! Is /etc/selinux/targeted/tmp/modules/200/docker/cil still available? The question is what typeattribute is it blowing up over. The issue was on selinux-policy Should be fixed in selinux-policy-3.13.1-97.el7 Docker package should be a requires on this patch. @Colin, Indeed you're right, after docker reinstall issue resolved. Yes I just checked in a fix for this in docker-selinux. edbbfc9001fbf949e4fb98392c647cdd820f06fe fixes this issue. Seems selinux policy in RHEL now has a domain for k8s which defines this path. This policy is not present in Rawhide though. *** Bug 1373952 has been marked as a duplicate of this bug. *** C#19 is this bug. I would say. c#21 is somewhat covered here. https://bugzilla.redhat.com/show_bug.cgi?id=1373648 Ok, works with:
# atomic host status
State: idle
Deployments:
● rhelah-autobuild:rhel-atomic-host/7.3/x86_64/autobrew/buildmaster
Version: 7.3.internal.0.27 (2016-09-08 12:49:40)
Commit: ff03b46032f9e12b033b322b4f2e0841543f04178d955963a08a1b7e71412413
OSName: rhel-atomic-host
# rpm -q docker selinux-policy
docker-1.10.3-53.el7.x86_64
selinux-policy-3.13.1-97.el7.noarch
Woohoo Finally. VERIFIED with these versions: docker-1.10.3-53.el7.x86_64 docker-selinux-1.10.3-53.el7.x86_64 selinux-policy-3.13.1-98.el7.noarch Beaker job which works with atomic/docker executables: https://beaker.engineering.redhat.com/recipes/3085819#tasks Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2634.html |