| Summary: | docker-containerd.service is running as unlabeled_t | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 25 | CC: | adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, nalin, riek, vbatts |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-16 12:35:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:
The service docker-containerd.service is running with a wrong SELinux context and therefore docker.service cannot be started.

Version-Release number of selected component (if applicable):
```
sh# rpm -q docker docker-selinux selinux-policy
docker-1.12.1-12.git9a3752d.fc25.x86_64
docker-selinux-1.12.1-12.git9a3752d.fc25.x86_64
selinux-policy-3.13.1-214.fc25.noarch
```

How reproducible:
Deterministic

Steps to Reproduce:
1. systemctl start docker.service

Actual results:
```
sh# systemctl start docker.service
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
sh# echo $?
1
```

Expected results:
docker service is properly started without any AVCs

Additional info:
```
sh# systemctl start docker-containerd.service
sh# systemctl status docker-containerd.service
● docker-containerd.service - Containerd Standalone OCI Container Daemon
   Loaded: loaded (/usr/lib/systemd/system/docker-containerd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-09-16 10:10:36 CEST; 14s ago
     Docs: https://containerd.tools/
 Main PID: 9302 (docker-containe)
    Tasks: 26 (limit: 8192)
   CGroup: /system.slice/docker-containerd.service
           ├─3891 /usr/libexec/docker/docker-containerd --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim
           └─9302 /usr/libexec/docker/docker-containerd --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim

Sep 16 10:10:36 host.example.com systemd[1]: Started Containerd Standalone OCI Container Daemon.
Sep 16 10:10:36 host.example.com docker-containerd[9302]: time="2016-09-16T10:10:36.174171281+02:00" level=warning msg="containerd: low RLIMIT_NOFILE changing to max" current=1024

sh# ps auxfZ | grep docke[r]
system_u:object_r:unlabeled_t:s0 root 3891 0.0 0.0 677780 6456 ? Ssl Sep11 0:11 /usr/libexec/docker/docker-containerd --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim
system_u:object_r:unlabeled_t:s0 root 29536 0.0 0.2 1009660 41760 ? Ssl Sep14 0:35 dockerd --add-runtime oci=/usr/libexec/docker/docker-runc --default-runtime=oci --containerd /run/containerd.sock --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald -s btrfs --insecure-registry brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888
system_u:system_r:unconfined_service_t:s0 root 9302 0.0 0.0 279600 7612 ? Ssl 10:10 0:00 /usr/libexec/docker/docker-containerd --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim
```

Comment 1:
It works well with the older version:
```
sh# rpm -q docker docker-selinux
docker-1.12.1-11.git9a3752d.fc25.x86_64
docker-selinux-1.12.1-11.git9a3752d.fc25.x86_64
sh# ps auxfZ | grep docke[r]
system_u:system_r:docker_t:s0 root 10228 0.0 0.0 354996 8192 ? Ssl 10:26 0:00 /usr/libexec/docker/docker-containerd --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim
system_u:system_r:docker_t:s0 root 10261 0.2 0.2 657456 34112 ? Ssl 10:26 0:00 dockerd --add-runtime oci=/usr/libexec/docker/docker-runc --default-runtime=oci --containerd /run/containerd.sock --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald -s btrfs
```

It is the second time in the docker 1.12 Fedora lifetime that docker-related services are running with a wrong SELinux context; see BZ1363775. One would say it would be time to run tests before pushing a broken package to updates-testing. I know you cannot cover all use cases, but docker has to work with SELinux enabled.

Comment 2 (Daniel Walsh):
Running with unlabeled_t means that the service was running and then for some reason the process label became invalid. If you restart the service, does the service run with a correct label?

Comment 3:
(In reply to Daniel Walsh from comment #2)
> Running with unlabeled_t means that the service was running and then for
> some reason the process label became invalid.

I recently updated more packages (including docker* and selinux-policy*). Do you have an idea what could cause such a broken state?

> If you restart the service
> does the service run with a correct label?

Thank you very much for the fast reply. It works for me after upgrading back to 1.12.1-12 and restarting docker-containerd.service and docker.service.

Comment 4:
I am not sure, but I know there were some bad docker-selinux/selinux-policy differences which were causing docker-selinux to fail to install. Perhaps this somehow caused the docker.pp to not be installed, making the docker-current process invalid.

Comment 5:
OK, feel free to close the ticket if you think nobody else can hit this bug. I do not plan to reproduce it.
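The condition diagnosed in comment #2 (a long-running daemon left in unlabeled_t or unconfined_service_t after a policy or docker-selinux update replaced its domain) is easy to miss until docker.service fails to start, so it is worth checking after every such update. The script below is an added example, not code from the bug report or from the docker package: it reads `ps -eo label,pid,comm` style lines and flags docker processes whose type is not the expected docker_t, run here on a constructed sample modelled on the report's ps listing.

```shell
#!/bin/sh
# Added example (not from the bug report): flag docker/containerd processes
# whose SELinux process domain is not the expected one (docker_t on this
# Fedora 25 host). It automates the check the reporter ran by hand with
# `ps auxfZ | grep docke[r]`, reading `ps -eo label,pid,comm` lines from
# stdin so it can be exercised offline on the constructed sample below.

# Usage: find_mislabeled EXPECTED_TYPE < ps_output
# Prints "PID TYPE COMMAND" for every docker-related process whose type
# (third colon-separated component of the context) differs from EXPECTED_TYPE.
find_mislabeled() {
    expected="$1"
    awk -v want="$expected" '
        # Columns: label pid comm (as printed by ps -eo label,pid,comm).
        # comm is truncated to 15 chars, hence "docker-containe" in reports.
        $3 ~ /^docker/ {
            split($1, ctx, ":")        # user:role:type:level
            if (ctx[3] != want)
                print $2, ctx[3], $3
        }'
}

# Constructed sample modelled on the listing in the report: two stale
# processes started before the update carry unlabeled_t, the freshly started
# containerd landed in unconfined_service_t, one process is correctly
# docker_t, and an unrelated systemd line must be ignored.
SAMPLE_PS='system_u:object_r:unlabeled_t:s0 3891 docker-containe
system_u:object_r:unlabeled_t:s0 29536 dockerd
system_u:system_r:unconfined_service_t:s0 9302 docker-containe
system_u:system_r:docker_t:s0 10228 docker-containe
system_u:system_r:init_t:s0 1 systemd'

# Runs the check over the sample; returns the offending lines on stdout.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_mislabeled docker_t
}

# On a live host: ps -eo label,pid,comm | find_mislabeled docker_t
# Any output means the affected units need a restart (as in comment #3)
# once the correct policy module is actually installed.
check_sample
```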