Bug 1378665

Summary:	docker: Error response from daemon: Container command could not be invoked
Product:	Red Hat Enterprise Linux 7	Reporter:	Alex Jia <ajia>
Component:	docker	Assignee:	Daniel Walsh <dwalsh>
Status:	CLOSED WONTFIX	QA Contact:	atomic-bugs <atomic-bugs>
Severity:	high	Docs Contact:
Priority:	high
Version:	7.3	CC:	amurdaca, atomic-qe, cevich, dwalsh, lsm5, lvrabec, mmalik, plautrba, pvrabec, ssekidde
Target Milestone:	rc	Keywords:	Extras, Regression
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-12-15 07:46:23 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Alex Jia 2016-09-23 03:00:05 UTC

Description of problem:
The SELinux blocks docker container running and run any command, 


Version-Release number of selected component (if applicable):

[cloud-user@atomic-host-001 ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Atomic Host release 7.3

[cloud-user@atomic-host-001 ~]$ atomic host status
State: idle
Deployments:
● Atomic-7.3-tree-20160915.0:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-09-20 14:44:34)
        Commit: 561537dc289445087debf17eb398f6190fb0674930fa04789d0844463b64c5e5
        OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-09-12 16:11:28)
        Commit: 1dea52b87ab6f4865fd5ceaa990ea436f912e9ec4af5e126c6890e1b8666d85a
        OSName: rhel-atomic-host

[cloud-user@atomic-host-001 ~]$ rpm -qa|grep selinux
selinux-policy-targeted-3.13.1-99.el7.noarch
libselinux-python-2.5-6.el7.x86_64
libselinux-2.5-6.el7.x86_64
docker-selinux-1.10.3-46.el7.14.x86_64
selinux-policy-3.13.1-99.el7.noarch
libselinux-utils-2.5-6.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1. make sure SELinux is enforcing mode
2. docker run -it busybox


Actual results:

[cloud-user@atomic-host-001 ~]$ getenforce
Enforcing

[cloud-user@atomic-host-001 ~]$ sudo docker run -it busybox
Unable to find image 'busybox:latest' locally
Trying to pull repository registry.access.redhat.com/busybox ... 
unknown: Not Found
Trying to pull repository docker.io/library/busybox ... 
latest: Pulling from docker.io/library/busybox
8ddc19f16526: Pull complete 
Digest: sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
Status: Downloaded newer image for docker.io/busybox:latest
permission denied
docker: Error response from daemon: Container command could not be invoked..


Expected results:


Additional info:

The same issue is on selinux-policy-3.13.1-100.el7.noarch.

<audit_log>

type=AVC msg=audit(1474599538.637:305248): avc:  denied  { transition } for  pid=63939 comm="exe" path="/bin/sh" dev="dm-4" ino=8388865 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c7,c909 tclass=process

</audit_log>

Comment 1 Alex Jia 2016-09-23 03:20:02 UTC

[cloud-user@atomic-host-001 ~]$ sudo atomic host unlock
Development mode enabled.  A writable overlayfs is now mounted on /usr.
All changes there will be discarded on reboot.

[cloud-user@atomic-host-001 ~]$ atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-09-20 14:44:34)
        Commit: 561537dc289445087debf17eb398f6190fb0674930fa04789d0844463b64c5e5
        OSName: rhel-atomic-host
      Unlocked: development

[cloud-user@atomic-host-001 ~]$ ls
selinux-policy-3.13.1-100.el7.noarch.rpm  selinux-policy-targeted-3.13.1-100.el7.noarch.rpm

[cloud-user@atomic-host-001 ~]$ sudo rpm -Uvh selinux-policy-*
Preparing...                          ################################# [100%]
Updating / installing...
   1:selinux-policy-3.13.1-100.el7    ################################# [ 25%]
   2:selinux-policy-targeted-3.13.1-10################################# [ 50%]
Cleaning up / removing...
   3:selinux-policy-targeted-3.13.1-99################################# [ 75%]
   4:selinux-policy-3.13.1-99.el7     ################################# [100%]

[cloud-user@atomic-host-001 ~]$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/busybox   latest              2b8fd9751c4c        3 months ago        1.093 MB

[cloud-user@atomic-host-001 ~]$ sudo docker run -it busybox
permission denied
docker: Error response from daemon: Container command could not be invoked..

Comment 4 Lukas Vrabec 2016-09-23 13:14:37 UTC

This domain is maintained by docker team.  Switching component to docker. 

Anyway, 
Could attach output of: 
# ps -efZ | grep unconfined_service_t 

Thanks.

Comment 5 Daniel Walsh 2016-09-23 16:02:10 UTC

You need to move to the latest docker and selinux-policy packages available for 7.3.

docker-1.10.3-55.el7
selinux-policy-3.13.1-100.el7

Comment 10 RHEL Program Management 2020-12-15 07:46:23 UTC

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.