Bug 1412803
| Summary: | SELinux AVC when starting OCP container | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Marko Myllynen <myllynen> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | amurdaca, brubisch, jswensso, lsm5, pasik |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-04-07 12:15:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1420851 | ||
Our latest docker is docker-1.12.5-14.el7 (In reply to Daniel Walsh from comment #1) > Our latest docker is docker-1.12.5-14.el7 On our public RHEL channels we have: docker-1.10.3-59.el7.x86_64 docker-latest-1.12.3-10.el7.x86_64 The docker-latest package provides docker-latest service and configuration files but OCP packages have dependencies to the docker (not docker-latest) package and they use the docker service and configurations (not docker-latest). Thanks. I'm happy to confirm docker 1.12.5-14 (to be officially released in few days) fixes this issue. I filed two other BZs on remotely related lower impact issues: https://bugzilla.redhat.com/show_bug.cgi?id=1413535 https://bugzilla.redhat.com/show_bug.cgi?id=1413536 Thanks. This issue is fixed in current releases, closing. Thanks. container-selinux-2.9-4.el7.noarch docker-1.12.6-11.el7.x86_64 selinux-policy-3.13.1-102.el7_3.16.noarch |
Description of problem: With latest RHEL 7.3 / OCP 3.3 as of 2017-01-12 OCP deployment fails, I'm seeing the following when e.g. docker-registry-1-deploy / router-1-deploy pods are in ContainerCreating state during OCP deployment: [root@infra01 ~]# rpm -q selinux-policy docker docker-selinux container-selinux selinux-policy-3.13.1-102.el7_3.7.noarch docker-1.10.3-59.el7.x86_64 package docker-selinux is not installed container-selinux-1.10.3-59.el7.x86_64 [root@infra01 ~]# grep denied /var/log/audit/audit.log | head -n 1 type=AVC msg=audit(1484251796.227:1917): avc: denied { transition } for pid=15134 comm="exe" path="/usr/bin/pod" dev="dm-4" ino=2104360 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c0,c5 tclass=process [root@infra01 ~]# grep -c denied /var/log/audit/audit.log 93 If SELinux is in Permissive, things works as expected. Thanks.