Bug 1413239
| Summary: | docker run fails when attempting to run container with SELinux spc_t type | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sam Ghods <ceptorial> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | amurdaca, lsm5, stwalter |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-06-30 15:08:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Sam Ghods
2017-01-14 01:33:48 UTC
Are you seeing AVC's? There was a bug in container-selinux which was causing this issue, I believe that this will be fixed in the next release. Yes, from audit.log:
node=compute-node10 type=AVC msg=audit(1484951512.650:2130331): avc: denied { entrypoint } for pid=25701 comm="exe" path="/bin/bash" dev="dm-20" ino=4194817 scontext=system_u:system_r:spc_t:s0:c567,c997 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c567,c997 tclass=file
Does it look like the issue? Any estimate on when the next container-selinux release will be out?
It was released last week with docker-1.12 Cool, thank you! Will there be a patch for 1.10? The updated container-selinux package should fix it for docker-1.10, but I am not sure you can install only this without updating docker. The current packages I see in the CentOS extras repo is: container-selinux-1.10.3-59.el7.centos.x86_64.rpm 15-Dec-2016 container-selinux-1.12.5-14.el7.centos.x86_64.rpm 23-Jan-2017 docker-1.10.3-59.el7.centos.x86_64.rpm 15-Dec-2016 docker-1.12.5-14.el7.centos.x86_64.rpm 23-Jan-2017 So I wonder if container-selinux-1.10.3 will have another release with this fix? Or do I have to go all the way to 1.12 to get it? I ask because the upgrade to 1.12 for us is rather disruptive and will take a few weeks of internal testing, but I can do the 1.10 upgrade much more easily. container-selinux should be agnostic to the docker release. We are splitting up the packages so that container-selinux will have a different life then docker. Bottom line, you should be able to run docker-1.10 with a container-selinux-1.12, unless the RPMs screw it up. I have a customer I believe may be hitting this, but is slightly inconsistent with what I've read in this bug. docker-1.10.3-59.el7.x86_64 They hit the issue even after installing container-selinux-1.12.5: yum swap -y -- install container-selinux-1.12.5 -- remove container-selinux-2.9 then we have rebooted the server but we still have the issue : [root@master2 ~]# dmesg -T|grep -i super [jeu. mars 23 08:48:44 2017] SELinux: Setting up existing superblocks. [jeu. mars 23 08:49:22 2017] SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue) [jeu. mars 23 08:49:23 2017] SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue) Am I hitting this bug or is this something different, do you think? Those are just warnings and can be ignored, eventually there will be an updated kernel with support for labeling on /dev/mqueue. Do the containers work in enforcing mode? In my case they do seem to work in enforcing mode. |