Bug 1416896

Summary: container-selinux not properly setting labels on /usr/bin/docker*
Product: Red Hat Enterprise Linux 7
Reporter: Jake Hunsaker <jhunsaker>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Priority: medium
Version: 7.3
CC: agross, amurdaca, bbreard, brubisch, dwalsh, jamills, lfriedma, lsm5
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-05-31 15:36:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1186913, 1399379, 1422984
Attachments:
- Patch to fix installation order of container selinux packages. (flags: none)

Description Jake Hunsaker 2017-01-26 17:44:33 UTC
Description of problem:

CEE-SD now has two reports of container-selinux not properly setting the selinux labels for docker. 

In the first, trying to run a container results in the following

------8<-----------
panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
        panic: standard_init_linux.go:178: exec user process caused "permission denied"
------8<-----------
In the second, the customer reports two items:

------8<-----------
1. I installed Linux into a partition using --root option on the rpm command. When I subsequently booted on that image, when I tried to log in, it would say No shell -- permission denied. If I omitted the container-selinux package (and the docker package that requires it) then I was able to log in with no issues.

2. If I try to install docker-client and docker-common packages without first installing container-selinux, the installation would report errors from SELinux. If the container-selinux package was installed first, then the errors would go away. So that implies that the docker-client and docker-common packages have a dependency on container-selinux which is not properly declared.
------8<-----------
Version-Release number of selected component (if applicable):
RHEL 7.3 with container-selinux-1.12.5-14.el7.x86_64 and docker-1.12.5-14.el7.x86_64 

How reproducible:
Always on a fresh installation

Steps to Reproduce:
1. Install docker-1.12.5 (or docker-latest) with container-selinux

Actual results:
User gets permission denied when trying to run a container

Expected results:
container-selinux should set the correct labels on installation so that containers can be run normally

Additional info:
Manually setting either docker_exec_t or container_runtime_exec_t on /usr/bin/docker* resolves this
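An added check, not part of the bug report, for spotting the symptom described above: it reads `ls -Z` output for the docker binaries and prints any whose SELinux type is neither docker_exec_t nor container_runtime_exec_t. The sample input is constructed; on a real host pipe `ls -Z /usr/bin/docker*` into `find_mislabeled`.

```shell
#!/bin/sh
# Added example, not part of the bug report: flag docker binaries whose
# SELinux type is not one of the exec types the report names as working.
# Input: `ls -Z`-style lines (RHEL 7 form "mode owner group context path"
# or newer coreutils form "context path"); output: mislabeled paths.

# docker_exec_t is the older policy name, container_runtime_exec_t the
# name used by container-selinux 2.x; either lets `docker run` proceed.
EXPECTED_TYPES="docker_exec_t container_runtime_exec_t"

# Exit 0 if $1 is an accepted type, 1 otherwise.
is_expected_type() {
    for t in $EXPECTED_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Read `ls -Z` lines on stdin; print each path whose type is wrong.
# Returns 1 if any mislabeled file was seen, 0 if all are fine.
find_mislabeled() {
    found=0
    while read -r line; do
        [ -n "$line" ] || continue
        path=${line##* }              # the path is the last field
        ctx=""
        for f in $line; do            # the context is the user:role:type:level field
            case $f in *:*:*:*) ctx=$f ;; esac
        done
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        if ! is_expected_type "$type"; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    return $found
}

# Constructed sample of `ls -Z /usr/bin/docker*` on an affected host:
# docker-current was unpacked before container-selinux, so it kept bin_t.
SAMPLE='-rwxr-xr-x. root root system_u:object_r:container_runtime_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-latest'

# Run the check over the sample; on a real host pipe `ls -Z /usr/bin/docker*`
# into find_mislabeled instead.
check_sample() {
    printf '%s\n' "$SAMPLE" | find_mislabeled
}
```

Once container-selinux is installed, `restorecon -v /usr/bin/docker*` reapplies the policy's file contexts to anything the check flags; `chcon -t container_runtime_exec_t /usr/bin/docker*` is the manual relabel the report mentions.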

Comment 1 Daniel Walsh 2017-01-26 20:48:33 UTC
What error are you seeing when you install the container-selinux package?

Comment 2 Jake Hunsaker 2017-01-26 21:10:00 UTC
I asked the customer for a bit of clarification on that point, here's what they said:

------8<-----------

Basically, I am creating a file system in a partition on a second disk, bind mounting in /proc, /dev/, /sys, and /sys/fs/selinux and then installing rpms into it using --root. When it gets to docker-common, I get errors:

  error: unpacking of archive failed: cpio: lsetfilecon failed - Invalid argument
  error: docker-common-2:1.12.5-14.el7.x86_64: install failed

and on docker-client:

  error: unpacking of archive failed on file /usr/bin/docker-current;588a4135: cpio: lsetfilecon failed - Invalid argument
  error: docker-client-2:1.12.5-14.el7.x86_64: install failed

This is what I have been calling symptom #2, so that still exists. Note that the machine I am installing from has the same versions of container-selinux (1.12.5-14.el7) and selinux-policy-targeted (3.13.1-102.el7_3.13) installed as I am trying to install inside the --root. I have container-selinux listed in the same rpm -i command as the docker packages, but because docker-common and docker-client do not declare that they require it, the rpm command chose to install it after them. If I explicitly force container-selinux to be installed first, by doing a separate rpm -i command just for it, then the lsetfilecon errors go away. So that implies to me that those two packages have some subtle interaction or dependency on the container-selinux command which is not declared, and only shows up during a --root style installation.

------8<-----------

Comment 4 Daniel Walsh 2017-01-28 09:12:16 UTC
Yes, this looks like docker-client does not require container-selinux to be installed first.

It should have container-selinux in its pre. Probably happened with the break out of docker-client from docker.

Comment 5 Daniel Walsh 2017-01-28 09:13:03 UTC
Created attachment 1245352 [details]
Patch to fix installation order of container selinux packages.

Comment 7 Daniel Walsh 2017-03-06 13:05:25 UTC
Yes, this should be fixed.

container-selinux-2.9-4.el7