Bug 1419120
| Field | Value |
|---|---|
| Summary | Cannot create container with no-new-privileges |
| Product | Fedora |
| Component | docker |
| Version | rawhide |
| Status | CLOSED RAWHIDE |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Lukas Slebodnik <lslebodn> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, nalin, riek, vbatts |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2017-02-10 22:19:00 UTC |
Description
Lukas Slebodnik
2017-02-03 15:51:22 UTC
Works for me.

```
docker run -ti --security-opt=no-new-privileges --name test fedora:25 bash
Unable to find image 'fedora:25' locally
Trying to pull repository atomic-registry.usersys.redhat.com:500/fedora ...
Trying to pull repository docker.io/library/fedora ...
sha256:a99209cbb485b98d17b47be2bf990a7fbd63b4d3fa61395a313308d99a326930: Pulling from docker.io/library/fedora
0fc456f626d7: Pull complete
Digest: sha256:a99209cbb485b98d17b47be2bf990a7fbd63b4d3fa61395a313308d99a326930
Status: Downloaded newer image for docker.io/fedora:25
[root@e7614e3c8bc8 /]# id
uid=0(root) gid=0(root) groups=0(root)
[root@e7614e3c8bc8 /]# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
[root@e7614e3c8bc8 /]# exit
sh-4.4# getenforce
Enforcing
```

```
# rpm -q docker container-selinux selinux-policy
docker-1.12.6-17.git037a2f5.fc26.x86_64
container-selinux-2.5-1.fc26.noarch
selinux-policy-3.13.1-235.fc26.noarch
# ps -eZ | grep docker
system_u:system_r:container_runtime_t:s0  1132 ?        00:00:00 docker-containe
system_u:system_r:container_runtime_t:s0 21631 ?        00:00:05 dockerd-current
```

Any AVCs?

```
ausearch -m avc -ts recent
```

(In reply to Daniel Walsh from comment #2)
> Any AVCs?
>
> ausearch -m avc -ts recent

NO, the same problem is in permissive mode.

Created attachment 1247707 [details]
journald output

Attached is journald output related to creating container.
I enabled --debug for docker.service docker-containerd.service
Hope it helps
You are using a BTRFS back end which could be the problem. I doubt anyone has tested this with anything other than devicemapper or overlay2.

Does it work if you run with --security-opt label:disable

I am thinking this has something to do with SELinux labels trying to be assigned somewhere but not being allowed. But if everything works without --no-new-privs?

(In reply to Daniel Walsh from comment #6)
> Does it work if you run with --security-opt label:disable
>

It works, and it also works with SELinux type docker_t or container_runtime_t

```
docker run -ti --security-opt=label:type:docker_t \
    --security-opt=no-new-privileges --rm fedora:25 bash
```

The only problem is with default container_t

docker_t is a very privileged domain, container_t is a less privileged domain.

I have built container-selinux-2.6-1.fc26, could you try this with that package. I will push it to replace the update. I think it will fix your issue.

I saw the following error when upgrading to 2.7-1

```
[root@host ~]# dnf update https://kojipkgs.fedoraproject.org//packages/container-selinux/2.7/1.fc26/noarch/container-selinux-2.7-1.fc26.noarch.rpm
Last metadata expiration check: 1:49:34 ago on Tue Feb 07 16:40:10 2017 CET.
Dependencies resolved.
================================================================================
 Package                 Arch      Version           Repository           Size
================================================================================
Upgrading:
 container-selinux       noarch    2:2.7-1.fc26      @commandline         29 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 29 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : container-selinux-2:2.7-1.fc26.noarch                     1/2
Child type container_t exceeds bounds of parent container_runtime_t
(allow container_t container_t (capability2 (mac_override mac_admin)))
<root>
booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2721
true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2722
allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2723
(allow container_t self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read epolwakeup)))
(allow container_t container_t (capability (sys_module)))
<root>
booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2721
true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2722
allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2724
(allow container_t self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
Failed to generate binary
/usr/sbin/semodule:  Failed!
  Cleanup     : container-selinux-2:2.5-1.fc26.noarch                     2/2
  Verifying   : container-selinux-2:2.7-1.fc26.noarch                     1/2
  Verifying   : container-selinux-2:2.5-1.fc26.noarch                     2/2

Upgraded:
  container-selinux.noarch 2:2.7-1.fc26

Complete!
```

So I am not sure that policy was applied. But it did not help.

It was not applied.

Modify expand-check in /etc/selinux/semanage.conf to expand-check=0

And then reinstall container-selinux

This should stop that error.

The problem is in the selinux-policy package in Rawhide. I have opened a pull request to fix this.

https://github.com/fedora-selinux/selinux-policy/pull/187

Works well with container-selinux-2:2.8-1.fc26.noarch. Thank you.
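The "Child type container_t exceeds bounds of parent container_runtime_t" failure above comes from the SELinux typebounds check: every permission a bounded child domain holds must also be held by its parent. The script below is an added illustration, not code from the bug report or from container-selinux; it parses the CIL allow rules in the form semodule printed and reports the child's excess permissions. The parent rule set is a constructed sample, not the real container_runtime_t policy.

```python
import re
from collections import defaultdict

# Matches the CIL rule form the semodule error prints:
# (allow <src> <tgt> (<class> (<perm> <perm> ...)))
ALLOW_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^)]*)\)\)\)")


def parse_cil_allows(text):
    """Return (source, target, class, frozenset(perms)) tuples found in text."""
    return [(src, tgt, cls, frozenset(perms.split()))
            for src, tgt, cls, perms in ALLOW_RE.findall(text)]


def granted(rules, domain):
    """Map (target, class) -> perms for one source domain; 'self' is resolved
    to the domain so '... self ...' and '... container_t ...' rules merge."""
    out = defaultdict(set)
    for src, tgt, cls, perms in rules:
        if src == domain:
            out[(domain if tgt == "self" else tgt, cls)] |= perms
    return out


def typebounds_violations(rules, parent, child):
    """Permissions the bounded child holds that the parent does not.
    A child rule targeting itself is compared with the parent's rule on
    itself (self is relative to each domain); other targets compare as-is.
    An empty result means the typebounds would load cleanly."""
    p, c = granted(rules, parent), granted(rules, child)
    violations = {}
    for (tgt, cls), perms in c.items():
        missing = perms - p.get((parent if tgt == child else tgt, cls), set())
        if missing:
            violations[(tgt, cls)] = sorted(missing)
    return violations


# Constructed sample: hypothetical parent rules; the child rules echo the two
# rules the failed container-selinux-2.7 upgrade reported as out of bounds.
SAMPLE = """
(allow container_runtime_t self (capability (chown dac_override kill setuid setgid sys_admin)))
(allow container_runtime_t self (capability2 (syslog)))
(allow container_t self (capability2 (mac_override mac_admin syslog)))
(allow container_t container_t (capability (sys_module)))
(allow container_t self (capability (chown dac_override kill setuid setgid sys_admin)))
"""

if __name__ == "__main__":
    rules = parse_cil_allows(SAMPLE)
    for key, perms in typebounds_violations(rules, "container_runtime_t", "container_t").items():
        print("child exceeds parent on", key, "by", perms)
```

Running it against real policy means feeding it the CIL for both domains (for example from /var/lib/selinux/targeted/tmp/modules as quoted in the error), which is what the expand-check=0 workaround skips rather than fixes.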