Bug 1492113
| Summary: | Docker: SELinux relabeling issue for a local nfs volume | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sergio Lopez <slopezpa> |
| Component: | docker | Assignee: | Tom Sweeney <tsweeney> |
| Status: | CLOSED WONTFIX | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.4 | CC: | ajia, amurdaca, dornelas, dwalsh, lfriedma, lsm5, pasik, rhowe, slopezpa |
| Target Milestone: | rc | Keywords: | Extras, Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-28 20:35:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1186913, 1697833, 1720323 | | |
Description
Sergio Lopez
2017-09-15 13:38:16 UTC
Are you getting any AVC's with this. I know there was a fix for this that we have back ported for SELinux putting labels on directories that do not support labeling, but I am not sure if that is the case here.

Attempting to fix with https://github.com/projectatomic/docker/pull/343

Tom I believe this is fixed in the master code could you test with latest docker to see if it is still an issue.

Unless I messed up the test, or don't have the latest version, I'm still seeing the error and no AVC's. Lokesh can you verify I've the latest/greatest Docker bits please?

```
# cat /etc/*release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
# rpm -qa docker
docker-1.13.1-103.git7f2769b.el7.x86_64
# systemctl start docker
# docker volume create -d local --name nfstest --opt type=nfs --opt o=addr=derrick-nas.rhev.gsslab.rdu.redhat.com,rw,actimeo=0,sync --opt device=:/c/data1/docker
nfstest
# docker run --rm -ti -v nfstest:/mnt --name test rhel7
Unable to find image 'rhel7:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7 ...
latest: Pulling from registry.access.redhat.com/rhel7
cd9779fb83c9: Pull complete
0bc0fb725b14: Pull complete
Digest: sha256:3e3d9c2a8bbbdf35c3ac6a9f57c2148d03888c6cc6a17da9570f0b0d6484c42b
Status: Downloaded newer image for registry.access.redhat.com/rhel7:latest
/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/nfstest/_data is not allowed: "operation not supported".
See '/usr/bin/docker-current run --help'.
# rpm -q kernel container-selinux
kernel-3.10.0-957.12.2.el7.x86_64
kernel-3.10.0-957.21.2.el7.x86_64
kernel-3.10.0-1062.el7.x86_64
container-selinux-2.107-3.el7.noarch
# ausearch -m avc -ts recent
<no matches>
```

Basically wanted to make sure the version of docker had https://github.com/projectatomic/docker/pull/343

Tom could you look through the docker code and see if any other Relabel calls exists and maybe we add the ENOTSUP errors?

We've a number of calls like:

```
label.Relabel(secretsPath, container.MountLabel, false)
```

(Starting at: https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L114) in container/container_unix.go (most called from NetworkMounts() one from SecretMountRHEL()) that don't do any error checking.

In the CopyImagePathContent() function in this same file we ignore the error if it rises:

```
if err := label.Relabel(path, container.MountLabel, true); err != nil && err != unix.ENOTSUP {
    return err
}
```

(https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L199)

in daemon/create_unix.go we recheck again

```
if err := label.Relabel(v.Path(), container.MountLabel, true); err != nil && err != syscall.ENOTSUP {
    return err
}
```

(https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/daemon/create_unix.go#L55 I think you fixed this one up recently)

and then finally in daemon/graphdriver/btrfs/btrfs.go it's the last thing we do in the Create() function and it has no check:

```
return label.Relabel(path.Join(subvolumes, id), mountLabel, false)
```

(https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/daemon/graphdriver/btrfs/btrfs.go#L440)

Well it is not in the btrfs one.

Yeah, I'm thinking maybe in container/container_unix.go for this one: https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L487 I've just added error handling to it and am trying it.

Well that's the one that's failing, but I'm not sure if adding error handling fixes the issue. With it in place, I'm now seeing:

```
# docker run --rm -ti -v nfstest:/mnt --name test rhel7
Unable to find image 'rhel7:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7 ...
latest: Pulling from registry.access.redhat.com/rhel7
cd9779fb83c9: Pull complete
0bc0fb725b14: Pull complete
Digest: sha256:3e3d9c2a8bbbdf35c3ac6a9f57c2148d03888c6cc6a17da9570f0b0d6484c42b
Status: Downloaded newer image for registry.access.redhat.com/rhel7:latest
docker: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/nfstest/_data is not allowed: "operation not supported".
See 'docker run --help'.
```

Nope, I take that back, same error. Need to dig further.

The Red Hat Enterprise Linux 7 life cycle has entered Maintenance Support 1 Phase, which means that only qualified Critical and Important Security errata advisories (RHSAs) and some Urgent Priority Bug Fix errata advisories (RHBAs) will be released as they become available. Unfortunately, this issue was not selected to be included in Red Hat Enterprise Linux 7, because it is seen either as low or moderate impact to a small number of use-cases. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable. See the Red Hat Enterprise Linux Life Cycle for more details: https://access.redhat.com/support/policy/updates/errata/#Maintenance_Support_1_Phase
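The thread above turns on one pattern: a `label.Relabel` call must treat `ENOTSUP` (what an NFS mount without labeled-NFS support returns for `setxattr`) as "leave the volume unlabeled and carry on", while still refusing every other failure. The Go program below is an added example written for this page, not code from docker or from the Red Hat engineers in the thread. It assumes a constructed `FakeFS` stand-in for the host filesystem so that it runs without the SELinux helper library or a labeled filesystem; `RelabelIgnoringUnsupported`, `sharedLabel` and the path and label values are hypothetical names chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// relabelFunc has the shape of the label.Relabel(path, label, shared) call
// quoted in the thread; it is injected so the example runs without that
// library and without a real labeled filesystem.
type relabelFunc func(path, label string, shared bool) error

// RelabelIgnoringUnsupported mirrors the check quoted from daemon/create_unix.go:
// a filesystem that cannot store SELinux labels answers ENOTSUP, and that is
// treated as success instead of aborting the container start. errors.Is is used
// so an ENOTSUP wrapped in an *os.PathError is recognised as well as a bare
// syscall.Errno (hypothetical design choice for this example, not docker's).
func RelabelIgnoringUnsupported(relabel relabelFunc, path, label string, shared bool) error {
	err := relabel(path, label, shared)
	switch {
	case err == nil:
		return nil
	case errors.Is(err, syscall.ENOTSUP):
		return nil // volume stays unlabeled; the daemon continues
	default:
		return fmt.Errorf("SELinux relabeling of %s is not allowed: %w", path, err)
	}
}

// sharedLabel reproduces the effect of shared=true: the MCS level of a
// user:role:type:level label is reset to s0 so several containers can share it.
func sharedLabel(label string) string {
	parts := strings.SplitN(label, ":", 4)
	if len(parts) == 4 {
		parts[3] = "s0"
	}
	return strings.Join(parts, ":")
}

// FakeFS is a constructed stand-in for the host: each path maps to the type of
// filesystem backing it, and Labels records the label that was applied.
type FakeFS struct {
	FSType map[string]string
	Labels map[string]string
}

func NewFakeFS(fstype map[string]string) *FakeFS {
	return &FakeFS{FSType: fstype, Labels: map[string]string{}}
}

// Relabel answers the way setxattr would on each kind of filesystem:
// xattr-capable filesystems accept the label, NFS answers ENOTSUP, an unknown
// path answers ENOENT, and anything else is modelled as a read-only mount.
func (f *FakeFS) Relabel(path, label string, shared bool) error {
	if shared {
		label = sharedLabel(label)
	}
	switch f.FSType[path] {
	case "xfs", "ext4", "btrfs":
		f.Labels[path] = label
		return nil
	case "nfs":
		return &os.PathError{Op: "setxattr", Path: path, Err: syscall.ENOTSUP}
	case "":
		return &os.PathError{Op: "lstat", Path: path, Err: syscall.ENOENT}
	default:
		return &os.PathError{Op: "setxattr", Path: path, Err: syscall.EROFS}
	}
}

func main() {
	// Constructed layout: one local volume on xfs, one NFS volume, one missing path.
	fs := NewFakeFS(map[string]string{
		"/var/lib/docker/volumes/local/_data":   "xfs",
		"/var/lib/docker/volumes/nfstest/_data": "nfs",
	})
	mountLabel := "system_u:object_r:container_file_t:s0:c123,c456"
	for _, p := range []string{
		"/var/lib/docker/volumes/local/_data",
		"/var/lib/docker/volumes/nfstest/_data",
		"/var/lib/docker/volumes/missing/_data",
	} {
		if err := RelabelIgnoringUnsupported(fs.Relabel, p, mountLabel, true); err != nil {
			fmt.Println("refused:", err)
			continue
		}
		fmt.Printf("ok: %s label=%q\n", p, fs.Labels[p])
	}
}
```

Running it shows the xfs volume relabeled to the shared `s0` level, the NFS volume accepted with no label recorded, and the missing path refused with the wrapped `ENOENT`. The comparison `err != syscall.ENOTSUP` quoted in the thread only matches a bare `Errno`; when a caller wraps the error (as `os` functions do with `*os.PathError`), `errors.Is` is what keeps the ENOTSUP tolerance working.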