Bug 1492113

Summary: Docker: SELinux relabeling issue for a local nfs volume
Product: Red Hat Enterprise Linux 7
Reporter: Sergio Lopez <slopezpa>
Component: docker
Assignee: Tom Sweeney <tsweeney>
Status: CLOSED WONTFIX
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Priority: medium
Version: 7.4
CC: ajia, amurdaca, dornelas, dwalsh, lfriedma, lsm5, pasik, rhowe, slopezpa
Target Milestone: rc
Keywords: Extras, Regression
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2020-02-28 20:35:05 UTC
Type: Bug
Bug Blocks: 1186913, 1697833, 1720323

Description Sergio Lopez 2017-09-15 13:38:16 UTC
Description of problem:

With the latest update of docker (rhel7 extra repo), we encounter a bug with nfs volumes (local driver).


Version-Release number of selected component (if applicable):
 docker-1.12.6-28.git1398f24.el7.x86_64
 

How reproducible:
Fully reproducible

Steps to Reproduce:

1. docker volume create -d local --name xxx --opt type=nfs --opt o=addr=xxxx,rw,actimeo=0,sync --opt device=</path/to/dir> 

2. docker run --rm -ti -v xxx:xxx --name <container name> <image name> /bin/bash 


Actual results:

/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/xxxx/_data is not allowed: "operation not supported".


Expected results:

Container should have been created with successful nfs mount.

Additional info:

There is a similar upstream issue which contains the workaround for the issue.
https://github.com/moby/moby/issues/31255

Workaround :

Run the 2nd command as 
docker run --rm -ti -v xxx:xxx:nocopy --name <container name> <image name> /bin/bash

Comment 2 Daniel Walsh 2017-09-15 13:40:23 UTC
Are you getting any AVCs with this? I know there was a fix for this that we have back ported for SELinux putting labels on directories that do not support labeling, but I am not sure if that is the case here.

Comment 12 Daniel Walsh 2019-06-12 07:09:12 UTC
Attempting to fix with https://github.com/projectatomic/docker/pull/343

Comment 16 Daniel Walsh 2019-08-13 12:12:51 UTC
Tom I believe this is fixed in the master code could you test with latest docker to see if it is still an issue.

Comment 17 Tom Sweeney 2019-08-13 13:50:27 UTC
Unless I messed up the test, or don't have the latest version, I'm still seeing the error and no AVCs. Lokesh, can you verify I've the latest/greatest Docker bits please?

# cat /etc/*release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
 
# rpm -qa docker
docker-1.13.1-103.git7f2769b.el7.x86_64

# systemctl start docker

# docker volume create -d local --name nfstest --opt type=nfs --opt o=addr=derrick-nas.rhev.gsslab.rdu.redhat.com,rw,actimeo=0,sync --opt device=:/c/data1/docker
nfstest

# docker run --rm -ti -v nfstest:/mnt --name test rhel7 
Unable to find image 'rhel7:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7 ... 
latest: Pulling from registry.access.redhat.com/rhel7
cd9779fb83c9: Pull complete 
0bc0fb725b14: Pull complete 
Digest: sha256:3e3d9c2a8bbbdf35c3ac6a9f57c2148d03888c6cc6a17da9570f0b0d6484c42b
Status: Downloaded newer image for registry.access.redhat.com/rhel7:latest
/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/nfstest/_data is not allowed: "operation not supported".
See '/usr/bin/docker-current run --help'.

# rpm -q kernel container-selinux
kernel-3.10.0-957.12.2.el7.x86_64
kernel-3.10.0-957.21.2.el7.x86_64
kernel-3.10.0-1062.el7.x86_64
container-selinux-2.107-3.el7.noarch

# ausearch -m avc -ts recent
<no matches>

Comment 19 Daniel Walsh 2019-08-13 14:54:32 UTC
Basically wanted to make sure the version of docker had https://github.com/projectatomic/docker/pull/343

Comment 20 Daniel Walsh 2019-08-13 14:55:44 UTC
Tom, could you look through the docker code and see if any other Relabel calls exist, and maybe we add the ENOTSUP errors?

Comment 21 Tom Sweeney 2019-08-13 15:44:47 UTC
We've a number of calls like:  

        label.Relabel(secretsPath, container.MountLabel, false)
  (Starting at: https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L114)

in container/container_unix.go (most called from NetworkMounts() one from SecretMountRHEL()) that don't do any error checking.  In the CopyImagePathContent() function in this same file we ignore the error if it rises:

        if err := label.Relabel(path, container.MountLabel, true); err != nil && err != unix.ENOTSUP {
                return err
        }

    (https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L199)

in daemon/create_unix.go we recheck again

                if err := label.Relabel(v.Path(), container.MountLabel, true); err != nil && err != syscall.ENOTSUP {
                        return err
                }

     (https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/daemon/create_unix.go#L55  I think you fixed this one up recently)

and then finally in daemon/graphdriver/btrfs/btrfs.go it's the last thing we do in the Create() function and it has no check:

        return label.Relabel(path.Join(subvolumes, id), mountLabel, false)

     (https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/daemon/graphdriver/btrfs/btrfs.go#L440)
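The ENOTSUP-tolerant pattern quoted above, written out as an added example (not the project's code): the relabel call is injected as a function so it runs without an SELinux host, and the fake relabeler and volume paths are constructed for the demonstration. Unsupported-label filesystems are skipped, while any other labeling error still fails the operation.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// RelabelFunc mirrors the shape of label.Relabel(path, label, shared);
// it is injected so the logic can be exercised without a real SELinux host.
type RelabelFunc func(path, fileLabel string, shared bool) error

// relabelTolerant applies the container's mount label to each volume path.
// A filesystem that cannot carry SELinux labels (setxattr returns ENOTSUP,
// as on the NFS volume in this bug) is skipped and reported; any other error
// (EPERM, EACCES, ...) is returned so a genuine labeling failure is never
// silently ignored.
func relabelTolerant(paths []string, mountLabel string, shared bool, relabel RelabelFunc) ([]string, error) {
	var skipped []string
	for _, p := range paths {
		err := relabel(p, mountLabel, shared)
		switch {
		case err == nil:
		case errors.Is(err, syscall.ENOTSUP):
			// errors.Is also unwraps *os.PathError and fmt.Errorf("%w")
			// wrappers, which a bare "err != unix.ENOTSUP" comparison misses.
			skipped = append(skipped, p)
		default:
			return skipped, fmt.Errorf("relabel %s: %w", p, err)
		}
	}
	return skipped, nil
}

// fakeRelabel stands in for label.Relabel; constructed behaviour keyed by path.
func fakeRelabel(path, fileLabel string, shared bool) error {
	switch path {
	case "/var/lib/docker/volumes/nfstest/_data": // NFS: xattrs unsupported
		return &os.PathError{Op: "setxattr", Path: path, Err: syscall.ENOTSUP}
	case "/var/lib/docker/volumes/denied/_data": // local fs, label write refused
		return &os.PathError{Op: "setxattr", Path: path, Err: syscall.EPERM}
	}
	return nil
}

func main() {
	paths := []string{"/var/lib/docker/volumes/nfstest/_data", "/var/lib/docker/volumes/localvol/_data"}
	skipped, err := relabelTolerant(paths, "system_u:object_r:container_file_t:s0:c1,c2", true, fakeRelabel)
	fmt.Println("skipped:", skipped, "err:", err)
}
```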

Comment 22 Daniel Walsh 2019-08-13 16:21:58 UTC
Well it is not in the btrfs one.

Comment 23 Tom Sweeney 2019-08-13 16:36:41 UTC
Yeah, I'm thinking maybe in container/container_unix.go for this one:

https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L487

I've just added error handling to it and am trying it.

Comment 24 Tom Sweeney 2019-08-13 16:46:52 UTC
Well, that's the one that's failing, but I'm not sure if adding error handling fixes the issue. With it in place, I'm now seeing:

# docker run --rm -ti -v nfstest:/mnt --name test rhel7 
Unable to find image 'rhel7:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7 ... 
latest: Pulling from registry.access.redhat.com/rhel7
cd9779fb83c9: Pull complete 
0bc0fb725b14: Pull complete 
Digest: sha256:3e3d9c2a8bbbdf35c3ac6a9f57c2148d03888c6cc6a17da9570f0b0d6484c42b
Status: Downloaded newer image for registry.access.redhat.com/rhel7:latest
docker: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/nfstest/_data is not allowed: "operation not supported".
See 'docker run --help'.

Comment 25 Tom Sweeney 2019-08-13 17:00:57 UTC
Nope, I take that back, same error.  Need to dig further.

Comment 28 Derrick Ornelas 2020-02-28 20:35:05 UTC
The Red Hat Enterprise Linux 7 life cycle has entered Maintenance Support 1 Phase, which means that only qualified Critical and Important Security errata advisories (RHSAs) and some Urgent Priority Bug Fix errata advisories (RHBAs) will be released as they become available.  Unfortunately, this issue was not selected to be included in Red Hat Enterprise Linux 7, because it is seen either as low or moderate impact to a small number of use-cases. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

See the Red Hat Enterprise Linux Life Cycle for more details:
https://access.redhat.com/support/policy/updates/errata/#Maintenance_Support_1_Phase