Bug 1517690
| Summary: | `mv` in container tries to remove the MCS part of SELinux context | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Standa Laznicka <slaznick> |
| Component: | container-selinux | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 26 | CC: | amurdaca, dwalsh, fkluknav, jchaloup, jlebon, jpazdziora, lsm5 |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | container-selinux-2.36-1.fc27 container-selinux-2.36-1.fc26 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-12-10 05:07:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem: During an installation of FreeIPA in a container, most probably during the `pkispawn` time, there is a `mv` which tries to relabel two objects so that the MCS part of their context gets removed.

Version-Release number of selected component (if applicable): Fedora 26 host; on a Fedora 25 host this seems to work fine.

How reproducible: 100%

Steps to Reproduce:

1. `docker pull freeipa/freeipa-server:fedora-26`
2. Run the container:

```
domain=IPA.TEST; docker run -t --name freeipa-popelnice -h $HOSTNAME \
    --tmpfs /run --tmpfs /tmp \
    -v /dev/urandom:/dev/random:ro -v /opt/ipa-data/master:/data \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro --cap-add=SYS_TIME \
    freeipa/freeipa-server:fedora-26 \
    --hostname $HOSTNAME --domain $domain --realm ${domain^^} \
    -p milan_je_buh123 -a milan_je_buh123 --setup-dns --auto-forwarders --no-reverse -U
```

3. `ausearch -m avc`

Actual results:

```
----
time->Mon Nov 27 02:44:49 2017
type=AVC msg=audit(1511768689.168:475): avc: denied { relabelfrom } for pid=16032 comm="mv" name="logging.properties" dev="dm-0" ino=26096381 scontext=system_u:system_r:container_t:s0:c178,c726 tcontext=system_u:object_r:container_file_t:s0 tclass=lnk_file permissive=0
----
time->Mon Nov 27 02:44:49 2017
type=AVC msg=audit(1511768689.176:476): avc: denied { relabelfrom } for pid=16032 comm="mv" name="CS.cfg.bak" dev="dm-0" ino=26096406 scontext=system_u:system_r:container_t:s0:c178,c726 tcontext=system_u:object_r:container_file_t:s0 tclass=lnk_file permissive=0
```

Fail: AVC messages found.

Expected results: No AVCs

Additional info: Running the container requires more workarounds; I will add an appropriate beaker job to this BZ.

This is strange. It looks like the system thinks SELinux is enabled within the container? If you run this same container but just launch and run a sh, does `id -Z` report that SELinux is disabled?

`docker exec $CONTAINER_NAME id -Z` seems to correctly give:

```
id: --context (-Z) works only on an SELinux-enabled kernel
```

Ok, does some code do a `mv -Z` from inside of the container on top of /opt/ipa-data-master? Is this content private to this container or do other containers need to use this data? `-v /opt/ipa-data-master:/data:Z` would fix this issue if it is private to this container. And you could eliminate the chcon command from above.

Ok, I got it. Fixed in container-selinux-2.36. Thanks.

For the record - the data in /opt/ipa-data-master are supposed to be persistent container storage and can be used in different containers, so the :Z way is unfortunately not possible.

We were allowing the relabel on files and directories, but not on link_file, which is what you are seeing. I have updated container-selinux to allow it on all file types now.

Thanks, tested the new package from koji and it seems to have fixed the problem for me.

Ok, I will push it into updates tomorrow, since we have a container-selinux package update about to finish the updates process. Once I push, could you update karma?

container-selinux-2.36-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

container-selinux-2.36-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-acc79c0e3e

container-selinux-2.36-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-acc79c0e3e

container-selinux-2.36-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

container-selinux-2.36-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

container-selinux-2.36-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
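As an added example (not part of the bug report or of container-selinux), a small parser that picks out AVC denials matching the pattern in the description: a `container_t` process denied `relabelfrom`/`relabelto` on `container_file_t` content, reporting the object class and the MCS categories on each side so the missing MCS part is visible. The two sample records are the ones quoted in the description; the `classify` pattern (any relabel permission, not only `relabelfrom`) is my generalisation.

```python
import re

# Two AVC records copied from this bug's "Actual results" (constructed sample input;
# raw ausearch output pads "avc:  denied  {" with double spaces, which the regex tolerates).
SAMPLE_AVCS = """\
type=AVC msg=audit(1511768689.168:475): avc: denied { relabelfrom } for pid=16032 comm="mv" name="logging.properties" dev="dm-0" ino=26096381 scontext=system_u:system_r:container_t:s0:c178,c726 tcontext=system_u:object_r:container_file_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1511768689.176:476): avc: denied { relabelfrom } for pid=16032 comm="mv" name="CS.cfg.bak" dev="dm-0" ino=26096406 scontext=system_u:system_r:container_t:s0:c178,c726 tcontext=system_u:object_r:container_file_t:s0 tclass=lnk_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Dict with 'result', 'perms' and every key=value field of one type=AVC
    record; None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def split_context(ctx):
    """'user:role:type:s0:c178,c726' -> ('type', {'c178', 'c726'}); a range of
    just 's0' (no MCS categories) yields an empty set."""
    parts = ctx.split(":", 3)
    _, _, cats = (parts[3] if len(parts) > 3 else "s0").partition(":")
    return parts[2], set(cats.split(",")) if cats else set()

def classify(rec):
    """Match this report's pattern: a container_t process denied relabelfrom or
    relabelto on container_file_t content (here lnk_file, which the policy before
    container-selinux-2.36 did not cover).  Returns None for anything else."""
    if rec is None or rec["result"] != "denied":
        return None
    if not {"relabelfrom", "relabelto"} & set(rec["perms"]):
        return None
    styp, scats = split_context(rec["scontext"])
    ttyp, tcats = split_context(rec["tcontext"])
    if styp != "container_t" or ttyp != "container_file_t":
        return None
    # process_cats: the container's MCS categories; target_cats: the object's
    # (empty for these records, i.e. the object carries no MCS part at all)
    return {"comm": rec["comm"], "name": rec["name"], "tclass": rec["tclass"],
            "process_cats": sorted(scats), "target_cats": sorted(tcats)}

def container_relabel_denials(text):
    """All matching denials in a block of ausearch/auditd output, in order."""
    return [c for c in map(classify, map(parse_avc, text.splitlines())) if c]
```

Feeding it the full `ausearch -m avc` output separates this relabel pattern from unrelated denials, and an empty `target_cats` next to a populated `process_cats` is exactly the "MCS part removed" situation the description reports.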