Bug 1525589
Summary: | selinux-policy preventing 'rhel-push-plugin' from starting | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Micah Abbott <miabbott> |
Component: | container-selinux | Assignee: | Lokesh Mandvekar <lsm5> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | CC: | amurdaca, dwalsh, fkluknav, jchaloup, jlebon, lsm5, lvrabec, mgrepl, plautrba, pmoore, walters |
Version: | 27 | | |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-01-02 20:12:42 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Micah Abbott
2017-12-13 16:01:57 UTC
This appears to be Atomic Host specific. I upgraded a Fedora 27 Cloud system to the latest in 'updates-testing' and then installed the offending 'selinux-policy' package, but did not observe any issues.

# cat /etc/os-release
NAME=Fedora
VERSION="27 (Cloud Edition)"
ID=fedora
VERSION_ID=27
PRETTY_NAME="Fedora 27 (Cloud Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:27"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=27
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=27
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Cloud Edition"
VARIANT_ID=cloud

# systemctl status rhel-push-plugin.socket
● rhel-push-plugin.socket - Docker Block RHEL push plugin Socket for the API
   Loaded: loaded (/usr/lib/systemd/system/rhel-push-plugin.socket; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-12-13 16:24:12 UTC; 38s ago
     Docs: man:rhel-push-plugin(8)
   Listen: /run/docker/plugins/rhel-push-plugin.sock (Stream)

Dec 13 16:24:12 micah-f27cloud-vm1213a.localdomain systemd[1]: Listening on Docker Block RHEL push plugin Socket for the API.

# journalctl -b | grep 'avc: denied'

# rpm -q docker docker-rhel-push-plugin selinux-policy selinux-policy-targeted
docker-1.13.1-44.git584d391.fc27.x86_64
docker-rhel-push-plugin-1.13.1-44.git584d391.fc27.x86_64
selinux-policy-3.13.1-283.18.fc27.noarch
selinux-policy-targeted-3.13.1-283.18.fc27.noarch

Might be related to the 'rpm-ostree override replace' problem here - https://github.com/projectatomic/rpm-ostree/issues/1145

Dan,

I have no idea what rhel-push-plugin is but it looks like it's connected to docker. We should label it somehow. Is it possible to do it in docker policy?

Thanks,
Lukas.

ls -lZ /usr/libexec/docker/rhel-push-plugin |