Bug 1573002
Summary: | SELinux is preventing runc:[2:INIT] from 'entrypoint' accesses on the file /bin/echo. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Daniel Stiner <danstiner> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Priority: | unspecified |
Version: | 28 | CC: | danstiner, dwalsh, lvrabec, mgrepl, plautrba, pmoore |
Hardware: | x86_64 | OS: | Unspecified |
Whiteboard: | abrt_hash:85bf48f176a859c46527bb57405834f6da7aace22b4d727493144505506437d1;VARIANT_ID=workstation; | Last Closed: | 2018-05-01 16:17:16 UTC |
Description
Daniel Stiner
2018-04-29 16:16:28 UTC
Previously worked under Fedora 27, broken after clean upgrade to Fedora 28 Beta.

$ dnf info docker
Installed Packages
Name         : docker
Epoch        : 2
Version      : 1.13.1
Release      : 51.git4032bd5.fc28
Arch         : x86_64
Size         : 67 M
Source       : docker-1.13.1-51.git4032bd5.fc28.src.rpm
Repo         : @System
From repo    : fedora
Summary      : Automates deployment of containerized applications
URL          : https://github.com/projectatomic/docker

Did you switch to an Overlay2 back end?

Does

restorecon -R -v /var/lib/docker

change the labels in /var/lib/docker/overlay2 and solve this problem?

I did not manually change the back-end, but it appears I am using overlay2. Running restorecon did fix the issue, thanks for that! Is there a chance other people will run into this? I'm happy to try and reproduce the upgrade in a VM or whatever else may be useful.

$ docker info
...Storage Driver: overlay2...

$ restorecon -R -v /var/lib/docker
...
Relabeled /var/lib/docker/tmp/docker-builder601697712/<file> from system_u:object_r:var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0
...

I am not sure how this can happen. If you were to rm -rf /var/lib/docker, I think everything would get labeled correctly. For some reason during the update you either had an overlay2 directory preexisting, and we did not catch it, or somehow it got mislabeled.

I'm not sure either. I have tried applying custom SELinux policy on this machine before, but nothing Docker related. Unless someone else runs into this, I'd say this can be closed. Thanks for your help!

Random asides:
- Based on create date of /var/lib/docker/overlay2/ I installed docker in Feb of 2017, would have been running Fedora 25 back then
- Just for kicks I did a clean F27 install and upgraded it, docker worked as expected before and after the upgrade.
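To gauge how much of /var/lib/docker carries the wrong label before relabeling, the verbose restorecon output quoted in this thread can be summarised by type transition. This is an added example, not part of the bug report: the function names and sample lines are constructed, and running restorecon with `-n` (dry run) on the affected host is an assumption about how it would be fed.

```shell
#!/bin/sh
# Summarise `restorecon -v` output as "<count> <current type> -> <expected type>".
# Input lines have the shape quoted in the thread:
#   Relabeled <path> from <context> to <context>
# With -n (dry run) restorecon prints "Would relabel" instead of "Relabeled".
# Assumed live use, as root:  restorecon -R -n -v /var/lib/docker | summarize_relabels

summarize_relabels() {
    awk '
        {
            # Accept both verbs; skip any other diagnostic line.
            if ($1 == "Relabeled") start = 2
            else if ($1 == "Would" && $2 == "relabel") start = 3
            else next
            # Read "from <ctx> to <ctx>" from the end of the line so that
            # paths containing spaces do not shift the fields.
            if (NF < start + 4 || $(NF-3) != "from" || $(NF-1) != "to") next
            # An SELinux context is user:role:type:level; field 3 is the type.
            split($(NF-2), cur, ":")
            split($NF, want, ":")
            count[cur[3] " -> " want[3]]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input (not taken from the reporter's machine).
sample_restorecon_output() {
    cat <<'EOF'
Would relabel /var/lib/docker/tmp/example-a from system_u:object_r:var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0
Would relabel /var/lib/docker/tmp/example b from system_u:object_r:var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0
Relabeled /var/lib/docker/tmp/example-c from system_u:object_r:unlabeled_t:s0 to system_u:object_r:container_var_lib_t:s0
restorecon: constructed unrelated diagnostic line
EOF
}

sample_restorecon_output | summarize_relabels
```

A large count for a transition out of `var_lib_t` points at the same mislabeling the reporter hit, while an empty summary means the dry run found nothing to relabel.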