Bug 1602825

Summary: Can not create docker image with SELinux enabled
Product: Fedora
Component: docker
Version: 28
Hardware: x86_64
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: unspecified
Type: Bug
Reporter: Artyom <alukiano>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: adimania, admiller, amurdaca, dwalsh, fkluknav, ichavero, jcajka, lsm5, marianne, nalin, santiago, vbatts
Last Closed: 2018-07-19 06:55:44 UTC

Description Artyom 2018-07-18 15:05:08 UTC
Description of problem:
No matter what image I create, the RUN command in the Dockerfile fails.

Dockerfile
=========================
FROM fedora:27
RUN dnf install -y make
=========================

docker build -t test .
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM fedora:27
 ---> 9110ae7f579f
Step 2/2 : RUN dnf install -y make
 ---> Running in 3947619356d2
The command '/bin/sh -c dnf install -y make' returned a non-zero code: 139

Version-Release number of selected component (if applicable):
# rpm -qa | grep docker
docker-1.13.1-60.git9cb56fd.fc28.x86_64
docker-rhel-push-plugin-1.13.1-60.git9cb56fd.fc28.x86_64
docker-common-1.13.1-60.git9cb56fd.fc28.x86_64
# rpm -qa | grep container
container-selinux-2.65-1.gitbf5b26b.fc28.noarch
containers-common-0.1.31-5.git0144aa8.fc28.x86_64
systemd-container-238-8.git0e0aa59.fc28.x86_64
container-storage-setup-0.11.0-1.git42c9d9c.fc28.noarch
# rpm -qa | grep selinux
python3-libselinux-2.8-1.fc28.x86_64
container-selinux-2.65-1.gitbf5b26b.fc28.noarch
selinux-policy-3.14.1-32.fc28.noarch
rpm-plugin-selinux-4.14.1-9.fc28.x86_64
libselinux-utils-2.8-1.fc28.x86_64
dnfdaemon-selinux-0.3.18-6.fc28.noarch
selinux-policy-targeted-3.14.1-32.fc28.noarch
libselinux-2.8-1.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. run "docker build -t test ." on the above Dockerfile

Actual results:
Image creation fails

Expected results:
Image creation must succeed

Additional info:
ausearch -m avc --start recent
----
time->Wed Jul 18 18:04:35 2018
type=AVC msg=audit(1531926275.058:1879): avc:  denied  { map } for  pid=21558 comm="sh" path="/usr/bin/bash" dev="dm-2" ino=5771176 scontext=system_u:system_r:container_t:s0:c380,c528 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0

Comment 1 Daniel Walsh 2018-07-18 15:27:31 UTC
This looks like you have a labeling issue in /etc or /var/lib/docker

restorecon -R -v /etc /var/lib/docker

Did you modify the docker daemon to use content under your homedir?

Comment 2 Artyom 2018-07-19 06:55:44 UTC
Yes, you are right, I put the docker directory under the home directory and created a symbolic link under /var/lib/docker, so it looks like I need to set a correct label on it.

# semanage fcontext -a -t container_var_lib_t "/home/test/docker(/.*)?"
# semanage fcontext -a -t container_share_t "/home/test/docker/overlay2(/.*)?"
# restorecon -R -v /home/test/docker

This returns everything back to normal.

Thanks for your help.
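As an added example (not part of the bug report, nor of the docker or container-selinux projects), a small Python checker that parses audit AVC lines like the one in the description and flags the pattern Comment 1 diagnosed: a container_t process denied on a home-directory label. The second and third sample records are constructed for contrast, and the HOME_TYPES set is an assumption about which target types indicate docker storage that was moved without relabelling.

```python
import re

# Constructed sample audit records (not from a live system): the first is the AVC
# quoted in the report above; the other two are invented for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1531926275.058:1879): avc:  denied  { map } for  pid=21558 comm="sh" path="/usr/bin/bash" dev="dm-2" ino=5771176 scontext=system_u:system_r:container_t:s0:c380,c528 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531926290.101:1880): avc:  denied  { write } for  pid=21570 comm="sh" path="/usr/share/doc/x" dev="dm-2" ino=777 scontext=system_u:system_r:container_t:s0:c380,c528 tcontext=system_u:object_r:container_share_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531926301.500:1881): avc:  denied  { read } for  pid=22001 comm="httpd" path="/home/test/www/index.html" dev="dm-2" ino=888 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

CONTAINER_DOMAINS = {"container_t"}
# Assumption: home-directory types should never label docker's storage; a container
# domain being denied on one of them points at a tree moved there without relabelling.
HOME_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t"}

def ctx_type(ctx):
    """Return the type field (third component) of an SELinux context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one audit line into a dict; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["action"] = m.group("action")
    rec["perms"] = set(m.group("perms").split())
    rec["stype"] = ctx_type(rec.get("scontext", ""))
    rec["ttype"] = ctx_type(rec.get("tcontext", ""))
    return rec

def classify(rec):
    """'mislabelled-storage' when a container domain is denied on a home-directory type."""
    if rec["action"] != "denied":
        return "allowed"
    if rec["stype"] in CONTAINER_DOMAINS and rec["ttype"] in HOME_TYPES:
        return "mislabelled-storage"
    return "other"

def scan(audit_text):
    """Return (pid, comm, path, verdict) for every AVC record in the text."""
    return [(r.get("pid"), r.get("comm"), r.get("path"), classify(r))
            for r in map(parse_avc, audit_text.splitlines()) if r]
```

Running scan(SAMPLE_AUDIT) flags only the first record; the remedy for that verdict is the semanage fcontext and restorecon sequence shown in Comment 2.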