Bug 2026372

Summary: container-selinux version
Product: Red Hat Enterprise Linux 8
Reporter: Julie Pichon <jpichon>
Component: container-tools-2.0-module
Assignee: Jindrich Novy <jnovy>
Status: CLOSED CURRENTRELEASE
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Priority: unspecified
Version: 8.2
CC: dornelas, dwalsh, jnovy, jpretori, tsweeney
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-12-03 21:28:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Julie Pichon 2021-11-24 13:53:21 UTC
Description of problem:

A recent update to container-selinux in container-tools:3.0 broke OSP 16.2 on RHEL 8.4 (see bug 2020210). This is because the new package includes commit 7e5f3c [1] which added a new file context for a generic path name (/var/log/containers) that is also in use by OpenStack - with different label expectations.

OSP 16.1 runs on container-tools:2.0 which thankfully doesn't have this patch yet. Our fix for 16.2 doesn't apply cleanly because it assumes the newer container-selinux package is also present.

Ideally, the problematic patch [1] would not be backported to container-tools:2.0 to avoid breaking current OSP 16.1 customers.

However, I am not sure about the roadmap. Are there any plans to update container-selinux in the container-tools:2.0 module stream? If so, could this update be coordinated with OSP/openstack-selinux, as a heads-up would be useful to make sure we are also ready? Thank you.

[1] https://github.com/containers/container-selinux/commit/7e5f3cae10e2d805821fb84dff7418b9e3b0cc1f

Version-Release number of selected component (if applicable):
container-selinux-2.124.0-1.module+el8.2.0+11121+714aca16.src.rpm works fine with OSP on 8.2.
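An added illustration, not part of the bug report or of either project's code: a small shell check for the situation described above, where two SELinux policy modules (container-selinux and openstack-selinux) ship file-context rules for the same generic path. It compares the label the loaded policy expects for /var/log/containers with the label actually on disk and lists every fcontext rule mentioning that path, so a clash between modules is visible before an update ships. It assumes the policycoreutils tools matchpathcon and semanage are installed; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report or either project: spot a file-context
# clash on a shared path such as /var/log/containers. Assumes the policycoreutils
# tools matchpathcon and semanage are installed (RHEL 8: policycoreutils and
# policycoreutils-python-utils). Function names are my own.

# The third colon-separated field of a context string is the SELinux type.
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) only when two contexts name the same type; user, role and
# level are ignored because the clash in this bug is between types.
labels_agree() {
  [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# Every fcontext rule whose pattern literally contains the path. Two entries
# from different policy modules for the same pattern is exactly the dependency
# this bug is about; the rule loaded last wins.
rules_for_path() {
  semanage fcontext -l | grep -F -- "$1"
}

# Compare what the loaded policy expects with what is currently on disk.
check_path() {
  path="$1"
  [ -e "$path" ] || { echo "SKIP: $path does not exist"; return 2; }
  expected=$(matchpathcon -n "$path")   # label the policy would apply
  actual=$(stat -c %C "$path")          # label currently on the inode
  if labels_agree "$expected" "$actual"; then
    echo "OK: $path is $actual"
    return 0
  fi
  echo "MISMATCH: $path on-disk=$actual policy=$expected"
  echo "fcontext rules mentioning $path:"
  rules_for_path "$path"
  return 1
}

# Usage: ./check_fcontext.sh --run [path]; defaults to the path from this bug.
# Without --run the file can be sourced to reuse the functions.
[ "$1" = "--run" ] && check_path "${2:-/var/log/containers}"
```

Running it on an OSP host after a container-selinux update would print MISMATCH and both modules' rules if the new label disagreed with what openstack-selinux applied.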

Comment 2 Daniel Walsh 2021-12-01 20:55:25 UTC
I know of no plans to back port, but if so, yes, we could coordinate and remove our label of /var/log/containers.

Comment 3 Jindrich Novy 2021-12-02 11:50:56 UTC
Currently we have no plans to update container-selinux in 2.0-8.4.0. If I read the bug report right, the label of /var/log/containers needs to be removed from 3.0-8.4.0?

Comment 4 Julie Pichon 2021-12-02 13:34:14 UTC
Thank you for the replies! The new label is fine from container-tools:3.0 onward, there is no need to remove/revert it because we've already patched OSP 16.2+ to expect it now. This bug is only about the container-selinux version in the container-tools:2.0 stream which OSP 16.1 uses.

Comment 5 Daniel Walsh 2021-12-02 14:10:14 UTC
I think this is only if we were to ship an update.

Comment 6 Tom Sweeney 2021-12-02 15:49:40 UTC
Yes, I think the issue is set for now, but we have to be careful about updating selinux in container-tools:2.0 going forward. We have no plans to do so; my fear is that a CVE will come in 6 months from now and we will have forgotten this dependency.

I'm going to make a note to myself; Jindrich and Dan, if you could do the same, hopefully one of us will remember if the need arises.

Given that, Jesse, can we close this issue?

Comment 7 Julie Pichon 2021-12-02 17:31:53 UTC
From my perspective, I'm happy for the issue to be closed. I wanted to raise awareness, as long as we can get some heads-up for container-tools:2.0 updates this should be fine. Thank you.