Bug 1112748 - Selinux prevents docker-io from updating /etc/passwd within a container
Summary: Selinux prevents docker-io from updating /etc/passwd within a container
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 20
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-24 15:40 UTC by Aurelien Marchand
Modified: 2014-07-22 17:41 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-07-22 17:41:38 UTC
Type: Bug
Embargoed:



Description Aurelien Marchand 2014-06-24 15:40:03 UTC
Description of problem:
Running a certain docker command fails to run the container as expected, since SELinux intercepts a call to update /etc/passwd within the container.


Version-Release number of selected component (if applicable):

Docker version 1.0.0, build 63fe64c/1.0.0
selinux policy version is 29


How reproducible: always


Steps to Reproduce:
1. # yum upgrade
2. # yum install docker-io
3. add username to the docker group and restart the daemon
4. verify 'getenforce' returns 'Enforcing'
5. docker run -t -i -p 80:80 -p 20022:22 oskarhane/docker-wordpress-nginx-ssh

Actual results:
140624 15:34:46 mysqld_safe Logging to syslog.
140624 15:34:46 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
mysql root password: Yohraequ2eiB
wordpress password: ieHie5toi0zo
ssh password: se2Gai9eengu
usermod: failure while writing changes to /etc/passwd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 58606  100 58606    0     0  60339      0 --:--:-- --:--:-- --:--:-- 62148
Archive:  nginx-helper.1.8.1.zip
nginx-helper.1.8.1 packaged
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/readme.txt  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/admin.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/install.php  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-sidebar.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-general.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-support.php  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/config.json  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.eot  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.svg  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.ttf  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.woff  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/nginx-fontello.css  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx.js  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/rtp-social-icons-32-32.png  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/logo.png  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/style.css  
 extracting: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-icon-32x32.png  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/nginx-helper.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/compatibility.php  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.mo  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.po  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/purger.php  
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 38126  100 38126    0     0   151k      0 --:--:-- --:--:-- --:--:--  154k
Archive:  wp-ffpc.1.5.0.zip
wp-ffpc.1.5.0 packaged
   creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-acache.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-class.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-nginx-sample.conf  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/readme.txt  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-backend.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/uninstall.php  
   creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-admin.css  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-abstract.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-utilities.php  
sed: warning: failed to set default file creation context to system_u:object_r:svirt_sandbox_file_t:s0:c8,c525: Permission deniedStarting memcached: memcached.
140624 15:34:59 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
/usr/local/lib/python2.7/dist-packages/supervisor-3.0-py2.7.egg/supervisor/options.py:295: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
  'Supervisord is running as root and it is searching '
2014-06-24 15:35:00,547 CRIT Supervisor running as root (no user in config file)
2014-06-24 15:35:00,646 INFO RPC interface 'supervisor' initialized
2014-06-24 15:35:00,646 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2014-06-24 15:35:00,646 INFO supervisord started with pid 380
2014-06-24 15:35:01,648 INFO spawned: 'nginx' with pid 391
2014-06-24 15:35:01,650 INFO spawned: 'mysqld' with pid 392
2014-06-24 15:35:01,651 INFO spawned: 'php5-fpm' with pid 393
2014-06-24 15:35:01,652 INFO spawned: 'ssh' with pid 394
2014-06-24 15:35:02,756 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: mysqld entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: php5-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: ssh entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)


Expected results:
140624 15:36:48 mysqld_safe Logging to syslog.
140624 15:36:48 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
mysql root password: Eehujoh3ooyo
wordpress password: nana8aiTh6ju
ssh password: Eengoo2liMie
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 58606  100 58606    0     0  38969      0  0:00:01  0:00:01 --:--:-- 39412
Archive:  nginx-helper.1.8.1.zip
nginx-helper.1.8.1 packaged
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/install.php  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-general.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-sidebar.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-support.php  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/logo.png  
 extracting: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-icon-32x32.png  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/rtp-social-icons-32-32.png  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx.js  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/style.css  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.ttf  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.woff  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.svg  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.eot  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/nginx-fontello.css  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/config.json  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/admin.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/nginx-helper.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/readme.txt  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/compatibility.php  
   creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.mo  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.po  
  inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/purger.php  
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 38126  100 38126    0     0  49638      0 --:--:-- --:--:-- --:--:-- 49903
Archive:  wp-ffpc.1.5.0.zip
wp-ffpc.1.5.0 packaged
   creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-nginx-sample.conf  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-class.php  
   creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-admin.css  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-abstract.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-utilities.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/uninstall.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/readme.txt  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-acache.php  
  inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-backend.php  
Starting memcached: memcached.
/usr/local/lib/python2.7/dist-packages/supervisor-3.0-py2.7.egg/supervisor/options.py:295: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
  'Supervisord is running as root and it is searching '
2014-06-24 15:37:02,595 CRIT Supervisor running as root (no user in config file)
2014-06-24 15:37:02,603 INFO RPC interface 'supervisor' initialized
2014-06-24 15:37:02,603 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2014-06-24 15:37:02,603 INFO supervisord started with pid 385
140624 15:37:03 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
2014-06-24 15:37:03,606 INFO spawned: 'nginx' with pid 396
2014-06-24 15:37:03,607 INFO spawned: 'mysqld' with pid 397
2014-06-24 15:37:03,608 INFO spawned: 'php5-fpm' with pid 398
2014-06-24 15:37:03,609 INFO spawned: 'ssh' with pid 399
2014-06-24 15:37:04,716 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: mysqld entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: php5-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: ssh entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)



Additional info:
If selinux is set to non-enforcing (setenforce 0), then the problem disappears.

Looking at the audit.log file, there is nothing related to the failed update around the time the usermod command is launched.

I tried the exact same steps on CentOS 6.5 and had no issue at all, even in Enforcing mode.

Comment 1 Aurelien Marchand 2014-06-24 15:43:53 UTC
One more detail: I opened this bug based on the exchange I had with Daniel Walsh for Bug 1096123. See comment #35 and onward (https://bugzilla.redhat.com/show_bug.cgi?id=1096123#c35).

Comment 2 Daniel Walsh 2014-06-24 17:31:52 UTC
What does

docker run -t -i -p 80:80 -p 20022:22 oskarhane/docker-wordpress-nginx-ssh id -Z

Return?

Comment 3 Aurelien Marchand 2014-06-25 13:34:35 UTC
$ docker run --rm -t -i -p 80:80 -p 20042:22 oskarhane/docker-wordpress-nginx-ssh id -Z
system_u:system_r:svirt_lxc_net_t:s0:c62,c983

Comment 4 Daniel Walsh 2014-06-25 15:35:50 UTC
That indicates to me that you are running with an image that does not handle SELinux properly.

docker run -ti -v /tmp:/tmp fedora /bin/id -Z
/bin/id: --context (-Z) works only on an SELinux-enabled kernel

Meaning that the image does not have an updated libselinux in it. libselinux in RHEL6 and CentOS6 reports to programs that SELinux is enabled when run within a container. In Fedora and RHEL7 they report that SELinux is disabled. When apps try to do SELinux stuff within a container, they are blocked and fail. This is why I am pushing to get an updated libselinux into CentOS 6 and RHEL6 container images.
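
The two diagnostics used in this thread (running `id -Z` inside the image, and watching the container's startup log for the `sed`/`usermod` failures) can be turned into a small triage script. This is an added example, not part of the bug report or of the docker-io package; the image names are assumptions, and the sample outputs are constructed from the lines quoted above.

```shell
#!/bin/sh
# Triage helper for the "stale libselinux inside the image" symptom described
# in this bug. Added example, not part of the original report.

# classify_id_z: given the combined stdout/stderr of `id -Z` run inside a
# container, say whether the image's libselinux believes SELinux is enabled.
# A printed context (user:role:type:...) means the image will try to do
# SELinux file-context operations that the container is not allowed to do.
classify_id_z() {
    case "$1" in
        *"works only on an SELinux-enabled kernel"*)
            # Updated libselinux (Fedora / RHEL7 behaviour): SELinux reported
            # as disabled inside the container, so tools skip context handling.
            echo "disabled-in-container" ;;
        *_u:*_r:*_t:*)
            # Old libselinux (RHEL6 / CentOS6 behaviour): a full context is
            # reported, so usermod/sed will attempt setfscreatecon() and fail.
            echo "enabled-in-container" ;;
        *)
            echo "unknown" ;;
    esac
}

# startup_log_hints_stale_libselinux: return 0 if a container's startup log
# contains either failure signature quoted in the bug's "Actual results".
startup_log_hints_stale_libselinux() {
    printf '%s\n' "$1" | grep -qF \
        -e "failed to set default file creation context" \
        -e "usermod: failure while writing changes to /etc/passwd"
}

# check_image: run the diagnostic from comment 2 against a real image.
# Assumes a local docker daemon; the image name is caller-supplied.
check_image() {
    out=$(docker run --rm "$1" id -Z 2>&1)
    printf '%s: %s\n' "$1" "$(classify_id_z "$out")"
}
```

Run `check_image oskarhane/docker-wordpress-nginx-ssh` (or any image) on an Enforcing host to see which of the two behaviours the image's libselinux exhibits; "enabled-in-container" is the case that produces the usermod failure above.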

Comment 5 Jim Perrin 2014-06-30 13:50:46 UTC
The CentOS docker image has the patch that was posted to the centos-devel mailing list included. 

We pushed it into centosplus and specifically install it in the docker image. I believe this image was pushed to the docker index around June 9th.

