Bug 1225549 - docker relabel of volumes should use shared volumes by default
Summary: docker relabel of volumes should use shared volumes by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.1
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: Luwen Su
URL:
Whiteboard:
Depends On:
Blocks: 1211379 1225556
Reported: 2015-05-27 16:23 UTC by Laurent Rineau
Modified: 2019-03-06 02:36 UTC
CC: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: docker was labeling shared volumes private by default.
Consequence: Other containers could not use the content.
Fix: Fixed the code to label shared volumes correctly.
Result: Shared volumes now work with SELinux in enforcing mode.
Clone Of:
Clones: 1225556
Environment:
Last Closed: 2015-06-23 09:29:56 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2015:1167 (priority normal, status SHIPPED_LIVE): docker bug fix update, last updated 2015-06-23 13:29:05 UTC

Description Laurent Rineau 2015-05-27 16:23:58 UTC
Docker version 1.6.0-11.0.1.el7 has been pushed to RHEL 7.1 (I am actually using CentOS 7.1). That version contains the relabelling feature for volumes, and by default the volumes are private.

That breaks compatibility with existing container setups that share a volume. If the admin of the containers does not change the command lines used to launch the containers, the first container launched will relabel the volume, and the next container launched will get AVC denials when it tries to use the volume.

I appreciate that RHEL/CentOS gets newer versions of Docker, but backward compatibility should be respected:
  - the default should be "shared",
  - the default could be taken from a configuration option, set to "private" in the config file shipped with the RPM package, but still with "shared" as the default value if the config file does not say otherwise.

Comment 2 Daniel Walsh 2015-05-27 16:42:35 UTC
Could you attach the docker command where you are seeing this behaviour? I agree the default should be shared for volume containers, and it should do nothing for bind mount volumes.

Comment 3 Laurent Rineau 2015-06-01 11:09:47 UTC
The problematic docker version:

cgal ~/tmp/docker-test $ docker version
Client version: 1.6.0
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 8aae715/1.6.0
OS/Arch (client): linux/amd64
Server version: 1.6.0
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 8aae715/1.6.0
OS/Arch (server): linux/amd64

Here are the commands I run:

cgal ~/tmp/docker-test $ ls -lZd volume_dir
drwxr-xr-x. lrineau geometryfactory system_u:object_r:svirt_sandbox_file_t:s0 volume_dir

cgal ~/tmp/docker-test $ docker run -v $PWD/volume_dir:/volume:ro fedora /bin/ls /volume
cgal ~/tmp/docker-test $ ls -lZd volume_dir
drwxr-xr-x. lrineau geometryfactory system_u:object_r:svirt_sandbox_file_t:s0:c321,c330 volume_dir

You can see that the range of volume_dir has been changed to a private label.

If I setup the volume with ":z":

cgal ~/tmp/docker-test $ docker run -v $PWD/volume_dir:/volume:z fedora /bin/ls /volume
cgal ~/tmp/docker-test $ ls -lZd volume_dir
drwxr-xr-x. lrineau geometryfactory system_u:object_r:svirt_sandbox_file_t:s0 volume_dir

If I setup the volume without any mode:

cgal ~/tmp/docker-test $ docker run -v $PWD/volume_dir:/volume fedora /bin/ls /volume
cgal ~/tmp/docker-test $ ls -lZd volume_dir
drwxr-xr-x. lrineau geometryfactory system_u:object_r:svirt_sandbox_file_t:s0 volume_dir

If neither Z nor z is added to the mode, it should be shared by default. But if the mode is "ro", then the volume is relabeled to a private label. And that is the bug.

Comment 4 Daniel Walsh 2015-06-01 12:52:28 UTC
Let's check if this is fixed in docker-1.6.2.

Comment 6 Luwen Su 2015-06-15 04:35:23 UTC
In docker-1.6.2-10.el7.x86_64:
1. Create a dir on the host:
# mkdir label
# ls -aZ
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 label

# docker run -it -v label:/label-test rhel7 /bin/bash
[root@9fe47cee7961 /]# ls -aZ
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 label-test

2. Mount with `ro`:
# docker run -it -v /root/label:/label-test:ro rhel7 /bin/bash
[root@05c2abb88a1c /]# ls -aZ
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 label-test

Moving to VERIFIED.

Comment 7 Luwen Su 2015-06-15 06:07:39 UTC
Sorry for the missing steps; here is the rest.
Without `z`/`Z` the volume label will not change.
Given a `z`:
# docker run -it -v /root/test/sites/test.conf:/etc/nginx/conf.d/default.conf:z nginx ls -aZ /etc/nginx/conf.d/default.conf
system_u:object_r:svirt_sandbox_file_t:s0 /etc/nginx/conf.d/default.conf
# ls -aZ test.conf
-rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 test.conf

Then with `ro`, no change:
# docker run -it -v /root/test/sites/test.conf:/etc/nginx/conf.d/default.conf:ro nginx ls -aZ /etc/nginx/conf.d/default.conf
system_u:object_r:svirt_sandbox_file_t:s0 /etc/nginx/conf.d/default.conf
# ls -aZ test.conf
-rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 test.conf

With `Z`, it changes again:
# docker run -it -v /root/test/sites/test.conf:/etc/nginx/conf.d/default.conf:Z nginx ls -aZ /etc/nginx/conf.d/default.conf
system_u:object_r:svirt_sandbox_file_t:s0:c519,c558 /etc/nginx/conf.d/default.conf
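
The label transitions shown in Comment 3 and Comment 7, and the reason the second container in Comment 3 ends up with AVC denials, can be replayed offline. The script below is an added example, not code from this bug report or from docker: it models what ":z", ":Z" and ":ro" do to a host path's label (with a "buggy" variant reproducing the 1.6.0 behaviour where ":ro" relabelled like ":Z") and applies the SELinux MCS rule to decide whether a second container can still use the volume. It assumes, beyond what the page shows, that container processes run as svirt_lxc_net_t and are only permitted files of type svirt_sandbox_file_t; no other type-enforcement rules are modelled, and the second container's category pair is borrowed from Comment 7 rather than observed in Comment 3.

```shell
#!/usr/bin/env bash
# Added example; not code from this bug report or from docker. It models the
# labels seen in Comments 3 and 7 (what ":z", ":Z" and ":ro" do to a host
# path's SELinux label) and shows why the second container on a shared volume
# gets AVC denials once the first one's MCS categories are written to it.
# Assumptions not taken from the page: container processes run as
# svirt_lxc_net_t and may only touch files of type svirt_sandbox_file_t; the
# MCS rule is the standard one (a process needs every category the file has).
# No other type-enforcement rules are modelled.
set -eu

CONTAINER_FILE_TYPE=svirt_sandbox_file_t

# Print field "type" or "cats" of a label "user:role:type:sens[:cats]".
label_field() {
    local field=$1 rest=$2 ftype cats=
    rest=${rest#*:}            # drop user
    rest=${rest#*:}            # drop role
    ftype=${rest%%:*}
    rest=${rest#*:}            # sens[:cats]
    case $rest in *:*) cats=${rest#*:} ;; esac
    case $field in
        type) printf '%s' "$ftype" ;;
        cats) printf '%s' "$cats" ;;
        *) echo "unknown field: $field" >&2; return 1 ;;
    esac
}

# A host path is "shared" when it carries the sensitivity only (the ":z"
# result, usable by every container) and "private" when MCS categories are
# present (the ":Z" result, usable by exactly one container).
volume_mode() {
    if [ -z "$(label_field cats "$1")" ]; then echo shared; else echo private; fi
}

# Label a host path ends up with after "docker run -v host:ctr:MODE" by a
# container whose process label is $4. $1 selects the behaviour:
#   fixed  - 1.6.2 as verified in Comments 6/7: only "z" and "Z" relabel.
#   buggy  - 1.6.0 as reported in Comment 3: "ro" relabels like "Z".
relabel() {
    local variant=$1 mode=$2 current=$3 proc=$4
    if [ "$variant" = buggy ] && [ "$mode" = ro ]; then mode=Z; fi
    case $mode in
        z)     printf 'system_u:object_r:%s:s0' "$CONTAINER_FILE_TYPE" ;;
        Z)     printf 'system_u:object_r:%s:s0:%s' "$CONTAINER_FILE_TYPE" \
                   "$(label_field cats "$proc")" ;;
        ro|"") printf '%s' "$current" ;;
        *)     echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Exit 0 if a process labelled $1 may access a file labelled $2: the file must
# be of the container file type, and every file category must be held by the
# process. A file with no categories (plain s0) passes the MCS check for
# every container, which is what makes the ":z" label "shared".
can_access() {
    local proc=$1 file=$2 proc_cats file_cats c
    [ "$(label_field type "$file")" = "$CONTAINER_FILE_TYPE" ] || return 1
    proc_cats=$(label_field cats "$proc")
    file_cats=$(label_field cats "$file")
    while [ -n "$file_cats" ]; do
        c=${file_cats%%,*}
        case ",$proc_cats," in
            *",$c,"*) ;;
            *) return 1 ;;
        esac
        case $file_cats in *,*) file_cats=${file_cats#*,} ;; *) file_cats= ;; esac
    done
    return 0
}

# Replay Comment 3: volume_dir starts shared, container A mounts it with ":ro",
# then container B (a different MCS pair; the pair from Comment 7 is reused
# here) tries to use it. Prints the label A leaves behind; exit 0 iff B can.
scenario_ro_then_second_container() {
    local variant=$1 after
    local host="system_u:object_r:${CONTAINER_FILE_TYPE}:s0"
    local a="system_u:system_r:svirt_lxc_net_t:s0:c321,c330"
    local b="system_u:system_r:svirt_lxc_net_t:s0:c519,c558"
    after=$(relabel "$variant" ro "$host" "$a")
    echo "docker ($variant): after A mounts :ro the host dir is $after ($(volume_mode "$after"))"
    can_access "$b" "$after"
}

main() {
    local variant
    for variant in buggy fixed; do
        if scenario_ro_then_second_container "$variant"; then
            echo "docker ($variant): container B can use the volume"
        else
            echo "docker ($variant): container B gets AVC denials on the volume"
        fi
    done
}
main
```

On a real host the inputs for `can_access` come from `ls -Zd` (or `stat -c %C`) on the volume path and `ps -eZ` for the container process label; the category pair on the file is the quick tell for whether a volume has been made private by a ":Z" (or, on the affected 1.6.0 build, a ":ro") mount.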

Comment 9 errata-xmlrpc 2015-06-23 09:29:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1167.html

Comment 10 Laurent Rineau 2015-06-28 16:04:27 UTC
The new build is now officially on CentOS 7. Thanks a lot for the fix!

