Bug 1262812 - selinux-policy-targeted overwrites policy from docker-selinux preventing docker to work properly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Docs Contact:
Depends On:
Blocks: 1261811
Reported: 2015-09-14 08:10 EDT by Jarle Bjørgeengen
Modified: 2015-11-19 05:46 EST (History)
CC: 8 users

See Also:
Fixed In Version: selinux-policy-3.13.1-51.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 05:46:24 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Jarle Bjørgeengen 2015-09-14 08:10:59 EDT
Description of problem:
The package docker-selinux contains additional rules that are necessary for docker to work properly when running SELinux in targeted mode. docker-selinux does its policy installation by loading a binary module from /usr/share/selinux/packages/ directly with semodule and load_policy (in the rpm %{POSTIN} routine). This produces a new, updated docker.pp in

/etc/selinux/targeted/modules/active/modules/

However, this file is owned by:

    [root@yme test-nginx]# rpm -qf /etc/selinux/targeted/modules/active/modules/docker.pp 
    selinux-policy-targeted-3.13.1-23.el7_1.17.noarch
    [root@yme test-nginx]#

Version-Release number of selected component (if applicable):


How reproducible:

Always.

Steps to Reproduce:
1. Upgrade selinux-policy-targeted
2. Run systemctl restart docker 
3.

Actual results:
Restarting docker hangs, because this is no longer allowed:

allow docker_t firewalld_t:dbus send_msg;


Expected results:

systemctl restart docker returns with success. 

Additional info:

Workaround: 

 yum -y reinstall docker-selinux
Comment 2 Milos Malik 2015-09-15 07:39:27 EDT
# find /usr/share/selinux/devel/ -name docker.if
/usr/share/selinux/devel/include/contrib/docker.if
/usr/share/selinux/devel/include/services/docker.if
# rpm -qf /usr/share/selinux/devel/include/contrib/docker.if
selinux-policy-devel-3.13.1-48.el7.noarch
# rpm -qf /usr/share/selinux/devel/include/services/docker.if 
docker-selinux-1.7.1-108.el7.x86_64
#

The existence of 2 docker.if files causes the following problems when compiling a local policy module:

# cat mypolicy.te 
policy_module(mypolicy,1.0)
# rm -rf tmp
# make -f /usr/share/selinux/devel/Makefile 
/usr/share/selinux/devel/include/contrib/docker.if:14: Error: duplicate definition of docker_domtrans(). Original definition on 14.
/usr/share/selinux/devel/include/contrib/docker.if:33: Error: duplicate definition of docker_exec(). Original definition on 33.
/usr/share/selinux/devel/include/contrib/docker.if:52: Error: duplicate definition of docker_search_lib(). Original definition on 52.
/usr/share/selinux/devel/include/contrib/docker.if:71: Error: duplicate definition of docker_exec_lib(). Original definition on 71.
/usr/share/selinux/devel/include/contrib/docker.if:90: Error: duplicate definition of docker_read_lib_files(). Original definition on 90.
/usr/share/selinux/devel/include/contrib/docker.if:109: Error: duplicate definition of docker_read_share_files(). Original definition on 109.
/usr/share/selinux/devel/include/contrib/docker.if:128: Error: duplicate definition of docker_manage_lib_files(). Original definition on 128.
/usr/share/selinux/devel/include/contrib/docker.if:148: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 148.
/usr/share/selinux/devel/include/contrib/docker.if:184: Error: duplicate definition of docker_lib_filetrans(). Original definition on 184.
/usr/share/selinux/devel/include/contrib/docker.if:202: Error: duplicate definition of docker_read_pid_files(). Original definition on 202.
/usr/share/selinux/devel/include/contrib/docker.if:221: Error: duplicate definition of docker_systemctl(). Original definition on 221.
/usr/share/selinux/devel/include/contrib/docker.if:246: Error: duplicate definition of docker_rw_sem(). Original definition on 246.
/usr/share/selinux/devel/include/contrib/docker.if:264: Error: duplicate definition of docker_use_ptys(). Original definition on 264.
/usr/share/selinux/devel/include/contrib/docker.if:282: Error: duplicate definition of docker_filetrans_named_content(). Original definition on 282.
/usr/share/selinux/devel/include/contrib/docker.if:315: Error: duplicate definition of docker_stream_connect(). Original definition on 315.
/usr/share/selinux/devel/include/contrib/docker.if:334: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 334.
/usr/share/selinux/devel/include/contrib/docker.if:356: Error: duplicate definition of docker_admin(). Original definition on 356.
/usr/share/selinux/devel/include/kernel/kernel.if:3879: Error: duplicate definition of kernel_unlabeled_domtrans(). Original definition on 445.
/usr/share/selinux/devel/include/kernel/kernel.if:3900: Error: duplicate definition of kernel_unlabeled_entry_type(). Original definition on 438.
/usr/share/selinux/devel/include/kernel/files.if:7840: Error: duplicate definition of files_write_all_pid_sockets(). Original definition on 454.
/usr/share/selinux/devel/include/kernel/filesystem.if:4537: Error: duplicate definition of fs_dontaudit_remount_tmpfs(). Original definition on 424.
/usr/share/selinux/devel/include/kernel/devices.if:221: Error: duplicate definition of dev_dontaudit_list_all_dev_nodes(). Original definition on 431.
/usr/share/selinux/devel/include/kernel/devices.if:4499: Error: duplicate definition of dev_dontaudit_mounton_sysfs(). Original definition on 461.
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
#
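The two failure modes on this page are mechanical enough to check for after every selinux-policy-targeted upgrade: the active docker.pp in /etc/selinux/targeted/modules/active/modules/ no longer matching the one docker-selinux ships (the description), and the same interface name being defined in two .if files under /usr/share/selinux/devel/include (comment 2). The script below is an added example, not code from the bug report, from docker-selinux or from selinux-policy. It takes the paths as parameters so it can be run against a constructed sample tree; the default package path /usr/share/selinux/packages/docker.pp is an assumption (the description only names the directory), and the duplicate check only looks at interface()/template() definitions at the start of a line, which is how refpolicy .if files are written.

```shell
#!/bin/sh
# Added example (not from the bug report, docker-selinux or selinux-policy).
# Two post-upgrade checks for the docker SELinux module:
#   1. check_module_drift: has the active docker.pp diverged from the package copy?
#   2. find_duplicate_interfaces: is any interface/template defined in more than one .if?

# check_module_drift PACKAGE_PP ACTIVE_PP
# Exit status: 0 if the active module is byte-identical to the package's .pp,
#              1 if it differs (the symptom in the description: another package
#                replaced it, so the rules docker needs may be gone),
#              2 if either file is missing.
check_module_drift() {
    pkg_pp=$1
    active_pp=$2
    [ -f "$pkg_pp" ] && [ -f "$active_pp" ] || return 2
    if cmp -s "$pkg_pp" "$active_pp"; then
        return 0
    fi
    return 1
}

# find_duplicate_interfaces INCLUDE_DIR
# Prints one line per interface or template name that is defined in more than
# one .if file below INCLUDE_DIR: "name<TAB>file1<TAB>file2...". Prints nothing
# when the tree is clean. This is what `make -f /usr/share/selinux/devel/Makefile`
# trips over with "duplicate definition of ..." in comment 2.
find_duplicate_interfaces() {
    dir=$1
    # One awk over every .if file; FILENAME tells us where each definition lives.
    find "$dir" -name '*.if' -exec awk '
        /^(interface|template)\(`[A-Za-z0-9_]+'"'"'/ {
            name = $0
            sub(/^(interface|template)\(`/, "", name)   # drop "interface(`"
            sub(/'"'"'.*$/, "", name)                    # drop everything from the closing quote
            files[name] = (name in count) ? files[name] "\t" FILENAME : FILENAME
            count[name]++
        }
        END { for (k in count) if (count[k] > 1) print k "\t" files[k] }
    ' {} + | sort
}

# Command-line use (assumed default paths, taken from the bug report where given):
#   sh docker_policy_check.sh /usr/share/selinux/devel/include \
#       /usr/share/selinux/packages/docker.pp \
#       /etc/selinux/targeted/modules/active/modules/docker.pp
# Nothing runs when no arguments are given, so the functions can be sourced.
if [ "$#" -ge 1 ]; then
    include_dir=$1
    pkg_pp=${2:-/usr/share/selinux/packages/docker.pp}
    active_pp=${3:-/etc/selinux/targeted/modules/active/modules/docker.pp}

    dups=$(find_duplicate_interfaces "$include_dir")
    if [ -n "$dups" ]; then
        echo "duplicate interface definitions under $include_dir:"
        printf '%s\n' "$dups"
    fi

    rc=0
    check_module_drift "$pkg_pp" "$active_pp" || rc=$?
    case $rc in
        0) echo "active docker module matches $pkg_pp" ;;
        1) echo "active docker module differs from $pkg_pp (reinstall docker-selinux)" ;;
        2) echo "cannot compare: $pkg_pp or $active_pp is missing" ;;
    esac
    exit "$rc"
fi
```

A drift result of 1 is exactly the state the reporter hit after `yum update selinux-policy-targeted`, and the workaround given above (`yum -y reinstall docker-selinux`) is what brings it back to 0; a non-empty duplicate list means a local policy build will fail as in comment 2 until only one package ships docker.if.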
Comment 3 Lukas Vrabec 2015-09-16 10:49:08 EDT
Hi, 
It looks like the docker team ships a docker SELinux module and the selinux team also ships a docker module.

Dan, Lokesh, 
What are the steps to fix this? Could you ship the docker policy from rhel7.3?
Comment 4 Daniel Walsh 2015-09-16 13:04:42 EDT
selinux-policy package should no longer be shipping docker.pp.  It should only be shipped in docker-selinux package.
Comment 12 errata-xmlrpc 2015-11-19 05:46:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
