Bug 1286602 - Operation not supported for chattr +C on volume
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.2
Assigned To: Daniel Walsh
atomic-bugs@redhat.com
Reported: 2015-11-30 05:06 EST by Jan Pazdziora
Modified: 2015-11-30 16:52 EST
Doc Type: Bug Fix
Last Closed: 2015-11-30 16:52:20 EST
Type: Bug


Description Jan Pazdziora 2015-11-30 05:06:05 EST
Description of problem:

Running chattr +C fails on a directory on a bind-mounted volume. It does not fail on a directory on the root (in the container) filesystem.

Version-Release number of selected component (if applicable):

docker-1.8.2-8.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. rm -rf /opt/data ; mkdir /opt/data
2. docker run -ti -v /opt/data:/data:Z rhel7 bash
   [root@2f67b2197251 /]# 
3. [root@2f67b2197251 /]# mkdir /data/test
4. [root@2f67b2197251 /]# yum install -y /usr/bin/chattr
5. [root@2f67b2197251 /]# chattr +C /data/test

Actual results:

chattr: Operation not supported while setting flags on /data/test

Expected results:

No error.

Additional info:

Note that

[root@4b1c4d00a2aa /]# mkdir /opt/data ; chattr +C /opt/data

passes.

This actually comes from the latest Fedora images, which define +C in tmpfiles.d for /var/log/journal.
Comment 1 Daniel Walsh 2015-11-30 10:01:05 EST
Does this happen in permissive mode?

Any AVCs? ausearch -m avc -ts recent

If it still breaks in permissive mode, could you try it in --privileged?

Works for me on Rawhide.

docker run -ti -v /opt/data:/data:Z fedora bash
[root@aa75c689dfbd /]# chattr -C /data/
[root@aa75c689dfbd /]#

In Enforcing mode.
Comment 2 Jan Pazdziora 2015-11-30 10:10:14 EST
(In reply to Daniel Walsh from comment #1)
> Does this happen in permissive mode?
> 
> Any AVCs? ausearch -m avc -ts recent
> 
> If it still breaks in permissive mode, could you try it in --privileged?
> 
> Works for me on Rawhide.
> 
> docker run -ti -v /opt/data:/data:Z fedora bash
> [root@aa75c689dfbd /]# chattr -C /data/
> [root@aa75c689dfbd /]#
> 
> In Enforcing mode.

On RHEL 7, this happens in permissive and with --privileged as well. No AVC denials are logged. chattr -C /data/ does not work either.
Comment 3 Jan Pazdziora 2015-11-30 10:12:17 EST
(In reply to Jan Pazdziora from comment #2)
> 
> chattr -C /data/ does not work either.

Actually: chattr -C works. It's chattr +C which does not work, no matter if on /data/test or /data/.
Comment 4 Daniel Walsh 2015-11-30 11:31:49 EST
Does it work if you run it on the host?
Comment 5 Daniel Walsh 2015-11-30 11:34:41 EST
chattr -C only works on COW file systems.

On rhel7 I execute

mkdir /opt/data
chattr -C /opt/data
chattr: Operation not supported while setting flags on /opt/data.

So this is an issue with rhel7 not docker.
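
Added example, not part of the bug thread: a small triage script for the question the comments work through, namely whether a failing chattr +C should be chased as an SELinux denial or as a property of the filesystem backing the volume. The function names are made up for this example, and treating btrfs as the only filesystem type that implements +C is an assumption.

```sh
#!/bin/sh
# Added example (not from the bug report): triage a failing "chattr +C".
# Assumption: btrfs is the only type treated here as implementing No_COW.

# Pure check on a filesystem type name; testable without any mounts.
nocow_supported_fstype() {
    case "$1" in
        btrfs) return 0 ;;
        *)     return 1 ;;
    esac
}

# Filesystem type backing a path (GNU stat). For a bind-mounted volume this
# is the host filesystem underneath it, not the container's root filesystem.
fstype_of() {
    stat -f -c %T -- "$1"
}

# Map a filesystem type to where to look next:
#   fs-unsupported  type not known to implement +C; start with the filesystem
#   check-lsm       type implements +C; look for SELinux AVC denials
classify_nocow_failure() {
    if nocow_supported_fstype "$1"; then
        echo "check-lsm"
    else
        echo "fs-unsupported"
    fi
}

triage() {
    t_fstype=$(fstype_of "$1") || return 2
    t_verdict=$(classify_nocow_failure "$t_fstype")
    echo "path=$1 fstype=$t_fstype verdict=$t_verdict"
    if [ "$t_verdict" = "check-lsm" ] && command -v ausearch >/dev/null 2>&1; then
        # Same query as in comment 1; reading the audit log needs root.
        ausearch -m avc -ts recent 2>/dev/null || echo "no AVC records returned"
    fi
}

# Usage: sh triage.sh /opt/data   (run on the host and inside the container)
if [ "$#" -ge 1 ]; then
    triage "$1"
fi
```

Running it against both the host directory and the path inside the container shows whether the two resolve to the same filesystem type before any time is spent on permissive mode or --privileged.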
