Bug 1317928 - nspawn does not set SELinux label correctly (/dev/console)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 24
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-03-15 14:29 UTC by Alban Crequy
Modified: 2016-06-01 19:54 UTC

Fixed In Version: systemd-229-8.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-01 19:54:15 UTC



Description Alban Crequy 2016-03-15 14:29:57 UTC
Description of problem:
- systemd-nspawn-v229 does not set SELinux label correctly (/dev/console)
- Fixed in https://github.com/systemd/systemd/pull/2816 but the patch is not backported in Fedora-rawhide.
- systemd-v230 is not going to get released soon. It would be nice to have the fix in Fedora before the next upstream release.

Version-Release number of selected component (if applicable):
systemd < v230 (still unreleased)

How reproducible:
Cannot start rkt with the default nspawn-based stage1 when SELinux is enabled.

Steps to Reproduce:
1. start a rkt container with the default nspawn-based stage1

Actual results:
- Fails with SELinux

Expected results:
- Works without SELinux errors

Additional info:
- See related issues:
- https://github.com/coreos/rkt/issues/1727
- https://github.com/coreos/rkt/issues/2264
- https://github.com/fedora-selinux/selinux-policy/pull/108

Comment 1 Zbigniew Jędrzejewski-Szmek 2016-03-16 12:58:17 UTC
I presume this should be fixed in F24 too. Should be easy enough to backport once the freeze is over.

Comment 2 Daniel Walsh 2016-03-17 20:32:03 UTC
Yes if people want rkt to work...

Comment 3 Mike McCune 2016-03-28 23:38:32 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 4 Fedora Update System 2016-05-30 05:37:52 UTC
systemd-229-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f8a34340d

Comment 5 Fedora Update System 2016-05-31 03:54:08 UTC
systemd-229-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f8a34340d

Comment 6 Fedora Update System 2016-06-01 19:53:55 UTC
systemd-229-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

