Description of problem:

$ sudo dnf install docker
Last metadata expiration check: 0:08:07 ago on Mon Apr 4 02:42:43 2016.
Dependencies resolved.
================================================================================
 Package          Arch     Version                      Repository   Size
================================================================================
Installing:
 docker           x86_64   2:1.10.3-4.gitf8a9a2a.fc25   rawhide      6.7 M
 docker-selinux   x86_64   2:1.10.3-4.gitf8a9a2a.fc25   rawhide       66 k

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 6.8 M
Installed size: 28 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): docker-selinux-1.10.3-4.gitf8a9a2a.fc25.x86_64.rpm   161 kB/s |  66 kB   00:00
(2/2): docker-1.10.3-4.gitf8a9a2a.fc25.x86_64.rpm           4.7 MB/s | 6.7 MB   00:01
--------------------------------------------------------------------------------
Total                                                       3.8 MB/s | 6.8 MB   00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : docker-selinux-2:1.10.3-4.gitf8a9a2a.fc25.x86_64   1/2
neverallow check failed at line 8831 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
  (neverallow base_typeattr_12 unlabeled_t (file (entrypoint)))
    <root>
    allow at line 546 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at line 828 of /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at line 1591 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at line 1968 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))
Failed to generate binary
/usr/sbin/semodule: Failed!
  Installing  : docker-2:1.10.3-4.gitf8a9a2a.fc25.x86_64           2/2
  Verifying   : docker-2:1.10.3-4.gitf8a9a2a.fc25.x86_64           1/2
  Verifying   : docker-selinux-2:1.10.3-4.gitf8a9a2a.fc25.x86_64   2/2

Installed:
  docker.x86_64 2:1.10.3-4.gitf8a9a2a.fc25
  docker-selinux.x86_64 2:1.10.3-4.gitf8a9a2a.fc25

Version-Release number of selected component (if applicable):
docker-1.10.3-4.gitf8a9a2a.fc25.x86_64
docker-selinux-1.10.3-4.gitf8a9a2a.fc25.x86_64

How reproducible:
consistent

Steps to Reproduce:
1. dnf install docker

This is a bug in docker-selinux and selinux-policy-targeted. unlabeled_t should not have the attribute exec_type. Which will get rid of most of the errors. We can remove the transition from docker_t @unlabeled_t -> spc_t, but we need to fix docker to label devicemapper content by default as something other than unlabeled_t when SELinux is disabled inside the container.

Should be fixed in rawhide via changes to selinux-policy.
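
Added example, not part of the original report or of the docker-selinux or selinux-policy projects: a small parser for the neverallow failure text quoted in the description, showing which offending allow rules name unlabeled_t directly and which reach it through exec_type, as the comment above describes. The function names are hypothetical, and treating any target other than the neverallow's own type as an attribute covering it is an assumption.

```python
import re

# semodule failure text copied from the dnf output in this report.
SEMODULE_OUTPUT = """\
neverallow check failed at line 8831 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
(neverallow base_typeattr_12 unlabeled_t (file (entrypoint)))
<root>
allow at line 546 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow spc_t unlabeled_t (file (entrypoint)))
<root>
allow at line 828 of /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil
(allow sandbox_x_domain exec_type (file (entrypoint)))
<root>
allow at line 1591 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
(allow virtd_lxc_t exec_type (file (entrypoint)))
<root>
allow at line 1968 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
(allow svirt_sandbox_domain exec_type (file (entrypoint)))
"""

# Location lines give line number, module priority and module name; rule lines give the CIL rule.
LOCATION = re.compile(r"(?:neverallow check failed|allow) at line (\d+) of \S+/modules/(\d+)/([^/\s]+)/cil")
RULE = re.compile(r"\((neverallow|allow) (\S+) (\S+) \((\w+) \((\w+)\)\)\)")

def parse_violations(text):
    """Return (neverallow, [allow, ...]); each rule is a dict with its module location."""
    locations = [m.groups() for m in LOCATION.finditer(text)]
    rules = [m.groups() for m in RULE.finditer(text)]
    if not rules or len(rules) != len(locations) or rules[0][0] != "neverallow":
        raise ValueError("unrecognised neverallow failure output")
    parsed = [
        dict(kind=k, source=s, target=t, tclass=c, perm=p,
             line=int(ln), priority=int(prio), module=mod)
        for (k, s, t, c, p), (ln, prio, mod) in zip(rules, locations)
    ]
    return parsed[0], parsed[1:]

def classify(text):
    """Split offending allows: target named directly vs. reached via another name."""
    never, allows = parse_violations(text)
    direct = [a for a in allows if a["target"] == never["target"]]
    via_attribute = [a for a in allows if a["target"] != never["target"]]
    return never, direct, via_attribute

if __name__ == "__main__":
    never, direct, via_attribute = classify(SEMODULE_OUTPUT)
    for label, rules in (("direct", direct), ("via attribute", via_attribute)):
        for r in rules:
            print(f"{label:14} {r['module']}@{r['priority']} line {r['line']}: {r['source']} -> {r['target']}")
```

On this report's output, three of the four offending rules go through exec_type in the base policy's own modules, and only the docker module's spc_t rule names unlabeled_t directly.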