Bug 1336857 - SELinux context not set properly when building vagrant box [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.2
Hardware/OS: Unspecified
Priority: high  Severity: high
Target Milestone: rc
Assigned To: Lokesh Mandvekar
atomic-bugs@redhat.com
: Extras
Reported: 2016-05-17 11:13 EDT by Praveen Kumar
Modified: 2016-11-04 05:08 EDT
Doc Type: If docs needed, set a value
Last Closed: 2016-11-04 05:08:37 EDT
Type: Bug
Flags: prkumar: needinfo? (lsm5)

External Trackers
Tracker ID: Red Hat Product Errata RHSA-2016:2634
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: docker security and bug fix update
Last Updated: 2016-11-03 16:51:48 EDT
Description Praveen Kumar 2016-05-17 11:13:43 EDT
Description of problem:
We are brewing a vagrant box for the Container Development Kit using a kickstart file (https://github.com/praveenkumar/adb-atomic-developer-bundle/blob/ose_32/build_tools/kickstarts/rhel-7-cdk-vagrant.ks) and we are not able to get the required SELinux context for the docker-current and docker-storage-setup binaries.


Version-Release number of selected component (if applicable):
# rpm -qa | grep docker
docker-forward-journald-1.9.1-40.el7.x86_64
docker-1.9.1-40.el7.x86_64
docker-common-1.9.1-40.el7.x86_64
docker-selinux-1.9.1-40.el7.x86_64

How reproducible:
Every time we brew a vagrant box with the specified kickstart file we get this issue.


Steps to Reproduce:
1. Use the above kickstart file and brew a vagrant box
2. ssh to the vagrant box
3. ls -Zl /usr/bin/docker*



Actual results:

-rwxr-xr-x. 1 system_u:object_r:docker_exec_t:s0 root root      532 May  3 16:01 /usr/bin/docker
-rwxr-xr-x. 1 system_u:object_r:s0 root root 38643559 May  3 16:04 /usr/bin/docker-current
-rwxr-xr-x. 1 system_u:object_r:s0 root root    26693 Apr 26 14:51 /usr/bin/docker-storage-setup


Expected results:
The SELinux context should be set for docker-current and docker-storage-setup.

Additional info:

I spent quite a lot of time putting different things in the kickstart to check whether the SELinux context could be updated, but it didn't work.

1. reinstall docker-selinux
# yum -y reinstall docker-selinux
# ls -Zl /usr/bin/docker*
-rwxr-xr-x. 1 system_u:object_r:docker_exec_t:s0 root root      532 May  3 16:01 /usr/bin/docker
-rwxr-xr-x. 1 system_u:object_r:bin_t:s0       root root 38643559 May  3 16:04 /usr/bin/docker-current
-rwxr-xr-x. 1 system_u:object_r:bin_t:s0       root root    26693 Apr 26 14:51 /usr/bin/docker-storage-setup

2. Manually changed the SELinux context using chcon, which makes docker work as expected.

3. Reinstall docker and docker-selinux (which also sets the SELinux context as expected)

# yum reinstall docker docker-selinux
# ls -Zl /usr/bin/docker*
-rwxr-xr-x. 1 system_u:object_r:docker_exec_t:s0 root root      532 May  3 16:01 /usr/bin/docker
-rwxr-xr-x. 1 system_u:object_r:docker_exec_t:s0 root root 38643559 May  3 16:04 /usr/bin/docker-current
-rwxr-xr-x. 1 system_u:object_r:docker_exec_t:s0 root root    26693 Apr 26 14:51 /usr/bin/docker-storage-setup

Anaconda logs from the brewed box: https://paste.fedoraproject.org/367607/97971146/
Comment 2 Daniel Walsh 2016-05-17 14:52:53 EDT
Looks like docker-selinux did not update?
Comment 3 Praveen Kumar 2016-05-18 04:29:18 EDT
(In reply to Daniel Walsh from comment #2)
> Looks like docker-selinux did not update?

You mean on the rpm package side or in the box (because in the box it updated to 1.9.1-40.el7.x86_64)?
Comment 4 Daniel Walsh 2016-05-18 08:39:05 EDT
Could you do

yum reinstall docker-selinux
matchpathcon /usr/bin/docker*
Comment 5 Praveen Kumar 2016-05-18 11:44:24 EDT
(In reply to Daniel Walsh from comment #4)
> Could you do
> 
> yum reinstall docker-selinux
> matchpathcon /usr/bin/docker*

# matchpathcon /usr/bin/docker*
/usr/bin/docker	system_u:object_r:docker_exec_t:s0
/usr/bin/docker-current	system_u:object_r:docker_exec_t:s0
/usr/bin/docker-storage-setup	system_u:object_r:docker_exec_t:s0

Does that mean there is something messy in the kickstart (https://github.com/praveenkumar/adb-atomic-developer-bundle/blob/ose_32/build_tools/kickstarts/rhel-7-cdk-vagrant.ks)?
Comment 6 Daniel Walsh 2016-05-18 17:14:59 EDT
That looks good, but what are the labels?
ls -lZ /usr/bin/docker*
Comment 7 Praveen Kumar 2016-05-18 21:17:09 EDT
(In reply to Daniel Walsh from comment #6)
> That looks good, but what are the labels?
> ls -lZ /usr/bin/docker*

# ls -Zl /usr/bin/docker*
-rwxr-xr-x. 1 system_u:object_r:docker_exec_t:s0 root root      532 May  3 16:01 /usr/bin/docker
-rwxr-xr-x. 1 system_u:object_r:bin_t:s0       root root 38643559 May  3 16:04 /usr/bin/docker-current
-rwxr-xr-x. 1 system_u:object_r:bin_t:s0       root root    26693 Apr 26 14:51 /usr/bin/docker-storage-setup
Comment 8 Daniel Walsh 2016-05-19 10:18:37 EDT
restorecon -v /usr/bin/docker*

Should fix.

But it looks like we have a bug in the scripts that do not label these correctly on creation.

If docker-selinux was installed before docker and docker-latest, they would get labeled correctly.
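The label check walked through in comments 4 to 7 (compare what `ls -Zl` shows with what `matchpathcon` says policy expects), as an added Python example that is not part of this bug report: every path it reports is one that the `restorecon` suggested in comment 8 would relabel. The sample outputs are constructed from the values quoted in this bug.

```python
"""Diff the SELinux labels files carry (ls -Z) against what policy expects
(matchpathcon); every path reported is one restorecon would relabel.
The sample outputs are constructed from the values quoted in this bug."""
# Constructed sample: `ls -Zl /usr/bin/docker*` as in comment 7.
LS_Z_OUTPUT = """\
-rwxr-xr-x. 1 system_u:object_r:docker_exec_t:s0 root root      532 May  3 16:01 /usr/bin/docker
-rwxr-xr-x. 1 system_u:object_r:bin_t:s0       root root 38643559 May  3 16:04 /usr/bin/docker-current
-rwxr-xr-x. 1 system_u:object_r:bin_t:s0       root root    26693 Apr 26 14:51 /usr/bin/docker-storage-setup
"""
# Constructed sample: `matchpathcon /usr/bin/docker*` as in comment 5 (tab-separated).
MATCHPATHCON_OUTPUT = """\
/usr/bin/docker\tsystem_u:object_r:docker_exec_t:s0
/usr/bin/docker-current\tsystem_u:object_r:docker_exec_t:s0
/usr/bin/docker-storage-setup\tsystem_u:object_r:docker_exec_t:s0
"""

def parse_ls_z(text):
    """Map path -> actual context. In `ls -Zl` output the context is the third
    field and the path the last; other lines (e.g. 'total 0') are skipped."""
    actual = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2].count(":") >= 2:
            actual[fields[-1]] = fields[2]
    return actual

def parse_matchpathcon(text):
    """Map path -> expected context from `matchpathcon` lines (path<TAB>context)."""
    expected = {}
    for line in text.splitlines():
        path, _, context = line.partition("\t")
        if context.strip():
            expected[path] = context.strip()
    return expected

def type_of(context):
    """Extract the type from user:role:type:level. A label with fewer than four
    fields (like 'system_u:object_r:s0' in the Actual results above) is flagged
    as malformed so it is never mistaken for a correct label."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 4 else "<malformed>"

def find_mislabeled(ls_text, mpc_text):
    """Return {path: (actual_type, expected_type)} for every path whose on-disk
    type differs from the policy's type (the paths restorecon would fix)."""
    actual, expected = parse_ls_z(ls_text), parse_matchpathcon(mpc_text)
    return {p: (type_of(actual[p]), type_of(expected[p])) for p in actual
            if p in expected and type_of(actual[p]) != type_of(expected[p])}

if __name__ == "__main__":
    for path, (have, want) in sorted(find_mislabeled(LS_Z_OUTPUT, MATCHPATHCON_OUTPUT).items()):
        print(f"{path}: labeled {have}, policy expects {want}")
```

On a live system the two inputs come from `ls -Zl /usr/bin/docker*` and `matchpathcon /usr/bin/docker*`; an empty result means the labels already match policy.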
Comment 9 Praveen Kumar 2016-05-19 23:01:18 EDT
(In reply to Daniel Walsh from comment #8)
> restorecon -v /usr/bin/docker*
> 
> Should fix.
> 
> But it looks like we have a bug in the scripts that do not label these
> correctly on creation.
> 
> If docker-selinux was installed before docker and docker-latest, they would
> get labeled correctly.

That's right, even if I reinstall docker-selinux it doesn't get labeled correctly. We have to use `restorecon`, which is kind of a bug, and I think we filed the same issue earlier (#1281805) and it was closed by saying that the ordering of docker-selinux and docker is now fixed. I think we have to revisit and find out why it is happening.
Comment 10 Daniel Walsh 2016-05-20 08:47:04 EDT
The docker package and docker-latest packages need to Requires(pre) the docker-selinux package, to make sure it is fully installed before the contents of docker or docker-latest are laid down.

Alternatively docker-selinux should run restorecon on /usr/bin/docker* in its post install.
Comment 11 Praveen Kumar 2016-05-27 09:01:15 EDT
@lsm Any update on this bug?
Comment 13 Daniel Walsh 2016-08-19 16:04:03 EDT
Fixed in docker-1.10.
Comment 16 errata-xmlrpc 2016-11-04 05:08:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2634.html
