Bug 1370935 - docker-selinux broken in 7.3
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
7.3
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Lokesh Mandvekar
atomic-bugs@redhat.com
: Extras
Depends On:
Blocks: 1375561
Reported: 2016-08-28 11:36 EDT by Jeremy Eder
Modified: 2016-11-04 05:09 EDT
Last Closed: 2016-11-04 05:09:13 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2634 normal SHIPPED_LIVE Moderate: docker security and bug fix update 2016-11-03 16:51:48 EDT

Comment 2 Daniel Walsh 2016-08-29 05:36:13 EDT
The problem is the docker-selinux package did not install properly.  There are build differences between the 7.3 and 7.2.7 selinux-policy packages that are causing docker-selinux to blow up.
Comment 8 Daniel Walsh 2016-09-03 05:28:02 EDT
I agree this is a blocker.

The latest docker-selinux should have /usr/bin/docker* labeled as docker_exec_t.

yum reinstall docker-selinux
restorecon -v /usr/bin/docker*
ls -lZ /usr/bin/docker*

If they are all labeled docker_exec_t, then you should be able to 

systemctl restart docker Or docker-latest

Now check the label on the docker process.

ps -eZ | grep docker

They should all be labeled docker_t.
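
The label checks from comment 8, as an added example that is not part of the original thread or of the docker-selinux project: a POSIX shell function that reads ls -lZ or ps -eZ output and reports every entry whose SELinux type differs from the expected one. The function name check_labels is hypothetical and the sample command output is constructed.

```shell
#!/bin/sh
# Added example: verify SELinux types in captured `ls -lZ` / `ps -eZ` output.
# check_labels is a hypothetical helper; it reads lines on stdin.
# Exit status: 0 = every line has the expected type, 1 = at least one
# mismatch, 2 = no input lines (nothing was actually checked).
check_labels() {
    awk -v want="$1" '
        NF == 0 { next }
        {
            t = "<none>"
            # The context is the first field shaped like user:role:type[:level].
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[a-z_]+:[a-z_]+:[a-z0-9_]+(:|$)/) {
                    split($i, c, ":"); t = c[3]; break
                }
            seen++
            if (t != want) {
                bad++
                printf "MISMATCH want=%s got=%s: %s\n", want, t, $NF
            }
        }
        END {
            if (seen == 0) { print "NO INPUT: nothing to check"; exit 2 }
            exit (bad > 0)
        }'
}

# Constructed sample of `ls -lZ /usr/bin/docker*` with one mislabeled binary.
LS_SAMPLE='-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-latest'

# Constructed sample of `ps -eZ | grep docker` after a clean restart.
PS_SAMPLE='system_u:system_r:docker_t:s0     1201 ?        00:00:07 docker
system_u:system_r:docker_t:s0     1215 ?        00:00:00 docker-proxy'

printf '%s\n' "$LS_SAMPLE" | check_labels docker_exec_t \
    || echo "file labels wrong: reinstall docker-selinux and run restorecon"
printf '%s\n' "$PS_SAMPLE" | check_labels docker_t \
    && echo "docker processes are confined as docker_t"

# On a live host the same function takes the real command output:
#   ls -lZ /usr/bin/docker* | check_labels docker_exec_t
#   ps -eZ | grep docker    | check_labels docker_t
```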
Comment 9 Colin Walters 2016-09-03 06:20:52 EDT
That only applies to non-AH.  For AH we want Docker to work by default.

If you look at https://atomic-e2e-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/rhelah-autobrew-7.3-treecompose/

The error is:
02:02:16 Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/200/docker/cil:168
02:02:16 /usr/sbin/semodule:  Failed!
Comment 10 Daniel Walsh 2016-09-03 07:05:54 EDT
Is /etc/selinux/targeted/tmp/modules/200/docker/cil still available?

The question is what typeattribute is it blowing up over.
Comment 12 Daniel Walsh 2016-09-06 12:21:27 EDT
The issue was on selinux-policy
Comment 13 Daniel Walsh 2016-09-06 12:26:34 EDT
Should be fixed in selinux-policy-3.13.1-97.el7
Comment 14 Daniel Walsh 2016-09-06 12:26:58 EDT
Docker package should be a requires on this patch.
Comment 18 Sebastian Jug 2016-09-06 16:27:48 EDT
@Colin,

Indeed you're right; after a docker reinstall the issue is resolved.
Comment 20 Daniel Walsh 2016-09-06 17:08:05 EDT
Yes I just checked in a fix for this in docker-selinux.

edbbfc9001fbf949e4fb98392c647cdd820f06fe fixes this issue.

Seems selinux policy in RHEL now has a domain for k8s which defines this path.
This policy is not present in Rawhide though.
Comment 22 Colin Walters 2016-09-07 10:05:15 EDT
*** Bug 1373952 has been marked as a duplicate of this bug. ***
Comment 24 Daniel Walsh 2016-09-07 12:23:44 EDT
C#19 is this bug, I would say.
Comment 25 Daniel Walsh 2016-09-07 12:29:39 EDT
c#21 is somewhat covered here.
https://bugzilla.redhat.com/show_bug.cgi?id=1373648
Comment 26 Colin Walters 2016-09-08 08:52:40 EDT
Ok, works with:

# atomic host status
State: idle
Deployments:
● rhelah-autobuild:rhel-atomic-host/7.3/x86_64/autobrew/buildmaster
       Version: 7.3.internal.0.27 (2016-09-08 12:49:40)
        Commit: ff03b46032f9e12b033b322b4f2e0841543f04178d955963a08a1b7e71412413
        OSName: rhel-atomic-host
# rpm -q docker selinux-policy
docker-1.10.3-53.el7.x86_64
selinux-policy-3.13.1-97.el7.noarch
Comment 27 Daniel Walsh 2016-09-08 09:08:28 EDT
Woohoo Finally.
Comment 29 Matus Marhefka 2016-09-21 06:15:53 EDT
VERIFIED with these versions:

docker-1.10.3-53.el7.x86_64
docker-selinux-1.10.3-53.el7.x86_64
selinux-policy-3.13.1-98.el7.noarch

Beaker job which works with atomic/docker executables:
https://beaker.engineering.redhat.com/recipes/3085819#tasks
Comment 33 errata-xmlrpc 2016-11-04 05:09:13 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2634.html
