Bug 1400333 - docker-current is prevented from running container by selinux after upgrading.
Summary: docker-current is prevented from running container by selinux after upgrading.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On: 1358819
Blocks: 1366991 1375561 1420851
Reported: 2016-11-30 22:46 UTC by Ryan Howe
Modified: 2020-03-11 15:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1358819
Environment:
Last Closed: 2017-06-30 15:20:11 UTC
Target Upstream Version:
Embargoed:



Comment 1 Ryan Howe 2016-11-30 22:48:44 UTC
The issue is with the context not set on both /usr/bin/docker-current and /usr/bin/docker-latest. The rpm postinstall script [1] is doing a restorecon but leaving out both /usr/bin/docker-current and /usr/bin/docker-latest, so those files end up keeping the default context for files in /usr/bin.

So to fix this bug we should run restorecon on /usr/bin/docker-current and /usr/bin/docker-latest. 



[1] 
[root@master-1 ~]# rpm -ql docker-selinux-1.10.3-57.el7.x86_64
/usr/share/selinux/packages/docker.pp.bz2

[root@master-1 ~]# rpm -qc docker-selinux-1.10.3-57.el7.x86_64  --scripts
postinstall scriptlet (using /bin/sh):
# Install all modules in a single transaction
export MODULES=""; for x in docker; do MODULES+=/usr/share/selinux/packages/$x.pp.bz2; MODULES+=" "; done;
/usr/sbin/semodule -n --priority=200 -s targeted -i $MODULES > /dev/null
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    /usr/sbin/restorecon -R /usr/bin/docker /var/run/docker.sock /var/run/docker.pid /etc/docker /var/log/docker /var/log/lxc /var/lock/lxc /usr/lib/systemd/system/docker.service /etc/docker &> /dev/null || :
    if [ $1 -eq 1 ]; then
    restorecon -R /var/lib/docker &> /dev/null || :
    fi
fi
postuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then
/usr/sbin/semodule -n -r docker &> /dev/null || :
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
/usr/sbin/restorecon -R /usr/bin/docker /var/run/docker.sock /var/run/docker.pid /etc/docker /var/log/docker /var/log/lxc /var/lock/lxc /usr/lib/systemd/system/docker.service /etc/docker &> /dev/null || :
fi
fi
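
A defender-side check for the mislabelling described in comment 1, added here as an example and not part of the bug report or of the docker-selinux package: it lists the docker binaries whose on-disk SELinux context differs from the context the loaded policy expects, which is what the postinstall restorecon missed. The docker_exec_t label and the sample contexts are constructed assumptions; the paths are the ones from the report.

```shell
#!/bin/sh
# Added example, not from the bug report: find docker binaries whose on-disk
# SELinux context differs from what the loaded policy expects, i.e. what the
# postinstall restorecon missed for docker-current and docker-latest.
# The docker_exec_t label and the sample contexts below are constructed.

# Policy's view, in matchpathcon's "path<TAB>context" format (constructed).
sample_expected() {
    printf '%s\t%s\n' \
        /usr/bin/docker         system_u:object_r:docker_exec_t:s0 \
        /usr/bin/docker-current system_u:object_r:docker_exec_t:s0 \
        /usr/bin/docker-latest  system_u:object_r:docker_exec_t:s0
}

# On-disk view after the buggy scriptlet: only /usr/bin/docker was relabelled,
# the other two kept the bin_t default for /usr/bin (constructed, per comment 1).
sample_actual() {
    printf '%s\t%s\n' \
        /usr/bin/docker         system_u:object_r:docker_exec_t:s0 \
        /usr/bin/docker-current system_u:object_r:bin_t:s0 \
        /usr/bin/docker-latest  system_u:object_r:bin_t:s0
}

# mislabelled EXPECTED ACTUAL: print each path whose actual context differs
# from the expected one; both files hold tab-separated "path context" lines.
mislabelled() {
    awk -F '\t' 'NR == FNR { want[$1] = $2; next }
                 ($1 in want) && want[$1] != $2 { print $1 }' "$1" "$2"
}

# Run the comparison on the constructed samples (prints the two mislabelled
# paths, one per line).
check_sample() {
    want=$(mktemp) && have=$(mktemp) || return 1
    sample_expected > "$want"
    sample_actual > "$have"
    mislabelled "$want" "$have"
    rm -f "$want" "$have"
}

# check_live PATH...: the same comparison on a running SELinux host, taking
# the policy's view from matchpathcon and the on-disk context from GNU stat.
check_live() {
    want=$(mktemp) && have=$(mktemp) || return 1
    matchpathcon "$@" > "$want"
    stat -c "%n$(printf '\t')%C" "$@" > "$have"
    mislabelled "$want" "$have"
    rm -f "$want" "$have"
}
```

On a live host, `check_live /usr/bin/docker /usr/bin/docker-current /usr/bin/docker-latest` prints the paths that `restorecon` on those two files would fix.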

Comment 3 Marko Myllynen 2017-01-12 08:50:54 UTC
Copying my comment from the original just in case:

I'm seeing OCP 3.3 installation on RHEL 7.3 with packages of 2017-01-12 failing due to this.

For some reason I can't reopen this BZ; it definitely should be reopened.

[root@infra01 ~]# yum reinstall docker-selinux
Loaded plugins: priorities, product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package docker-selinux.x86_64 0:1.10.3-57.el7 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch       Version           Repository                Size
================================================================================
Reinstalling:
 docker-selinux     x86_64     1.10.3-57.el7     rhel-7-extras-rpms        79 k

Transaction Summary
================================================================================
Reinstall  1 Package

Total download size: 79 k
Installed size: 27 k
Is this ok [y/d/N]: y
Downloading packages:
docker-selinux-1.10.3-57.el7.x86_64.rpm                    |  79 kB   00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : docker-selinux-1.10.3-57.el7.x86_64                          1/1 
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/200/docker/cil:1
/usr/sbin/semodule:  Failed!
  Verifying  : docker-selinux-1.10.3-57.el7.x86_64                          1/1 

Installed:
  docker-selinux.x86_64 0:1.10.3-57.el7                                         

Complete!
[root@infra01 ~]# rpm -q docker-selinux selinux-policy
docker-selinux-1.10.3-57.el7.x86_64
selinux-policy-3.13.1-102.el7_3.7.noarch
[root@infra01 ~]# restorecon -v /usr/bin/docker-current
[root@infra01 ~]# matchpathcon /usr/bin/docker-current 
/usr/bin/docker-current	system_u:object_r:bin_t:s0
[root@infra01 ~]# ls -lZ /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/docker-current
[root@infra01 ~]# docker run -it test
docker: Error response from daemon: Cannot start container 8f3718c4e282e36ce234749adbea8c2ed2054267a8775f663019cd84cfd0ff68: [9] System error: exit status 1.
[root@infra01 ~]# 

Thanks.

Comment 4 Marko Myllynen 2017-01-12 09:02:41 UTC
On an OpenShift infra node I also see:

[root@infra01 ~]# yum remove docker\*
Loaded plugins: priorities, product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.10.3-59.el7 will be erased
---> Package docker-common.x86_64 2:1.10.3-59.el7 will be erased
---> Package docker-rhel-push-plugin.x86_64 2:1.10.3-59.el7 will be erased
---> Package docker-selinux.x86_64 0:1.10.3-57.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch    Version          Repository              Size
================================================================================
Removing:
 docker                   x86_64  2:1.10.3-59.el7  @rhel-7-extras-rpms     55 M
 docker-common            x86_64  2:1.10.3-59.el7  @rhel-7-extras-rpms    3.0 k
 docker-rhel-push-plugin  x86_64  2:1.10.3-59.el7  @rhel-7-extras-rpms    9.6 M
 docker-selinux           x86_64  1.10.3-57.el7    @rhel-7-extras-rpms     27 k

Transaction Summary
================================================================================
Remove  4 Packages

Installed size: 64 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : 2:docker-1.10.3-59.el7.x86_64                                1/4 
  Erasing    : 2:docker-common-1.10.3-59.el7.x86_64                         2/4 
  Erasing    : docker-selinux-1.10.3-57.el7.x86_64                          3/4 
  Erasing    : 2:docker-rhel-push-plugin-1.10.3-59.el7.x86_64               4/4 
  Verifying  : 2:docker-1.10.3-59.el7.x86_64                                1/4 
  Verifying  : 2:docker-common-1.10.3-59.el7.x86_64                         2/4 
  Verifying  : docker-selinux-1.10.3-57.el7.x86_64                          3/4 
  Verifying  : 2:docker-rhel-push-plugin-1.10.3-59.el7.x86_64               4/4 

Removed:
  docker.x86_64 2:1.10.3-59.el7                                                 
  docker-common.x86_64 2:1.10.3-59.el7                                          
  docker-rhel-push-plugin.x86_64 2:1.10.3-59.el7                                
  docker-selinux.x86_64 0:1.10.3-57.el7                                         

Complete!
[root@infra01 ~]# restorecon -R / > /dev/null 2>&1
[root@infra01 ~]# yum install docker docker-selinux
Loaded plugins: priorities, product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.10.3-59.el7 will be installed
--> Processing Dependency: docker-common = 2:1.10.3-59.el7 for package: 2:docker-1.10.3-59.el7.x86_64
--> Processing Dependency: docker-rhel-push-plugin = 2:1.10.3-59.el7 for package: 2:docker-1.10.3-59.el7.x86_64
---> Package docker-selinux.x86_64 0:1.10.3-57.el7 will be installed
--> Running transaction check
---> Package docker-common.x86_64 2:1.10.3-59.el7 will be installed
---> Package docker-rhel-push-plugin.x86_64 2:1.10.3-59.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch    Version           Repository             Size
================================================================================
Installing:
 docker                   x86_64  2:1.10.3-59.el7   rhel-7-extras-rpms     12 M
 docker-selinux           x86_64  1.10.3-57.el7     rhel-7-extras-rpms     79 k
Installing for dependencies:
 docker-common            x86_64  2:1.10.3-59.el7   rhel-7-extras-rpms     63 k
 docker-rhel-push-plugin  x86_64  2:1.10.3-59.el7   rhel-7-extras-rpms    2.3 M

Transaction Summary
================================================================================
Install  2 Packages (+2 Dependent packages)

Total download size: 14 M
Installed size: 64 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): docker-common-1.10.3-59.el7.x86_64.rpm              |  63 kB   00:00     
(2/4): docker-rhel-push-plugin-1.10.3-59.el7.x86_64.rpm    | 2.3 MB   00:02     
(3/4): docker-selinux-1.10.3-57.el7.x86_64.rpm             |  79 kB   00:00     
(4/4): docker-1.10.3-59.el7.x86_64.rpm                     |  12 MB   00:13     
--------------------------------------------------------------------------------
Total                                              1.0 MB/s |  14 MB  00:13     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:docker-rhel-push-plugin-1.10.3-59.el7.x86_64               1/4 
  Installing : 2:docker-common-1.10.3-59.el7.x86_64                         2/4 
  Installing : 2:docker-1.10.3-59.el7.x86_64                                3/4 
  Installing : docker-selinux-1.10.3-57.el7.x86_64                          4/4 
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/200/docker/cil:1
/usr/sbin/semodule:  Failed!
  Verifying  : 2:docker-1.10.3-59.el7.x86_64                                1/4 
  Verifying  : 2:docker-common-1.10.3-59.el7.x86_64                         2/4 
  Verifying  : docker-selinux-1.10.3-57.el7.x86_64                          3/4 
  Verifying  : 2:docker-rhel-push-plugin-1.10.3-59.el7.x86_64               4/4 

Installed:
  docker.x86_64 2:1.10.3-59.el7      docker-selinux.x86_64 0:1.10.3-57.el7     

Dependency Installed:
  docker-common.x86_64 2:1.10.3-59.el7                                          
  docker-rhel-push-plugin.x86_64 2:1.10.3-59.el7                                

Complete!
[root@infra01 ~]# 

Thanks.

Comment 5 Marko Myllynen 2017-01-12 20:31:53 UTC
Please disregard comment 4.

As discussed over bug 1358819, docker-selinux should not be used anymore, container-selinux is the new package. However, with it there is still at least one problem which is being tracked in:

https://bugzilla.redhat.com/show_bug.cgi?id=1412803

Thanks.

Comment 6 Marko Myllynen 2017-04-07 12:20:28 UTC
FWIW, I'm not seeing any related issues with the latest OCP 3.4 containerized installation using:

container-selinux-2.9-4.el7.noarch
docker-1.12.6-11.el7.x86_64
selinux-policy-3.13.1-102.el7_3.16.noarch

Thanks.

Comment 7 Daniel Walsh 2017-06-30 15:20:11 UTC
This is fixed in the current release.

