Bug 1405028 - container-selinux-1.12.4-2.git1b5971a.fc25.x86_64 fails to load module, docker run does not work
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 25
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-12-15 12:22 UTC by Jan Pazdziora
Modified: 2016-12-16 00:27 UTC (History)

Fixed In Version: docker-1.12.4-6.git1b5971a.fc25
Last Closed: 2016-12-16 00:27:41 UTC
Type: Bug



Description Jan Pazdziora 2016-12-15 12:22:40 UTC
Description of problem:

When installing docker-1.12.4-2.git1b5971a.fc25.x86_64 and its dependency container-selinux-1.12.4-2.git1b5971a.fc25.x86_64, the semodule error

/var/lib/selinux/final/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/containers(/.*)?  (system_u:object_r:gear_var_lib_t:s0 and system_u:object_r:container_var_lib_t:s0).
/var/lib/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
/usr/sbin/semodule:  Failed!

is shown, and an attempt to run a container fails with an AVC denial.

Version-Release number of selected component (if applicable):

container-selinux-1.12.4-2.git1b5971a.fc25.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y docker
2. systemctl start docker
3. docker run --rm -ti fedora:25 cat /etc/fedora-release

Actual results:

  Installing  : policycoreutils-python-utils-2.5-19.fc25.x86_64           11/16 
  Installing  : container-selinux-2:1.12.4-2.git1b5971a.fc25.x86_64       12/16 
/var/lib/selinux/final/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/containers(/.*)?  (system_u:object_r:gear_var_lib_t:s0 and system_u:object_r:container_var_lib_t:s0).
/var/lib/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
/usr/sbin/semodule:  Failed!
  Installing  : docker-common-2:1.12.4-2.git1b5971a.fc25.x86_64           13/16 
  Installing  : docker-2:1.12.4-2.git1b5971a.fc25.x86_64                  14/16 
  Installing  : oci-systemd-hook-0.1.4-3.git41491a3.fc25.x86_64           15/16 
  Installing  : oci-register-machine-0-2.7.gitbb20b00.fc25.x86_64         16/16 

# docker run --rm -ti fedora:25 cat /etc/fedora-release
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:334: running prestart hook 1 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"\n".

Expected results:

No error during dnf install.

# docker run --rm -ti fedora:25 cat /etc/fedora-release
Fedora release 25 (Twenty Five)

Additional info:

type=AVC msg=audit(1481803735.800:265): avc:  denied  { search } for  pid=3776 comm="systemd-machine" name="8380" dev="proc" ino=46377 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
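
The install failure reported above is setfiles rejecting two file-context specifications that give the same path regex different contexts. As an added example (not part of the original report and not code from the container-selinux package), this shell function scans file-context fragments for that condition before a module is loaded. The file names, the /opt/example lines and the rule that an entry without a file type overlaps any file type are assumptions.

```shell
#!/bin/sh
# Added example: report file-context entries that label one path regex
# with two different SELinux contexts.

# find_fc_conflicts FILE...
# Input lines: "<path regex> [<file type, e.g. -d or -->] <context>".
# Prints one line per conflicting pair; prints nothing when the set is clean.
# Assumption: an entry without a file type overlaps any file type.
find_fc_conflicts() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            re = $1
            if (NF >= 3) { ft = $2; ctx = $3 } else { ft = ""; ctx = $2 }
            # compare with every earlier entry for the same regex
            for (i = 1; i <= n[re]; i++)
                if ((ft == "" || t[re, i] == "" || t[re, i] == ft) && c[re, i] != ctx)
                    printf "%s: %s (%s) and %s (%s)\n", re, c[re, i], f[re, i], ctx, FILENAME
            i = ++n[re]; t[re, i] = ft; c[re, i] = ctx; f[re, i] = FILENAME
        }
    ' "$@"
}

# write_sample DIR: constructed sample fragments. Only the conflicting path
# and its two contexts come from the error message in the report; the file
# names and the /opt/example lines are made up for the demonstration.
write_sample() {
    cat > "$1/gear.fc" <<'EOF'
# constructed sample
/var/lib/containers(/.*)?    system_u:object_r:gear_var_lib_t:s0
EOF
    cat > "$1/container.fc" <<'EOF'
# constructed sample
/var/lib/containers(/.*)?    system_u:object_r:container_var_lib_t:s0
/opt/example(/.*)?           system_u:object_r:container_var_lib_t:s0
/opt/example/run    --       system_u:object_r:container_var_lib_t:s0
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
find_fc_conflicts "$demo_dir/gear.fc" "$demo_dir/container.fc"
rm -rf "$demo_dir"
```

Empty output means no regex is labelled twice with different contexts; any printed line names both contexts and the files they came from.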

Comment 1 Fedora Update System 2016-12-15 12:28:57 UTC
docker-1.12.4-6.git1b5971a.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-44ed3dd527

Comment 2 Fedora Update System 2016-12-16 00:27:41 UTC
docker-1.12.4-6.git1b5971a.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

