Bug 1416896 - container-selinux not properly setting labels on /usr/bin/docker*
Summary: container-selinux not properly setting labels on /usr/bin/docker*
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1186913 1399379 1422984
Reported: 2017-01-26 17:44 UTC by Jake Hunsaker
Modified: 2020-09-10 10:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-31 15:36:25 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch to fix installation order of container selinux packages. (1.46 KB, patch) - 2017-01-28 09:13 UTC, Daniel Walsh

Description Jake Hunsaker 2017-01-26 17:44:33 UTC
Description of problem:

CEE-SD now has two reports of container-selinux not properly setting the selinux labels for docker. 

In the first, trying to run a container results in the following

------8<-----------
panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
        panic: standard_init_linux.go:178: exec user process caused "permission denied"
------8<-----------



In the second, the customer reports two items:

------8<-----------
1. I installed Linux into a partition using --root option on the rpm command. When I subsequently booted on that image, when I tried to log in, it would say No shell -- permission denied. If I omitted the container-selinux package (and the docker package that requires it) then I was able to log in with no issues.

2. If I try to install docker-client and docker-common packages without first installing container-selinux, the installation would report errors from SELinux. If the container-selinux package was installed first, then the errors would go away. So that implies that the docker-client and docker-common packages have a dependency on container-selinux which is not properly declared.
------8<-----------



Version-Release number of selected component (if applicable):
RHEL 7.3 with container-selinux-1.12.5-14.el7.x86_64 and docker-1.12.5-14.el7.x86_64 

How reproducible:
Always on a fresh installation

Steps to Reproduce:
1. Install docker-1.12.5 (or docker-latest) with container-selinux

Actual results:
User gets permission denied when trying to run a container

Expected results:
container-selinux should set the correct labels on installation so that containers can be run normally

Additional info:
Manually setting either docker_exec_t or container_runtime_exec_t on /usr/bin/docker* resolves this
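The description names the two SELinux types that make the docker binaries runnable. The following check, added here and not part of the bug report or the container-selinux package, reads `ls -Z /usr/bin/docker*` output (RHEL 7 format, "user:role:type:level path" per line) and reports any file whose type is not one of those two; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that the docker binaries
# carry one of the SELinux types the report says container-selinux should set.
# Feed it `ls -Z /usr/bin/docker*` output on stdin (RHEL 7 format:
# "user:role:type:level path", one file per line).

# Types named in the bug as resolving the "permission denied" panic.
EXPECTED_TYPES="docker_exec_t container_runtime_exec_t"

# check_docker_labels: reads ls -Z lines from stdin, prints one line per
# mislabeled file, returns 0 if every file is labeled acceptably, else 1.
check_docker_labels() {
    bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        type=$(printf '%s' "$ctx" | cut -d: -f3)   # third field of the context
        ok=0
        for t in $EXPECTED_TYPES; do
            [ "$type" = "$t" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "MISLABELED $path: type $type, expected one of: $EXPECTED_TYPES"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: docker is labeled correctly; docker-current is given a
# wrong type (bin_t, chosen for illustration) to exercise the failure path.
SAMPLE='system_u:object_r:container_runtime_exec_t:s0 /usr/bin/docker
system_u:object_r:bin_t:s0 /usr/bin/docker-current'

if printf '%s\n' "$SAMPLE" | check_docker_labels; then
    echo "all docker binaries labeled correctly"
else
    # On a real host, reapply the policy's file contexts after fixing the policy
    # ordering, e.g. with restorecon on /usr/bin/docker*.
    echo "one or more docker binaries need relabeling"
fi
```

On a live host, run `ls -Z /usr/bin/docker* | sh -c '. ./check.sh; check_docker_labels'` (or source the file) instead of the constructed sample.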

Comment 1 Daniel Walsh 2017-01-26 20:48:33 UTC
What error are you seeing when you install the container-selinux package?

Comment 2 Jake Hunsaker 2017-01-26 21:10:00 UTC
I asked the customer for a bit of clarification on that point, here's what they said:

------8<-----------

Basically, I am creating a file system in a partition on a second disk, bind mounting in /proc, /dev/, /sys, and /sys/fs/selinux and then installing rpms into it using --root. When it gets to docker-common, I get errors:

  error: unpacking of archive failed: cpio: lsetfilecon failed - Invalid argument
  error: docker-common-2:1.12.5-14.el7.x86_64: install failed
and on docker-client:
  error: unpacking of archive failed on file /usr/bin/docker-current;588a4135: cpio: lsetfilecon failed - Invalid argument
  error: docker-client-2:1.12.5-14.el7.x86_64: install failed

This is what I have been calling symptom #2, so that still exists. Note that the machine I am installing from has the same versions of container-selinux (1.12.5-14.el7) and selinux-policy-targeted (3.13.1-102.el7_3.13) installed as I am trying to install inside the --root. I have container-selinux listed in the same rpm -i command as the docker packages, but because docker-common and docker-client do not declare that they require it, the rpm command chose to install it after them. If I explicitly force container-selinux to be installed first, by doing a separate rpm -i command just for it, then the lsetfilecon errors go away. So that implies to me that those two packages have some subtle interaction or dependency on the container-selinux command which is not declared, and only shows up during a --root style installation.

------8<-----------

Comment 4 Daniel Walsh 2017-01-28 09:12:16 UTC
Yes, this looks like docker-client does not require container-selinux to be installed first.

It should have container-selinux in its pre. Probably happened with the break out of docker-client from docker.

Comment 5 Daniel Walsh 2017-01-28 09:13:03 UTC
Created attachment 1245352 [details]
Patch to fix installation order of container selinux packages.

Comment 7 Daniel Walsh 2017-03-06 13:05:25 UTC
Yes, this should be fixed.

container-selinux-2.9-4.el7

