Bug 1416896 - container-selinux not properly setting labels on /usr/bin/docker*
Summary: container-selinux not properly setting labels on /usr/bin/docker*
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
Depends On:
Blocks: 1186913 1399379 1422984
Reported: 2017-01-26 17:44 UTC by Jake Hunsaker
Modified: 2020-09-10 10:09 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-05-31 15:36:25 UTC
Target Upstream Version:

Attachments
Patch to fix installation order of container selinux packages. (1.46 KB, patch)
2017-01-28 09:13 UTC, Daniel Walsh

Description Jake Hunsaker 2017-01-26 17:44:33 UTC
Description of problem:

CEE-SD now has two reports of container-selinux not properly setting the selinux labels for docker. 

In the first, trying to run a container results in the following

panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
        panic: standard_init_linux.go:178: exec user process caused "permission denied"

In the second, the customer reports two items:

1. I installed Linux into a partition using --root option on the rpm command. When I subsequently booted on that image, when I tried to log in, it would say No shell -- permission denied. If I omitted the container-selinux package (and the docker package that requires it) then I was able to log in with no issues.

2. If I try to install docker-client and docker-common packages without first installing container-selinux, the installation would report errors from SELinux. If the container-selinux package was installed first, then the errors would go away. So that implies that the docker-client and docker-common packages have a dependency on container-selinux which is not properly declared.

Version-Release number of selected component (if applicable):
RHEL 7.3 with container-selinux-1.12.5-14.el7.x86_64 and docker-1.12.5-14.el7.x86_64 

How reproducible:
Always on a fresh installation

Steps to Reproduce:
1. Install docker-1.12.5 (or docker-latest) with container-selinux

Actual results:
User gets permission denied when trying to run a container

Expected results:
container-selinux should set the correct labels on installation so that containers can be run normally

Additional info:
Manually setting either docker_exec_t or container_runtime_exec_t on /usr/bin/docker* resolves this

Comment 1 Daniel Walsh 2017-01-26 20:48:33 UTC
What error are you seeing when you install the container-selinux package?

Comment 2 Jake Hunsaker 2017-01-26 21:10:00 UTC
I asked the customer for a bit of clarification on that point, here's what they said:


Basically, I am creating a file system in a partition on a second disk, bind mounting in /proc, /dev/, /sys, and /sys/fs/selinux and then installing rpms into it using --root. When it gets to docker-common, I get errors:

  error: unpacking of archive failed: cpio: lsetfilecon failed - Invalid argument
  error: docker-common-2:1.12.5-14.el7.x86_64: install failed
and on docker-client:
   error: unpacking of archive failed on file /usr/bin/docker-current;588a4135: cpio: lsetfilecon failed - Invalid argument
   error: docker-client-2:1.12.5-14.el7.x86_64: install failed

This is what I have been calling symptom #2, so that still exists. Note that the machine I am installing from has the same versions of container-selinux (1.12.5-14.el7) and selinux-policy-targeted (3.13.1-102.el7_3.13) installed as I am trying to install inside the --root. I have container-selinux listed in the same rpm -i command as the docker packages, but because docker-common and docker-client do not declare that they require it, the rpm command chose to install it after them. If I explicitly force container-selinux to be installed first, by doing a separate rpm -i command just for it, then the lsetfilecon errors go away. So that implies to me that those two packages have some subtle interaction or dependency on the container-selinux command which is not declared, and only shows up during a --root style installation.


Comment 4 Daniel Walsh 2017-01-28 09:12:16 UTC
Yes this looks like docker-client does not require container-selinux to be installed first.

It should have container-selinux in its pre. Probably happened with the break-out of docker-client from docker.
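An added example, not code from the bug report or from the docker or container-selinux packages: a shell script that audits the SELinux type on /usr/bin/docker* (the two accepted types are the ones the description says make containers runnable), relabels from the installed policy with restorecon when a binary is mislabeled, and checks that docker-client declares the container-selinux dependency this comment calls for. The function names, the `--live` flag and SAMPLE_LISTING are this example's own, and the sample listing is constructed; only audit_host and check_dependency need a real host with SELinux and rpm.

```bash
#!/bin/bash
# Added example (not from the bug report or the docker/container-selinux
# packages): audit the SELinux type on /usr/bin/docker*, relabel when wrong,
# and confirm docker-client depends on container-selinux. The parsing
# functions run offline on a constructed listing; audit_host and
# check_dependency need a RHEL host with SELinux enabled and rpm.

# The two types the report says make the docker binaries runnable.
ACCEPTED_TYPES="docker_exec_t container_runtime_exec_t"

# label_type CONTEXT -> the type field of an SELinux file context.
#   system_u:object_r:bin_t:s0 -> bin_t
label_type() {
    local rest=${1#*:}            # drop the user (system_u)
    rest=${rest#*:}               # drop the role (object_r)
    printf '%s\n' "${rest%%:*}"   # keep the type, drop the MLS level
}

# type_accepted TYPE -> exit 0 if TYPE is one of ACCEPTED_TYPES.
type_accepted() {
    local t
    for t in $ACCEPTED_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# audit_listing reads "CONTEXT PATH" lines (the output format of
# `stat -c '%C %n'`) on stdin, prints "PATH TYPE" for every file whose type
# is not accepted, and returns the number of such files (0 = all good).
audit_listing() {
    local ctx path ftype bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        ftype=$(label_type "$ctx")
        if ! type_accepted "$ftype"; then
            printf '%s %s\n' "$path" "$ftype"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# audit_host: on a real host, list the docker binaries' contexts and, if any
# is mislabeled, reapply the labels from the installed file_contexts. This is
# the manual fix from the report done through the policy (restorecon) rather
# than by hand-picking a type with chcon, so it survives a later relabel.
audit_host() {
    if ! stat -c '%C %n' /usr/bin/docker* | audit_listing; then
        restorecon -v /usr/bin/docker*
    fi
}

# check_dependency PKG: exit 0 if PKG declares any dependency on
# container-selinux. Caveat: `rpm -q --requires` shows that the dependency
# exists, not whether it is scoped as Requires(pre) for install ordering.
check_dependency() {
    rpm -q --requires "${1:-docker-client}" | grep -q '^container-selinux'
}

# Constructed sample listing: the first and third entries are mislabeled.
SAMPLE_LISTING='system_u:object_r:bin_t:s0 /usr/bin/docker
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/docker-current
system_u:object_r:unlabeled_t:s0 /usr/bin/docker-latest'

# run_sample: audit the constructed listing; exit status is the mislabeled count.
run_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing
}

if [ "${1:-}" = --live ]; then
    audit_host
    check_dependency docker-client && echo "docker-client requires container-selinux"
else
    run_sample || echo "$? mislabeled file(s)"
fi
```

Run it with no arguments to see the offline audit of the constructed listing, or with `--live` on a RHEL 7 host to audit and relabel the real binaries. A file whose type is not defined in the loaded policy is exactly the case where rpm's lsetfilecon fails with "Invalid argument", which is why the policy package has to be installed before the binaries it labels.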

Comment 5 Daniel Walsh 2017-01-28 09:13:03 UTC
Created attachment 1245352
Patch to fix installation order of container selinux packages.

Comment 7 Daniel Walsh 2017-03-06 13:05:25 UTC
Yes this should be fixed.

