Description of problem:
I tried to debug some issues with recent changes in the atomic utility and I found a problem in docker as part of finding a reproducer. It's not related to SELinux because the same problem is in permissive mode.

Version-Release number of selected component (if applicable):
sh4 rpm -q docker selinux-policy container-selinux
docker-1.12.6-17.git037a2f5.fc26.x86_64
selinux-policy-3.13.1-236.fc26.ls.1486052064.noarch
container-selinux-2.5-1.fc26.noarch

How reproducible:
Deterministic

Steps to Reproduce:
1. docker run -ti --security-opt=no-new-privileges --name test fedora:25 bash

Actual results:
panic: standard_init_linux.go:178: exec user process caused "operation not permitted" [recovered]
	panic: standard_init_linux.go:178: exec user process caused "operation not permitted"

goroutine 1 [running, locked to thread]:
panic(0x6f3080, 0xc420153d50)
	/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/urfave/cli.HandleAction.func1(0xc420089748)
	/builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x247
panic(0x6f3080, 0xc420153d50)
	/usr/lib/golang/src/runtime/panic.go:458 +0x243
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc420089198, 0xc420026078, 0xc420089238)
	/builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x18f
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc420056690, 0xaac9c0, 0xc420153d50)
	/builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x353
main.glob..func8(0xc42008c780, 0x0, 0x0)
	/builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main_unix.go:26 +0x66
reflect.Value.call(0x6dde00, 0x769e68, 0x13, 0x73c329, 0x4, 0xc420089708, 0x1, 0x1, 0x4d17c8, 0x732160, ...)
	/usr/lib/golang/src/reflect/value.go:434 +0x5c8
reflect.Value.Call(0x6dde00, 0x769e68, 0x13, 0xc420089708, 0x1, 0x1, 0xac2720, 0xc4200896e8, 0x4da7a6)
	/usr/lib/golang/src/reflect/value.go:302 +0xa4
github.com/urfave/cli.HandleAction(0x6dde00, 0x769e68, 0xc42008c780, 0x0, 0x0)
	/builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x1e0
github.com/urfave/cli.Command.Run(0x73c4f5, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74db3d, 0x51, 0x0, ...)
	/builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xc3b
github.com/urfave/cli.(*App).Run(0xc4200f0000, 0xc42000c120, 0x2, 0x2, 0x0, 0x0)
	/builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0x611
main.main()
	/builddir/build/BUILD/docker-037a2f5e5b7cf1f7663f1840f7e84328806c08ef/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main.go:137 +0xbd6

Expected results:
Terminal is opened

Additional info:
The "test" container was created and here is an output of docker inspect:

[
    {
        "Id": "3b7b0282d03b6a28098dcada109a86fed62e85a2e2a417c216de2018619c5bf8",
        "Created": "2017-02-03T15:48:45.751342327Z",
        "Path": "bash",
        "Args": [],
        "State": {
            "Status": "exited",
            "Running": false,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 0,
            "ExitCode": 2,
            "Error": "",
            "StartedAt": "2017-02-03T15:48:46.895469087Z",
            "FinishedAt": "2017-02-03T15:48:47.0361698Z"
        },
        "Image": "sha256:a1e614f0f30eb9823d71882f3165e33b15ec30226d08a6a328be2209dd4e1175",
        "ResolvConfPath": "/var/lib/docker/containers/3b7b0282d03b6a28098dcada109a86fed62e85a2e2a417c216de2018619c5bf8/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/3b7b0282d03b6a28098dcada109a86fed62e85a2e2a417c216de2018619c5bf8/hostname",
        "HostsPath": "/var/lib/docker/containers/3b7b0282d03b6a28098dcada109a86fed62e85a2e2a417c216de2018619c5bf8/hosts",
        "LogPath": "",
        "Name": "/test",
        "RestartCount": 0,
        "Driver": "btrfs",
        "MountLabel": "system_u:object_r:container_file_t:s0:c308,c642",
        "ProcessLabel": "system_u:system_r:container_t:s0:c308,c642",
        "AppArmorProfile": "",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": null,
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "journald",
                "Config": {}
            },
            "NetworkMode": "default",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": [
                "no-new-privileges"
            ],
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "oci",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": -1,
            "OomKillDisable": false,
            "PidsLimit": 0,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0
        },
        "GraphDriver": {
            "Name": "btrfs",
            "Data": null
        },
        "Mounts": [],
        "Config": {
            "Hostname": "3b7b0282d03b",
            "Domainname": "",
            "User": "",
            "AttachStdin": true,
            "AttachStdout": true,
            "AttachStderr": true,
            "Tty": true,
            "OpenStdin": true,
            "StdinOnce": true,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "DISTTAG=f25docker",
                "FGC=f25"
            ],
            "Cmd": [
                "bash"
            ],
            "Image": "fedora:25",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {}
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "16f12375ff3bd721a3aa8df791e7c3b10273cb6d088b28ee3d023e3758ed20f4",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": null,
            "SandboxKey": "/var/run/docker/netns/16f12375ff3b",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "19150271848bcedb265df956a0d44506d1cb4a8626cc6f5942d0aa68e2aebe97",
                    "EndpointID": "",
                    "Gateway": "",
                    "IPAddress": "",
                    "IPPrefixLen": 0,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": ""
                }
            }
        }
    }
]
Works for me.

docker run -ti --security-opt=no-new-privileges --name test fedora:25 bash
Unable to find image 'fedora:25' locally
Trying to pull repository atomic-registry.usersys.redhat.com:500/fedora ...
Trying to pull repository docker.io/library/fedora ...
sha256:a99209cbb485b98d17b47be2bf990a7fbd63b4d3fa61395a313308d99a326930: Pulling from docker.io/library/fedora
0fc456f626d7: Pull complete
Digest: sha256:a99209cbb485b98d17b47be2bf990a7fbd63b4d3fa61395a313308d99a326930
Status: Downloaded newer image for docker.io/fedora:25
[root@e7614e3c8bc8 /]# id
uid=0(root) gid=0(root) groups=0(root)
[root@e7614e3c8bc8 /]# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
[root@e7614e3c8bc8 /]# exit
sh-4.4# getenforce
Enforcing
# rpm -q docker container-selinux selinux-policy
docker-1.12.6-17.git037a2f5.fc26.x86_64
container-selinux-2.5-1.fc26.noarch
selinux-policy-3.13.1-235.fc26.noarch
ps -eZ | grep docker
system_u:system_r:container_runtime_t:s0 1132 ?        00:00:00 docker-containe
system_u:system_r:container_runtime_t:s0 21631 ?       00:00:05 dockerd-current
Any AVCs?

ausearch -m avc -ts recent
(In reply to Daniel Walsh from comment #2)
> Any AVCs?
> 
> ausearch -m avc -ts recent

No, the same problem is in permissive mode.
Created attachment 1247707 [details]
journald output

Attached is the journald output related to creating the container. I enabled --debug for docker.service and docker-containerd.service. Hope it helps.
You are using a BTRFS back end, which could be the problem. I doubt anyone has tested this with anything other than devicemapper or overlay2.
Does it work if you run with --security-opt label:disable

I am thinking this has something to do with SELinux labels trying to be assigned somewhere but not being allowed. But does everything work without --no-new-privs?
(In reply to Daniel Walsh from comment #6)
> Does it work if you run with --security-opt label:disable
> 

It works, and it also works with SELinux type docker_t or container_runtime_t:

docker run -ti --security-opt=label:type:docker_t \
    --security-opt=no-new-privileges --rm fedora:25 bash

The only problem is with the default container_t.
docker_t is a very privileged domain, container_t is a less privileged domain.

I have built container-selinux-2.6-1.fc26; could you try this with that package? I will push it to replace the update. I think it will fix your issue.
I saw the following error when upgrading to 2.7-1:

[root@host ~]# dnf update https://kojipkgs.fedoraproject.org//packages/container-selinux/2.7/1.fc26/noarch/container-selinux-2.7-1.fc26.noarch.rpm
Last metadata expiration check: 1:49:34 ago on Tue Feb 07 16:40:10 2017 CET.
Dependencies resolved.
================================================================================
 Package              Arch     Version         Repository       Size
================================================================================
Upgrading:
 container-selinux    noarch   2:2.7-1.fc26    @commandline     29 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 29 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : container-selinux-2:2.7-1.fc26.noarch    1/2
Child type container_t exceeds bounds of parent container_runtime_t
 (allow container_t container_t (capability2 (mac_override mac_admin)))
 <root>
 booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2721
 true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2722
 allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2723
 (allow container_t self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read epolwakeup)))
 (allow container_t container_t (capability (sys_module)))
 <root>
 booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2721
 true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2722
 allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2724
 (allow container_t self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
Failed to generate binary
/usr/sbin/semodule: Failed!
  Cleanup     : container-selinux-2:2.5-1.fc26.noarch    2/2
  Verifying   : container-selinux-2:2.7-1.fc26.noarch    1/2
  Verifying   : container-selinux-2:2.5-1.fc26.noarch    2/2

Upgraded:
  container-selinux.noarch 2:2.7-1.fc26

Complete!
So I am not sure that policy was applied. But it did not help.
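As an added example (not from this report or from the container-selinux project), a parser over the semodule output above that reports what the type-bounds check actually rejected: the child and parent types, the permissions container_t holds beyond container_runtime_t per object class, and the CIL line that granted them. The sample is the output quoted above with its line breaks restored, and the last function is the check dnf does not make before printing "Complete!".

```python
import re

# Constructed sample: the semodule output from the failed container-selinux
# 2.7-1 upgrade quoted above, with its line breaks restored.
SEMODULE_OUTPUT = """\
Child type container_t exceeds bounds of parent container_runtime_t
 (allow container_t container_t (capability2 (mac_override mac_admin)))
 <root>
 booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2721
 true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2722
 allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2723
 (allow container_t self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read epolwakeup)))
 (allow container_t container_t (capability (sys_module)))
 <root>
 booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2721
 true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2722
 allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2724
 (allow container_t self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
Failed to generate binary
/usr/sbin/semodule: Failed!
"""
HEADER = re.compile(r"^Child type (\S+) exceeds bounds of parent (\S+)$")
ALLOW = re.compile(r"^\(allow (\S+) (\S+) \((\S+) \((.*)\)\)\)$")
ORIGIN = re.compile(r"^allow at (\S+):(\d+)$")

def parse_bounds_violations(text):
    """One dict per 'exceeds bounds' block: child, parent, excess permissions
    per class, and the CIL file:line of the allow rule that granted them."""
    violations, origin = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            violations.append({"child": m[1], "parent": m[2],
                               "excess": {}, "origin": {}})
        elif m := ORIGIN.match(line):
            origin = (m[1], int(m[2]))
        elif (m := ALLOW.match(line)) and violations:
            cls, perms = m[3], frozenset(m[4].split())
            if origin is None:
                # Rule printed right under the header: the excess permissions.
                violations[-1]["excess"][cls] = perms
            else:
                # Rule printed after "allow at file:line": the granting rule.
                violations[-1]["origin"][cls] = origin
                origin = None
    return violations

def policy_load_failed(text):
    """dnf prints 'Complete!' regardless, so read semodule's own verdict."""
    return re.search(r"semodule:\s+Failed!", text) is not None
```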
It was not applied.

Modify expand-check in /etc/selinux/semanage.conf to expand-check=0 and then reinstall container-selinux. This should stop that error.

The problem is in the selinux-policy package in Rawhide. I have opened a pull request to fix this.

https://github.com/fedora-selinux/selinux-policy/pull/187
Works well with container-selinux-2:2.8-1.fc26.noarch. Thank you.