Bug 1492113 - Docker: SELinux relabeling issue for a local nfs volume
Summary: Docker: SELinux relabeling issue for a local nfs volume
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tom Sweeney
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1186913 1697833 1720323
Reported: 2017-09-15 13:38 UTC by Sergio Lopez
Modified: 2021-03-11 15:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-28 20:35:05 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github projectatomic docker pull | 343 | 0 | 'None' | closed | Ignore relabeling ENOSUP failure | 2020-12-03 23:57:14 UTC
Red Hat Bugzilla | 1461024 | 0 | medium | CLOSED | Docker: SELinux relabeling issue for a local nfs volume | 2021-08-30 12:14:19 UTC

Description Sergio Lopez 2017-09-15 13:38:16 UTC
Description of problem:

With the latest update of docker (rhel7 extra repo), we encounter a bug with nfs volumes (local driver).


Version-Release number of selected component (if applicable):
 docker-1.12.6-28.git1398f24.el7.x86_64
 

How reproducible:
Fully reproducible

Steps to Reproduce:

1. docker volume create -d local --name xxx --opt type=nfs --opt o=addr=xxxx,rw,actimeo=0,sync --opt device=</path/to/dir>

2. docker run --rm -ti -v xxx:xxx --name <container name> <image name> /bin/bash


Actual results:

/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/xxxx/_data is not allowed: "operation not supported".


Expected results:

Container should have been created with successful nfs mount.

Additional info:

There is a similar upstream issue which contains the workaround for the issue.
https://github.com/moby/moby/issues/31255

Workaround :

Run the 2nd command as:
docker run --rm -ti -v xxx:xxx:nocopy --name <container name> <image name> /bin/bash

Comment 2 Daniel Walsh 2017-09-15 13:40:23 UTC
Are you getting any AVCs with this?  I know there was a fix for this that we have back-ported for SELinux putting labels on directories that do not support labeling, but I am not sure if that is the case here.

Comment 12 Daniel Walsh 2019-06-12 07:09:12 UTC
Attempting to fix with https://github.com/projectatomic/docker/pull/343

Comment 16 Daniel Walsh 2019-08-13 12:12:51 UTC
Tom, I believe this is fixed in the master code; could you test with the latest docker to see if it is still an issue?

Comment 17 Tom Sweeney 2019-08-13 13:50:27 UTC
Unless I messed up the test, or don't have the latest version, I'm still seeing the error and no AVCs.  Lokesh, can you verify I've the latest/greatest Docker bits please?

# cat /etc/*release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
 
# rpm -qa docker
docker-1.13.1-103.git7f2769b.el7.x86_64

# systemctl start docker

# docker volume create -d local --name nfstest --opt type=nfs --opt o=addr=derrick-nas.rhev.gsslab.rdu.redhat.com,rw,actimeo=0,sync --opt device=:/c/data1/docker
nfstest

# docker run --rm -ti -v nfstest:/mnt --name test rhel7 
Unable to find image 'rhel7:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7 ... 
latest: Pulling from registry.access.redhat.com/rhel7
cd9779fb83c9: Pull complete 
0bc0fb725b14: Pull complete 
Digest: sha256:3e3d9c2a8bbbdf35c3ac6a9f57c2148d03888c6cc6a17da9570f0b0d6484c42b
Status: Downloaded newer image for registry.access.redhat.com/rhel7:latest
/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/nfstest/_data is not allowed: "operation not supported".
See '/usr/bin/docker-current run --help'.

# rpm -q kernel container-selinux
kernel-3.10.0-957.12.2.el7.x86_64
kernel-3.10.0-957.21.2.el7.x86_64
kernel-3.10.0-1062.el7.x86_64
container-selinux-2.107-3.el7.noarch

# ausearch -m avc -ts recent
<no matches>

Comment 19 Daniel Walsh 2019-08-13 14:54:32 UTC
Basically wanted to make sure the version of docker had https://github.com/projectatomic/docker/pull/343

Comment 20 Daniel Walsh 2019-08-13 14:55:44 UTC
Tom, could you look through the docker code and see if any other Relabel calls exist, and maybe we add the ENOSUP errors?

Comment 21 Tom Sweeney 2019-08-13 15:44:47 UTC
We've a number of calls like:  

        label.Relabel(secretsPath, container.MountLabel, false)
  (Starting at: https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L114)

in container/container_unix.go (most called from NetworkMounts(), one from SecretMountRHEL()) that don't do any error checking.  In the CopyImagePathContent() function in this same file we ignore the error if it arises:

        if err := label.Relabel(path, container.MountLabel, true); err != nil && err != unix.ENOTSUP {
                return err
        }

    (https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L199)

In daemon/create_unix.go we check again:

                if err := label.Relabel(v.Path(), container.MountLabel, true); err != nil && err != syscall.ENOTSUP {
                        return err
                }

     (https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/daemon/create_unix.go#L55 -- I think you fixed this one up recently)

and then finally in daemon/graphdriver/btrfs/btrfs.go it's the last thing we do in the Create() function and it has no check:

        return label.Relabel(path.Join(subvolumes, id), mountLabel, false)

     (https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/daemon/graphdriver/btrfs/btrfs.go#L440)
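
The pattern the two checked call sites above use (tolerate ENOTSUP, fail on anything else) written out as one reusable wrapper, as an added example that is not code from the docker tree or from anyone in this thread; relabelOrSkip, fakeRelabel and the mount label are hypothetical names and values, and fakeRelabel stands in for label.Relabel so the example runs on a host without SELinux or NFS:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"syscall"
)

// relabelFunc has the shape of label.Relabel(path, mountLabel, shared) from
// the selinux library docker calls; it is injected so this runs without SELinux.
type relabelFunc func(path, mountLabel string, shared bool) error

// relabelOrSkip applies the pattern from CopyImagePathContent() and
// daemon/create_unix.go to any relabel call: ENOTSUP from the filesystem (an
// NFS volume that cannot carry SELinux labels) is tolerated and reported as
// "not labeled", while every other error still fails the container create.
func relabelOrSkip(relabel relabelFunc, path, mountLabel string, shared bool) (labeled bool, err error) {
	err = relabel(path, mountLabel, shared)
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, syscall.ENOTSUP):
		// errors.Is also matches a wrapped ENOTSUP, which `err != syscall.ENOTSUP` would miss.
		return false, nil
	default:
		return false, fmt.Errorf("SELinux relabeling of %s is not allowed: %w", path, err)
	}
}

// fakeRelabel is a constructed stand-in for label.Relabel: paths under /nfs/
// behave like the nfstest volume in this bug (ENOTSUP), /ro/ is read-only, the rest label fine.
func fakeRelabel(path, mountLabel string, shared bool) error {
	switch {
	case strings.HasPrefix(path, "/nfs/"):
		return fmt.Errorf("setxattr %s: %w", path, syscall.ENOTSUP)
	case strings.HasPrefix(path, "/ro/"):
		return syscall.EROFS
	}
	return nil
}

func main() {
	const mountLabel = "system_u:object_r:container_file_t:s0:c1,c2" // constructed example label
	for _, p := range []string{"/var/lib/docker/volumes/local/_data", "/nfs/nfstest/_data", "/ro/data"} {
		labeled, err := relabelOrSkip(fakeRelabel, p, mountLabel, false)
		fmt.Printf("%-40s labeled=%-5v err=%v\n", p, labeled, err)
	}
}
```

A volume that comes back "not labeled" is readable by the container only if the NFS export's policy allows it, so the skip should be logged rather than silently swallowed.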

Comment 22 Daniel Walsh 2019-08-13 16:21:58 UTC
Well it is not in the btrfs one.

Comment 23 Tom Sweeney 2019-08-13 16:36:41 UTC
Yeah, I'm thinking maybe in container/container_unix.go for this one:

https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/container/container_unix.go#L487

I've just added error handling to it and am trying it.

Comment 24 Tom Sweeney 2019-08-13 16:46:52 UTC
Well, that's the one that's failing, but I'm not sure if adding error handling fixes the issue.  With it in place, I'm now seeing:

# docker run --rm -ti -v nfstest:/mnt --name test rhel7 
Unable to find image 'rhel7:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7 ... 
latest: Pulling from registry.access.redhat.com/rhel7
cd9779fb83c9: Pull complete 
0bc0fb725b14: Pull complete 
Digest: sha256:3e3d9c2a8bbbdf35c3ac6a9f57c2148d03888c6cc6a17da9570f0b0d6484c42b
Status: Downloaded newer image for registry.access.redhat.com/rhel7:latest
docker: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/nfstest/_data is not allowed: "operation not supported".
See 'docker run --help'.

Comment 25 Tom Sweeney 2019-08-13 17:00:57 UTC
Nope, I take that back, same error.  Need to dig further.

Comment 28 Derrick Ornelas 2020-02-28 20:35:05 UTC
The Red Hat Enterprise Linux 7 life cycle has entered Maintenance Support 1 Phase, which means that only qualified Critical and Important Security errata advisories (RHSAs) and some Urgent Priority Bug Fix errata advisories (RHBAs) will be released as they become available.  Unfortunately, this issue was not selected to be included in Red Hat Enterprise Linux 7, because it is seen either as low or moderate impact to a small number of use-cases. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

See the Red Hat Enterprise Linux Life Cycle for more details:
https://access.redhat.com/support/policy/updates/errata/#Maintenance_Support_1_Phase
