Bug 1511855 - When using buildah for the first time the contents in /var/lib/containers/storage are mislabeled.
Summary: When using buildah for the first time the contents in /var/lib/containers/sto...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-10 10:09 UTC by Daniel Walsh
Modified: 2017-11-30 19:23 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-30 19:23:40 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:3366 normal SHIPPED_LIVE container-selinux bug fix and enhancement update 2017-12-01 00:23:06 UTC

Description Daniel Walsh 2017-11-10 10:09:42 UTC
Tools that use containers-storage (Buildah) run as the unconfined user rather then running as container_runtime_t.  When unconfined user creates content in /var/lib/containers/storage it does not transition to the correct label.

Comment 2 Daniel Walsh 2017-11-10 10:11:15 UTC
Fixed in containers-selinux-2.32

Comment 4 Daniel Walsh 2017-11-21 15:27:49 UTC
Best way to test this is to


rm -rf /var/lib/containers/storage

# setenforce 1
# ctr=$(buildah from fedora)
# buildah run $ctr echo hello

If this works, then the bug is fixed.

You could also run

restorecon -R -v /var/lib/containers/storage

And you should see no mislabeled files.

Comment 8 errata-xmlrpc 2017-11-30 19:23:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3366


Note You need to log in before you can comment on or make changes to this bug.