
Bug 1542997

Summary: SELINUX_ERR generated when building docker images
Product: Red Hat Enterprise Linux 7
Component: container-selinux
Version: 7.5
Status: CLOSED ERRATA
Reporter: Lukas Slebodnik <lslebodn>
Assignee: Daniel Walsh <dwalsh>
QA Contact: atomic-bugs <atomic-bugs>
CC: amurdaca, ddarrah, dwalsh, jhonce, jpazdziora, lsm5, lvrabec
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Keywords: Extras, Regression
Hardware: Unspecified
OS: Unspecified
Fixed In Version: container-selinux-2.51-1.el7
Doc Type: If docs needed, set a value
Clones: 1548144 (view as bug list)
Type: Bug
Last Closed: 2018-04-11 00:03:10 UTC

Description Lukas Slebodnik 2018-02-07 14:35:50 UTC
Description of problem:
I am filing this ticket against docker because container-selinux has not been changed for a while and I was not able to see such an error with an older version of docker (2:1.13.1-45.gitec9911e).

I can see a SELINUX_ERR when building docker images on rhel7, but it is also reproducible by running yum with docker run.

Version-Release number of selected component (if applicable):
sh# rpm -qa docker\* selinux-policy\* container-selinux 
selinux-policy-3.13.1-188.el7.noarch
docker-client-1.13.1-50.gitec9911e.el7.x86_64
docker-common-1.13.1-50.gitec9911e.el7.x86_64
selinux-policy-targeted-3.13.1-188.el7.noarch
docker-1.13.1-50.gitec9911e.el7.x86_64
docker-rhel-push-plugin-1.13.1-50.gitec9911e.el7.x86_64
container-selinux-2.41-1.git126c1c0.el7.noarch

sh# uname -a
Linux host.example.com 3.10.0-845.el7.x86_64 #1 SMP Mon Feb 5 07:43:47 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:
Deterministic

Steps to Reproduce:
1. // register with subscription-manager
2. // truncate audit.log
   > /var/log/audit/audit.log
3. // install something in container
   docker run --rm registry.access.redhat.com/rhel7 yum install --disablerepo='*-rpms' --enablerepo=rhel-7-server-rpms -y sssd-client
4. // check audit log for AVCs and SELINUX_ERRs


Actual results:
[root@host ~]#  > /var/log/audit/audit.log


[root@host ~]# docker run --rm registry.access.redhat.com/rhel7 yum install --disablerepo='*-rpms' --enablerepo=rhel-7-server-rpms -y sssd-client
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package sssd-client.x86_64 0:1.15.2-50.el7_4.8 will be installed

//snip

Dependency Installed:
  libsss_idmap.x86_64 0:1.15.2-50.el7_4.8                                       
  libsss_nss_idmap.x86_64 0:1.15.2-50.el7_4.8                                   

Complete!

[root@host ~]# ausearch -m AVC,SELINUX_ERR -i
----
type=PROCTITLE msg=audit(02/07/2018 09:31:10.500:283) : proctitle=/usr/bin/python /usr/bin/yum install --disablerepo=*-rpms --enablerepo=rhel-7-server-rpms -y sssd-client 
type=SYSCALL msg=audit(02/07/2018 09:31:10.500:283) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fdd50800df0 a1=O_RDONLY|O_CLOEXEC a2=0x10000 a3=0x14 items=0 ppid=21995 pid=22008 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=yum exe=/usr/bin/python2.7 subj=system_u:system_r:container_t:s0:c181,c794 key=(null) 
type=SELINUX_ERR msg=audit(02/07/2018 09:31:10.500:283) : op=security_compute_av reason=bounds scontext=system_u:system_r:container_t:s0:c181,c794 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint


Expected results:
No AVCs or SELINUX_ERRs

Additional info:
//Part of journald around 09:31:10

Feb 07 09:28:34 host.example dockerd-current[21594]: time="2018-02-07T09:28:34.973855895-05:00" level=warning msg="033bbae04358c012063b7ea06d469a76a8aa6f72dde7a578d4198de1b034f00c cleanup: failed to unmount secrets: invalid argument"
Feb 07 09:31:10 host.example kernel: docker0: port 1(veth0dfbbc2) entered blocking state
Feb 07 09:31:10 host.example kernel: docker0: port 1(veth0dfbbc2) entered disabled state
Feb 07 09:31:10 host.example kernel: device veth0dfbbc2 entered promiscuous mode
Feb 07 09:31:10 host.example kernel: IPv6: ADDRCONF(NETDEV_UP): veth0dfbbc2: link is not ready
Feb 07 09:31:10 host.example kernel: docker0: port 1(veth0dfbbc2) entered blocking state
Feb 07 09:31:10 host.example kernel: docker0: port 1(veth0dfbbc2) entered forwarding state
Feb 07 09:31:10 host.example kernel: docker0: port 1(veth0dfbbc2) entered disabled state
Feb 07 09:31:10 host.example NetworkManager[614]: <info>  [1518013870.1964] manager: (vetha3142eb): new Veth device (/org/freedesktop/NetworkManager/Devices/23)
Feb 07 09:31:10 host.example NetworkManager[614]: <info>  [1518013870.1982] manager: (veth0dfbbc2): new Veth device (/org/freedesktop/NetworkManager/Devices/24)
Feb 07 09:31:10 host.example systemd[1]: Started libcontainer container b35cff16f52a7c426db270182d5c9e4f1d4630482c7e9b407f7fe69cabff735d.
Feb 07 09:31:10 host.example systemd[1]: Starting libcontainer container b35cff16f52a7c426db270182d5c9e4f1d4630482c7e9b407f7fe69cabff735d.
Feb 07 09:31:10 host.example kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Feb 07 09:31:10 host.example kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth0dfbbc2: link becomes ready
Feb 07 09:31:10 host.example kernel: docker0: port 1(veth0dfbbc2) entered blocking state
Feb 07 09:31:10 host.example kernel: docker0: port 1(veth0dfbbc2) entered forwarding state
Feb 07 09:31:10 host.example NetworkManager[614]: <info>  [1518013870.3086] device (veth0dfbbc2): carrier: link connected
Feb 07 09:31:10 host.example NetworkManager[614]: <info>  [1518013870.3088] device (docker0): carrier: link connected
Feb 07 09:31:10 host.example oci-systemd-hook[22022]: systemdhook <debug>: b35cff16f52a: Skipping as container command is yum, not init or systemd
Feb 07 09:31:10 host.example oci-umount[22023]: umounthook <debug>: prestart container_id:b35cff16f52a rootfs:/var/lib/docker/overlay2/0ab28ec1c51f263f549f67268053bc339fb39872cb7f3c343570440f35a32477/merged
Feb 07 09:31:10 host.example dockerd-current[21594]: Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
Feb 07 09:31:52 host.example dockerd-current[21594]: Resolving Dependencies
Feb 07 09:31:52 host.example dockerd-current[21594]: --> Running transaction check
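As an added example (mine, not part of the bug report), here is a small POSIX shell filter that pulls out of `ausearch -i` output the only records that matter for this class of problem: SELINUX_ERR records with `op=security_compute_av reason=bounds`. Such a record means the policy grants the permission to a type that is bounded by a parent type (`typebounds`), the parent lacks it, and the kernel therefore strips it from the computed access vector and logs that fact; it is not a denial, which is why the SYSCALL record above shows `success=yes`. The sample records are abridged copies of the ones posted in this bug plus one ordinary AVC, embedded so the script runs offline; the function name `bounds_errs` is my own.

```shell
#!/bin/sh
# Added example (mine, not part of the bug report): summarise the SELINUX_ERR
# records that matter here, i.e. op=security_compute_av reason=bounds.
# Such a record means the policy granted the permission to a bounded type
# (container_t / svirt_lxc_net_t) but its bounding parent type lacks it, so the
# kernel stripped it and logged the fact. It is not a denial: in this bug the
# matching SYSCALL record shows success=yes.

# Constructed sample: abridged copies of the records posted in this bug, in the
# format printed by `ausearch -m AVC,SELINUX_ERR -i`, plus one ordinary AVC so
# the filter has something to ignore.
SAMPLE='type=SYSCALL msg=audit(02/07/2018 09:31:10.500:283) : arch=x86_64 syscall=open success=yes exit=3 comm=yum subj=system_u:system_r:container_t:s0:c181,c794 key=(null)
type=SELINUX_ERR msg=audit(02/07/2018 09:31:10.500:283) : op=security_compute_av reason=bounds scontext=system_u:system_r:container_t:s0:c181,c794 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
type=SELINUX_ERR msg=audit(02/07/2018 10:45:33.086:790) : op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c389,c569 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint
type=AVC msg=audit(02/07/2018 10:46:01.000:791) : avc:  denied  { read } for  pid=1 comm=cat scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# bounds_errs: read `ausearch -i` output on stdin and print, for every
# SELINUX_ERR record with reason=bounds, one line:
#   <source type> <target type> <class> <stripped perms>
# The kernel writes the stripped permissions comma-separated, so the perms
# value is a single awk field.
bounds_errs() {
    awk '
        /^type=SELINUX_ERR / && / reason=bounds / {
            src = tgt = cls = perms = "?"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "scontext")      { split(val, c, ":"); src = c[3] }
                else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
                else if (key == "tclass")   cls = val
                else if (key == "perms")    perms = val
            }
            print src, tgt, cls, perms
        }'
}

# Usage on a live system:  ausearch -m SELINUX_ERR -i | bounds_errs
printf '%s\n' "$SAMPLE" | bounds_errs
```

On the sample this prints `container_t cpu_online_t file entrypoint` and `svirt_lxc_net_t cpu_online_t file entrypoint`, which is the whole story of this bug: the container domain is granted `entrypoint` on `cpu_online_t`, its bounding parent type is not, and the kernel masks the permission and complains. A real denial, in contrast, shows up as an AVC record and is left alone by this filter.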

Comment 2 Daniel Walsh 2018-02-07 15:06:18 UTC
Did anything actually break or did you just see this entrypoint SELINUX_ERR?

Comment 3 Daniel Walsh 2018-02-07 15:08:01 UTC
The AVC you are reporting also seems strange, since container_t does not exist in RHEL 7 yet, only in Fedora.  RHEL runs containers with svirt_lxc_net_t?

Comment 4 Daniel Walsh 2018-02-07 15:09:16 UTC
Bounds checking will be removed in RHEL7.5 I am hoping.

Comment 5 Lukas Slebodnik 2018-02-07 15:47:51 UTC
(In reply to Daniel Walsh from comment #3)
> The AVC you are reporting also seems strange, since container_t does not
> exist in RHEL 7 yet, only in Fedora.  RHEL runs containers with
> svirt_lxc_net_t?

I am not sure how it is possible that I can see svirt_lxc_net_t on a different machine.
And I also thought it was somehow related to subscription-manager, but I can reproduce it even with the fedora image.

[root@host ~]# > /var/log/audit/audit.log 
[root@host ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

[root@host ~]# docker run --rm docker.io/fedora yum install -e0 -d0 -y lftp ; ausearch -m AVC,SELINUX_ERR -i
----
type=PROCTITLE msg=audit(02/07/2018 10:45:33.086:790) : proctitle=/usr/bin/python3 /usr/bin/yum install -e0 -d0 -y lftp 
type=SYSCALL msg=audit(02/07/2018 10:45:33.086:790) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f79993e7868 a1=O_RDONLY|O_CLOEXEC a2=0x7ffc398e9ed0 a3=0x3 items=0 ppid=25771 pid=25787 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=yum exe=/usr/bin/python3.6 subj=system_u:system_r:svirt_lxc_net_t:s0:c389,c569 key=(null) 
type=SELINUX_ERR msg=audit(02/07/2018 10:45:33.086:790) : op=security_compute_av reason=bounds scontext=system_u:system_r:svirt_lxc_net_t:s0:c389,c569 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file perms=entrypoint

Comment 6 Daniel Walsh 2018-02-07 15:54:18 UTC
Are you running a RHEL7.5 package on that machine?

Comment 7 Lukas Slebodnik 2018-02-07 15:58:01 UTC
(In reply to Daniel Walsh from comment #6)
> Are you running a RHEL7.5 package on that machine?

Yes.

The description of the ticket contains the latest packages from brew.

But here are the packages from the different machine (used in Comment 5):

[root@host]# rpm -qa docker\* selinux-policy\* container-selinux | sort
container-selinux-2.41-1.git126c1c0.el7.noarch
docker-1.13.1-49.gitec9911e.el7.x86_64
docker-client-1.13.1-49.gitec9911e.el7.x86_64
docker-common-1.13.1-49.gitec9911e.el7.x86_64
docker-rhel-push-plugin-1.13.1-49.gitec9911e.el7.x86_64
selinux-policy-3.13.1-187.el7.noarch
selinux-policy-targeted-3.13.1-187.el7.noarch

Comment 9 Lukas Slebodnik 2018-02-07 15:59:54 UTC
BTW, it might be the same issue as in BZ1467601 and BZ1461893.

Comment 10 Lukas Slebodnik 2018-02-07 20:40:29 UTC
(In reply to Daniel Walsh from comment #3)
> The AVC you are reporting also seems strange, since container_t does not
> exist in RHEL 7 yet, only in Fedora.  RHEL runs containers with
> svirt_lxc_net_t?

That's explained by selinux-policy-3.13.1-188.el7.noarch

Comment 11 Lukas Slebodnik 2018-02-07 20:40:59 UTC
Is there any workaround?

Comment 12 Daniel Walsh 2018-02-08 14:07:31 UTC
Ok, so those types are in RHEL7.5. These should not be a problem other than noise.

Comment 13 Daniel Walsh 2018-02-08 14:09:31 UTC
Lukas, if we have nnp_transition in RHEL7.5, we can remove the type bounds stuff.
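Some context on the trade-off in the comment above, with an added check that is mine and not from the bug or from container-selinux. When a process that has `no_new_privs` set (or is executing from a nosuid mount) execs into a new domain, older kernels only permit the transition if the new type is bounded by the old one (`typebounds`). That is why the container policy bounds the container domain to the runtime's domain, and the price is exactly the noise in this bug: every permission the bounded type has but its parent lacks is stripped by the kernel and logged as `reason=bounds`. Upstream Linux 4.14 added the `process2 { nnp_transition nosuid_transition }` permissions so a policy can instead grant the transition explicitly and drop the bounds; whether the RHEL 7.5 kernel and policy carry that is what the comment is asking. The script below answers it from selinuxfs, which publishes every class of the loaded policy as `class/<name>/perms/<perm>`. The domain names in the comment are assumed from the 7.5 policy seen in this bug, `SELINUXFS` is an override I added so the check can be exercised against a staged tree, and the function names are mine.

```shell
#!/bin/sh
# Added example (mine, not from the bug or container-selinux): tell whether the
# loaded policy and kernel expose process2 { nnp_transition nosuid_transition }.
# With them, a policy can say
#     allow container_runtime_t container_t:process2 { nnp_transition nosuid_transition };
# (domain names assumed from the 7.5 policy seen in this bug) and drop the
# typebounds that produces the reason=bounds noise. Without them, the only way
# for a no_new_privs process to transition into container_t is the bounds
# mechanism. SELINUXFS can be overridden so the check runs against a staged
# tree, e.g. on a host without SELinux.

fs_root() { printf '%s\n' "${SELINUXFS:-/sys/fs/selinux}"; }

# has_perm CLASS PERM: true if the loaded policy defines PERM in CLASS.
# selinuxfs publishes every class as class/<name>/perms/<perm>.
has_perm() {
    [ -e "$(fs_root)/class/$1/perms/$2" ]
}

# nnp_support: prints one of
#   nnp_transition  - both process2 permissions present, typebounds not needed
#   typebounds      - a policy is loaded but it has no nnp_transition support
#   no-selinuxfs    - selinuxfs not mounted / no policy loaded
nnp_support() {
    if [ ! -d "$(fs_root)/class" ]; then
        echo no-selinuxfs
    elif has_perm process2 nnp_transition && has_perm process2 nosuid_transition; then
        echo nnp_transition
    else
        echo typebounds
    fi
}

nnp_support
```

A host that prints `typebounds` will keep logging `reason=bounds` records for any permission the container domain has beyond its parent; the records are noise rather than denials, as the earlier comments say, and filtering them out of AVC triage is the practical workaround until the policy can switch to `nnp_transition`.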

Comment 15 Daniel Walsh 2018-02-12 15:50:06 UTC
container-selinux

Comment 25 errata-xmlrpc 2018-04-11 00:03:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1073