1602825 – Can not create docker image with SELinux enabled

Bug 1602825 - Can not create docker image with SELinux enabled

Summary: Can not create docker image with SELinux enabled

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	docker
Sub Component:
Version:	28
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-07-18 15:05 UTC by Artyom
Modified:	2018-07-19 06:55 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-07-19 06:55:44 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Artyom 2018-07-18 15:05:08 UTC

Description of problem:
No matter what image I create I receive fails on RUN command under docker file

Dockerfile
=========================
FROM fedora:27
  
RUN dnf install -y make
=========================

docker build -t test .
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM fedora:27
 ---> 9110ae7f579f
Step 2/2 : RUN dnf install -y make
 ---> Running in 3947619356d2
The command '/bin/sh -c dnf install -y make' returned a non-zero code: 139

Version-Release number of selected component (if applicable):
# rpm -qa | grep docker
docker-1.13.1-60.git9cb56fd.fc28.x86_64
docker-rhel-push-plugin-1.13.1-60.git9cb56fd.fc28.x86_64
docker-common-1.13.1-60.git9cb56fd.fc28.x86_64
# rpm -qa | grep container
container-selinux-2.65-1.gitbf5b26b.fc28.noarch
containers-common-0.1.31-5.git0144aa8.fc28.x86_64
systemd-container-238-8.git0e0aa59.fc28.x86_64
container-storage-setup-0.11.0-1.git42c9d9c.fc28.noarch
# rpm -qa | grep selinux
python3-libselinux-2.8-1.fc28.x86_64
container-selinux-2.65-1.gitbf5b26b.fc28.noarch
selinux-policy-3.14.1-32.fc28.noarch
rpm-plugin-selinux-4.14.1-9.fc28.x86_64
libselinux-utils-2.8-1.fc28.x86_64
dnfdaemon-selinux-0.3.18-6.fc28.noarch
selinux-policy-targeted-3.14.1-32.fc28.noarch
libselinux-2.8-1.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. run "docker build -t test ." on the above Dockerfile
2.
3.

Actual results:
Image creation fails

Expected results:
Image creation must succeed

Additional info:
ausearch -m avc --start recent
----
time->Wed Jul 18 18:04:35 2018
type=AVC msg=audit(1531926275.058:1879): avc:  denied  { map } for  pid=21558 comm="sh" path="/usr/bin/bash" dev="dm-2" ino=5771176 scontext=system_u:system_r:container_t:s0:c380,c528 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0

Comment 1 Daniel Walsh 2018-07-18 15:27:31 UTC

This looks like you have a labeling issue in /etc or /var/lib/docker

restorecon -R -v /etc /var/lib/docker

Did you modify the docker daemon to use content under your homedir?

Comment 2 Artyom 2018-07-19 06:55:44 UTC

Yes, you are right, I put the docker directory under home directory and created the symbolic link under /var/lib/docker, so looks like I need to set a correct label on it.

# semanage fcontext -a -t container_var_lib_t "/home/test/docker(/.*)?"
# semanage fcontext -a -t container_share_t "/home/test/docker/overlay2(/.*)?"
# restorecon -R -v /home/test/docker

Returns all back to normal.

Thanks for your help.

Note You need to log in before you can comment on or make changes to this bug.