Description of problem:
The --selinux-enabled option is not enabled in the systemd unit file, and there does not appear to be a "config" option in etc.

Version-Release number of selected component (if applicable):
moby-engine-18.06.0-1.ce.git0ffa825.fc29.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install moby engine
2. Run bash in a container
3. Inspect the SELinux context of the bash process in the container

Actual results:

Terminal #1
=======================================================================
[root@fedora ~]# which docker
/usr/bin/docker
[root@fedora ~]# rpm -qf /usr/bin/docker
moby-engine-18.06.0-1.ce.git0ffa825.fc29.x86_64
docker run -it fedora bash
podman run -it fedora bash

Terminal #1
=======================================================================
Docker Output
[root@fedora ~]# ps -efZ | grep bash
unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 root 27937 985 2 13:06 pts/0 00:00:00 docker run -it fedora bash
system_u:system_r:spc_t:s0 root 27972 27954 1 13:06 pts/0 00:00:00 bash

Podman Output
[root@fedora ~]# ps -efZ | grep bash
unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 root 28073 985 0 13:06 pts/0 00:00:00 podman run -it fedora bash
system_u:system_r:container_t:s0:c326,c566 root 28160 28148 0 13:06 pts/0 00:00:00 bash

Expected results:
system_u:system_r:container_t:s0:c326,c566 root 28160 28148 0 13:06 pts/0 00:00:00 bash

Additional info:
Notice the bash ran under moby engine has this context: spc_t
More info here: https://www.openwall.com/lists/oss-security/2019/02/11/2

Also, I verified that you can add a --selinux-enabled to the systemd unit file like this, which protects the host:

ExecStart=/usr/bin/dockerd --selinux-enabled
I think in the latest moby, you can set this flag in a file in /etc/. /etc/docker.json or /etc/config/docker.json or something like that. Would be better to allow users to easily change the defaults.
Dan, you are dead on. I don't know the rules in Fedora, can we just rebase to master? I agree everything looks good in master. If we can't rebase, it looks like the F29 branch doesn't have a docker.sysconfig nor a docker.service file, so I believe the spec file uses the upstream. The master branch, on the other hand, has both and "should" start correctly (I haven't been able to build a package to test yet). Sadly, I "tried" to add the files to the f29 branch, but I can't push files (can't figure out what password to use for the Fedora GitLab instance :-( ). That said, I "think" all that needs to be done is to copy these two files from the master branch to the F29 branch, and rebuild. I looked at the spec file between the two and didn't see anything different. I think the Fedora package just "overwrites" the original files in the upstream...
As noted, this was done for Fedora 30 a few months ago, but changing a default setting like enabling SELinux seems like it would be disruptive to existing users on a released version. Fedora 29 users that want SELinux can change the setting with the standard systemd methods, such as making a dropin with "systemctl edit docker" containing:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --selinux-enabled

If the concern with this is CVE-2019-5736, the fix was pushed for testing when the embargo lifted on Monday: https://bodhi.fedoraproject.org/updates/FEDORA-2019-352d4b9cd8
(In reply to David Michael from comment #4)
> As noted, this was done for Fedora 30 a few months ago, but changing a
> default setting like enabling SELinux seems like it would be disruptive to
> existing users on a released version. Fedora 29 users that want SELinux can
> change the setting with the standard systemd methods, such as making a
> dropin with "systemctl edit docker" containing:
>
> [Service]
> ExecStart=
> ExecStart=/usr/bin/dockerd --selinux-enabled
>
> If the concern with this is CVE-2019-5736, the fix was pushed for testing
> when the embargo lifted on Monday:
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-352d4b9cd8

Kinda, it was more that defense in depth is good because that specific CVE likely won't be the last, and F29 is the latest version. I totally understand if you want to wait until F30 though. It looks good in master.
FYI I've tried adding {"selinux-enabled": true} in /etc/docker/daemon.json and that looks like it works, because if I add it to the ExecStart in the .service file as well then the service fails with "directives are specified both as a flag and in the configuration file: selinux-enabled: (from flag: true, from file: true)".
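Added example (not part of this bug report or of moby): a POSIX shell script with two host-side checks for what the report and the comment above describe, where "selinux-enabled" is configured (dockerd flag, daemon.json, or the rejected combination of both) and whether container processes are running as spc_t instead of container_t in ps -efZ output. The sample inputs are constructed from the report's own lines; the live invocations in the trailing comment assume a standard Fedora layout.

```shell
#!/bin/sh
# Added example, not from the bug report. Two host-side checks:
#  1. selinux_config_source: where "selinux-enabled" is set (dockerd flag in
#     the unit/drop-in, /etc/docker/daemon.json, or both, which dockerd rejects)
#  2. find_spc_t: container processes running as spc_t instead of container_t
# Both take text input so they run offline on the constructed samples below;
# the live invocations at the end are assumptions about a typical Fedora host.

# $1: ExecStart line(s) of docker.service plus any drop-ins
# $2: contents of /etc/docker/daemon.json (may be empty)
# Prints one of: none, flag, file, both
selinux_config_source() {
    in_flag=0
    in_file=0
    if printf '%s\n' "$1" | grep -q -- '--selinux-enabled'; then
        in_flag=1
    fi
    if printf '%s\n' "$2" | grep -Eq '"selinux-enabled"[[:space:]]*:[[:space:]]*true'; then
        in_file=1
    fi
    case "$in_flag$in_file" in
        00) echo none ;;
        10) echo flag ;;
        01) echo file ;;
        11) echo both ;;  # dockerd refuses to start: set as flag and in file
    esac
}

# Reads `ps -efZ` output on stdin (LABEL UID PID PPID C STIME TTY TIME CMD);
# prints "PID context" for each process whose SELinux type is spc_t.
find_spc_t() {
    awk '{ split($1, ctx, ":"); if (ctx[3] == "spc_t") print $3, $1 }'
}

# Constructed samples mirroring the report and the comments above
UNIT_LINE='ExecStart=/usr/bin/dockerd --selinux-enabled'
DAEMON_JSON='{"selinux-enabled": true}'
PS_SAMPLE='system_u:system_r:spc_t:s0 root 27972 27954 1 13:06 pts/0 00:00:00 bash
system_u:system_r:container_t:s0:c326,c566 root 28160 28148 0 13:06 pts/0 00:00:00 bash'

# Live use as root (assumed paths):
#   selinux_config_source "$(systemctl cat docker | grep '^ExecStart=')" \
#                         "$(cat /etc/docker/daemon.json 2>/dev/null)"
#   ps -efZ | find_spc_t
```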
cje I tried it again on Fedora 29, and SELinux still doesn't seem enabled by default...
(In reply to Scott McCarty from comment #7)
> cje I tried it again on Fedora 29, and SELinux still doesn't
> seem enabled by default...

Right. That is by design. David decided that it would be a breaking change to enable SELinux in the middle of a release (see comment #4). I agree with him. We don't want users' systems to just stop working overnight. They'll get the better security defaults in F30.
Couldn't they get it only on a fresh install? Even in F30 we don't want to update a F29 system and have Moby broken in F30.
(In reply to Daniel Walsh from comment #9)
> Couldn't they get it only on a fresh install? Even in F30 we don't want to
> update a F29 system and have Moby broken in F30.

I defer to David or Lokesh (maintainers of the package) on this. They'd be able to say how much work it would be or if it would be worth doing it over waiting for f30.
This is fixed in F30 and rawhide while F29 was left as is for compatibility, so I think this can be closed.