
docker run with container-selinux-2.77-1.el7_6.noarch does not work #63

Closed
andrewhsu opened this issue Feb 7, 2019 · 16 comments

Comments

@andrewhsu

On a rhel7 system with container-selinux-2.77-1.el7_6.noarch:

# getenforce
Enforcing
# docker run --rm busybox echo hi
standard_init_linux.go:207: exec user process caused "permission denied"

The corresponding denied message in selinux log file /var/log/audit/audit.log is:

type=AVC msg=audit(1549491386.801:666): avc: denied { transition } for pid=4022 comm="runc:[2:INIT]" path="/bin/echo" dev="xvda2" ino=8534597 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c397,c807 tclass=process

Is it perhaps related to this change? 99e2cfd...5133af6

I'm able to workaround the problem on rhel7 for now by downgrading:

$ sudo yum downgrade container-selinux-2.74-1.el7

Btw, this "permission denied" problem does not exist on centos7, I believe because container-selinux only goes up to version 2.74 there.

@thaJeztah

ping @rhatdan ptal 🤗

@rhatdan
Member

rhatdan commented Feb 7, 2019

This looks like the docker daemon or containerd is mislabeled.

It is not because of container-selinux.

yum -y update container-selinux
restorecon -R -v /usr/bin/docker* /usr/bin/containerd*
ls -lZ /usr/bin/docker* /usr/bin/containerd*
Should be labeled container_runtime_exec_t.

systemctl restart docker

ps -eZ | grep docker

Should be running as container_runtime_t
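The two checks above (process contexts from ps -eZ, and the AVC record quoted in the first post) can be scripted. The following is an added example, not code from this issue or from the container-selinux project; the sample ps -eZ output and the AVC line are copied from this thread and embedded so the script runs offline, and the diagnosis rule (a process transition into container_t denied from a source type other than container_runtime_t means the runtime binaries are mislabeled) is the heuristic rhatdan describes, not part of the policy itself:

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread): check the SELinux contexts the
# thread asks about and decode the AVC record from the first post.

# Sample `ps -eZ | grep -e docker -e containerd` output, copied from the thread:
# containerd mislabeled as unconfined_service_t (CentOS 7 with 2.95) ...
PS_MISLABELED='system_u:system_r:container_runtime_t:s0 14371 ? 00:00:01 dockerd
system_u:system_r:unconfined_service_t:s0 13970 ? 00:00:00 containerd'
# ... and both runtimes correctly labeled (RHEL 7 with 2.99).
PS_OK='system_u:system_r:container_runtime_t:s0 14749 ? 00:00:03 dockerd
system_u:system_r:container_runtime_t:s0 14261 ? 00:00:01 containerd'

# The denial from /var/log/audit/audit.log quoted in the first post.
AVC_LINE='type=AVC msg=audit(1549491386.801:666): avc: denied { transition } for pid=4022 comm="runc:[2:INIT]" path="/bin/echo" dev="xvda2" ino=8534597 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c397,c807 tclass=process'

# selinux_type LABEL: the type field of user:role:type[:level].
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# check_runtime_labels PS_OUTPUT: every dockerd/containerd process must run
# as container_runtime_t, otherwise the policy's transition into container_t
# never applies. Prints "ok" or one "mislabeled: ..." line per offender.
check_runtime_labels() {
  printf '%s\n' "$1" | awk '
    $NF == "dockerd" || $NF == "containerd" {
      split($1, ctx, ":")
      if (ctx[3] != "container_runtime_t") {
        printf "mislabeled: %s runs as %s (expected container_runtime_t)\n", $NF, ctx[3]
        bad = 1
      }
    }
    END { if (!bad) print "ok" }'
}

# avc_field LINE KEY: value of KEY=value in an AVC record, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the first permission inside "denied { ... }".
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*[{][[:space:]]*\([^} ]*\).*/\1/p'
}

# diagnose_avc LINE: name source/target types and, for the exact shape seen in
# this issue (process transition into container_t from a source type other than
# container_runtime_t), point at the runtime label as the cause (heuristic).
diagnose_avc() {
  local line=$1 perm cls stype ttype
  perm=$(avc_perm "$line")
  cls=$(avc_field "$line" tclass)
  stype=$(selinux_type "$(avc_field "$line" scontext)")
  ttype=$(selinux_type "$(avc_field "$line" tcontext)")
  if [ "$cls" = process ] && [ "$perm" = transition ] \
     && [ "$ttype" = container_t ] && [ "$stype" != container_runtime_t ]; then
    printf 'runtime mislabeled: %s -> %s transition denied; run restorecon on the runtime binaries so they execute as container_runtime_t\n' "$stype" "$ttype"
  else
    printf 'denied %s on %s: %s -> %s\n' "$perm" "$cls" "$stype" "$ttype"
  fi
}

# Run against the embedded samples; on a real host feed in
# "$(ps -eZ | grep -e dockerd -e containerd)" and a line from `ausearch -m AVC`.
echo '== CentOS 7 sample =='; check_runtime_labels "$PS_MISLABELED"
echo '== RHEL 7 sample =='; check_runtime_labels "$PS_OK"
echo '== AVC =='; diagnose_avc "$AVC_LINE"
```

The type field is what matters here: the scontext of the denial is unconfined_service_t, which is exactly what a runtime started from a mislabeled binary ends up running as, so relabeling (restorecon) and restarting the daemon is the fix rather than any change to container-selinux.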

@justincormack

@rhatdan I opened a PR in #64; it also needs spec file updates once that is merged.

@rhatdan
Member

rhatdan commented Feb 7, 2019

Thanks, merged it. Will need to back port those changes into the branch that works on RHEL7.

@thaJeztah

@rhatdan do you know if the patch has been back ported to the correct RHEL7 branch? (which branch should it be back ported to? happy to open a backport PR)

@rhatdan
Member

rhatdan commented Mar 7, 2019

@lsm5 @mrunalp PTAL

@thaJeztah

@lsm5 @mrunalp 👋 do you know what the status is on this one?

@rhatdan
Member

rhatdan commented Apr 2, 2019

Should be in container-selinux-2.94. @lsm5 Did this make the cut yesterday?

@lsm5
Member

lsm5 commented Apr 2, 2019

2.94 ship date is about 3 weeks from now, so let's keep this open until then.

@thaJeztah

Thanks!

@andrewhsu
Author

Looks like container-selinux-2.95-2.el7_6.noarch is available now, but not sure if this fix is in:

bash$ rpm -q --changelog container-selinux|head -6
* Tue Apr 02 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 2:2.95-2
- rebase

* Thu Feb 28 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 2:2.84-2
- rebase

@andrewhsu
Author

I'm still able to exactly reproduce the error with container-selinux-2.95-2.el7_6.noarch, and downgrading to container-selinux-2.74-1.el7 addresses the issue.

@rhatdan
Member

rhatdan commented May 24, 2019

@andrewhsu Could you show me the AVCs you are seeing? Could you verify if docker and containerd are running as container_runtime_t?
ps -eZ | grep docker
ps -eZ | grep containerd

@andrewhsu
Author

@rhatdan apologies for the delayed reply...

With CentOS7:

$ rpm -q container-selinux
container-selinux-2.95-2.el7_6.noarch
$ ps -eZ | grep docker
system_u:system_r:container_runtime_t:s0 14371 ? 00:00:01 dockerd
$ ps -eZ | grep containerd
system_u:system_r:unconfined_service_t:s0 13970 ? 00:00:00 containerd
$ docker run --rm busybox echo hi
standard_init_linux.go:211: exec user process caused "permission denied"
$ docker --version
Docker version 19.03.0-rc2, build 674d742

However, I noticed RHEL7 has a newer container-selinux which seems to have fixed the problem:

$ rpm -q container-selinux
container-selinux-2.99-1.el7_6.noarch
$ ps -eZ | grep docker
system_u:system_r:container_runtime_t:s0 14749 ? 00:00:03 dockerd
$ ps -eZ | grep containerd
system_u:system_r:container_runtime_t:s0 14261 ? 00:00:01 containerd
$ docker run --rm busybox echo hi
hi
$ docker --version
Docker version 19.03.0-rc2, build 674d742

When will container-selinux-2.99 be available for CentOS 7?

@rhatdan
Member

rhatdan commented Jun 8, 2019

No idea on CentOS, usually they grab the latest available packages.

@elvios

elvios commented Jul 1, 2019

@andrewhsu
Version 2.99 is available through centos7-extras now.
But it does not fix the issue for me. Only when I install version 2.99 from the RHEL repo is the issue fixed.
