Fix additional typebounds
Major fix here is support for running a --no-new-priv container and SELinux at the same time.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2017-14678690da
This update has been submitted for testing by dwalsh.
This update has obsoleted container-selinux-2.4-1.fc25, and has inherited its bugs and notes.
This update has been pushed to testing.
works for me
tested with kube cluster
This update has been submitted for stable by bodhi.
Works for me.
This update has been pushed to stable.
Since installing this update, my docker-compose apps can no longer run programs that are bind-mounted from /usr/local/src.
That last comment by "anonymous" was me, in case you need to get back to me. I also missed marking the build correctly.
Please open a bugzilla for this. I see no reason for container-selinux to cause this issue.
Actually, looking at this more closely, it looks like you are bind mounting a file from /usr into the container, and then executing it?
If you chcon -t bin_t the executable, I would think the tool will work. Or if you mounted it in using :Z.
Yes, I bind-mount using this line:
I found it hard to decide where to put stuff with docker and SELinux, there's almost no documentation where files should be put such that SELinux allows access to them without having to fiddle with the policy. (See my comment on http://www.projectatomic.io/blog/2016/03/selinux-and-docker-part-2/)
I tried lowercase :ro,z today and it barked at me that relabeling is not permitted. What I tried now:
->
panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
and a note in the journal about audit: SELINUX_ERR op=security_compute_av reason=bounds ...
->
ERROR: for etherpad Cannot start service etherpad: SELinux relabeling of /usr/local/src/wait-for-it/wait-for-it.sh is not allowed: "Relabeling content in /usr is not allowed."
Is this a bug or am I doing something wrong, despite it being able to run under container-selinux-2.2-2.fc25.noarch.rpm.
Please open a Bugzilla or ping me on IRC to talk about this. But this should not block the package, since you would have this problem without this update.
https://bugzilla.redhat.com/show_bug.cgi?id=1419288
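The thread above turns on one point: Docker refuses to apply :z/:Z relabeling to content under /usr, so the two remedies are to give an executable the bin_t type with chcon, or to keep bind-mounted content in a tree that may be relabeled. The script below is an added example, not code from this update page or from the container-selinux project. It checks a planned bind-mount source before the container is started and prints which remedy applies. The function names are invented for this example, and the list of refused trees beyond /usr (the one the page demonstrates) is an assumption from memory of Docker's relabel exclusion list; confirm it against your daemon version.

```sh
#!/bin/sh
# Added example; not from the Bodhi page or the container-selinux project.
#
# Decide, before "docker run" or docker-compose, whether a bind-mount source
# can be relabelled with :z/:Z, and if not, which remedy from the thread
# applies: chcon -t bin_t for a file that will be executed, or moving the
# content to a tree where relabelling is permitted.
#
# ASSUMPTION: Docker refuses to relabel "/" and anything under these trees.
# The page shows /usr being refused; the remaining entries are the exclusion
# list as the author recalls it and must be checked against your daemon.
RELABEL_DENIED_TREES="/usr /etc /tmp /home /run /var /root"

# relabel_allowed PATH
#   exit 0 if :z/:Z relabelling of PATH would be accepted,
#   exit 1 if PATH is "/" or lies inside one of the denied trees.
relabel_allowed() {
    p=$1
    # "/" is always refused; strip one trailing slash elsewhere so that
    # "/usr/" and "/usr" compare alike
    case $p in
        /) return 1 ;;
        */) p=${p%/} ;;
    esac
    for tree in $RELABEL_DENIED_TREES; do
        case $p in
            "$tree"|"$tree"/*) return 1 ;;
        esac
    done
    return 0
}

# mount_advice PATH [exec]
#   prints the volume flag or command to use for PATH; pass "exec" as the
#   second argument when the file is meant to be executed in the container.
#   Exit status is 0 when :Z is usable, 1 when a workaround is needed.
mount_advice() {
    p=$1
    want_exec=${2:-}
    if relabel_allowed "$p"; then
        # relabelling is fine: private label via :Z, read-only as in the thread
        printf '%s\n' "-v $p:$p:ro,Z"
        return 0
    fi
    if [ "$want_exec" = exec ]; then
        # remedy from the thread: a type that confined container processes may execute
        printf '%s\n' "chcon -t bin_t $p"
    else
        printf '%s\n' "copy $p out of a protected tree (e.g. under /srv) and mount the copy with :Z"
    fi
    return 1
}

# Constructed sample paths: the one from the thread plus two others.
for sample in /usr/local/src/wait-for-it/wait-for-it.sh /srv/etherpad/config.json /etc; do
    if relabel_allowed "$sample"; then
        echo "$sample: relabel ok -> $(mount_advice "$sample")"
    else
        echo "$sample: relabel refused -> $(mount_advice "$sample" exec)"
    fi
done
```

Run it as a pre-flight check in the deployment script; a non-zero status from mount_advice is the signal that the compose file's :z/:Z flag will be rejected for that path. Note that chcon applies a label to the file as it is now, so a rebuilt or re-copied file loses it again; a persistent fix is to keep such scripts outside the protected trees and let :Z do the labeling.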