container-selinux-2.5-1.fc25

FEDORA-2017-14678690da created by dwalsh 7 years ago for Fedora 25 (status: stable)

Fix additional typebounds

The major fix here is support for running a --no-new-priv container and SELinux at the same time.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2017-14678690da

This update has been submitted for testing by dwalsh.

7 years ago

This update has obsoleted container-selinux-2.4-1.fc25, and has inherited its bugs and notes.

7 years ago

This update has been pushed to testing.

7 years ago
cserpentis commented & provided feedback 7 years ago

works for me

jasonbrooks commented & provided feedback 7 years ago

tested with kube cluster

This update has been submitted for stable by bodhi.

7 years ago
mhayden commented & provided feedback 7 years ago

Works for me.

This update has been pushed to stable.

7 years ago

Since installing this update, my docker-compose apps can no longer run programs that are bind-mounted from /usr/local/src.

audit: SELINUX_ERR op=security_compute_av reason=bounds scontext=system_u:system_r:container_t:s0:c259,c558 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file perms=entrypoint
$ # ls -laZ /usr/local/src/wait-for-it/wait-for-it.sh
-rwxr-xr-x. 1 root root unconfined_u:object_r:usr_t:s0 3658 Aug 25 20:25 /usr/local/src/wait-for-it/wait-for-it.sh
$ cat /etc/systemd/system/etherpad.yml
...
etherpad:
  # Wait for MariaDB to be up.
  entrypoint: /wait-for-it.sh --strict --timeout=90 mariadb:3306 -- /entrypoint.sh
  command: bin/run.sh --root

  volumes:
    - /usr/local/src/wait-for-it/wait-for-it.sh:/wait-for-it.sh:ro

agross commented & provided feedback 7 years ago

That last comment by "anonymous" was me, in case you need to get back to me. I also failed to mark the build correctly.

Please open a bugzilla for this. I see no reason for container-selinux to cause this issue.

Actually looking at this more closely it looks like you are bind mounting a file from /usr into the container, and then executing it?

If you chcon -t bin_t the executable, I would think the tool will work. Or if you mounted it in using :Z.

Yes, I bind-mount using this line:

/usr/local/src/wait-for-it/wait-for-it.sh:/wait-for-it.sh:ro

I found it hard to decide where to put stuff with docker and SELinux, there's almost no documentation where files should be put such that SELinux allows access to them without having to fiddle with the policy. (See my comment on http://www.projectatomic.io/blog/2016/03/selinux-and-docker-part-2/)

I tried lowercase :ro,z today and it barked at me that relabeling is not permitted.

What I tried now:

$ chcon -t bin_t /usr/local/src/wait-for-it/wait-for-it.sh
$ ls -laZ /usr/local/src/wait-for-it/wait-for-it.sh
-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0 3658 Aug 25 20:25 /usr/local/src/wait-for-it/wait-for-it.sh
# Restart container

-> panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered] and a note in the journal about audit: SELINUX_ERR op=security_compute_av reason=bounds ...

$ restorecon /usr/local/src/wait-for-it/wait-for-it.sh
$ ls -laZ /usr/local/src/wait-for-it/wait-for-it.sh
-rwxr-xr-x. 1 root root unconfined_u:object_r:usr_t:s0 3658 Aug 25 20:25 /usr/local/src/wait-for-it/wait-for-it.sh
# Changed mount to /usr/local/src/wait-for-it/wait-for-it.sh:/wait-for-it.sh:ro,Z
# Restart container

-> ERROR: for etherpad Cannot start service etherpad: SELinux relabeling of /usr/local/src/wait-for-it/wait-for-it.sh is not allowed: "Relabeling content in /usr is not allowed."

Is this a bug or am I doing something wrong, despite it being able to run under container-selinux-2.2-2.fc25.noarch.rpm?

Please open a Bugzilla or ping me on IRC to talk about this. But this should not block the package, since you would have this problem without this update.
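The two symptoms in this thread (an audit SELINUX_ERR with reason=bounds, and a refused :Z relabel of a bind-mount source under /usr) are easy to misread. The following POSIX shell script is an added example, not part of the Bodhi page, the commenters' posts, or container-selinux itself; it parses an audit line of the same shape as the one quoted above (the sample line is constructed) and flags compose-style volume entries whose host path cannot be relabeled. Function names, the "check_volume" input format (host:container:opts) and the advice text are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the Bodhi page or container-selinux): triage helpers
# for SELinux denials on bind-mounted executables. Sample data is constructed
# in the same shape as the audit line quoted in the thread.

SAMPLE_AUDIT='audit: SELINUX_ERR op=security_compute_av reason=bounds scontext=system_u:system_r:container_t:s0:c259,c558 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file perms=entrypoint'

# audit_field LINE KEY -> value of the KEY=VALUE pair in a space-separated audit line.
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# selinux_type CONTEXT -> the type component (third field) of an SELinux context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_selinux_err LINE -> one-line summary. reason=bounds means the source
# type is typebounded and the access falls outside the bounding type's rules,
# so changing the file's label alone (as tried with chcon -t bin_t in the
# thread) does not necessarily resolve it; this is a policy-level issue.
classify_selinux_err() {
    reason=$(audit_field "$1" reason)
    src=$(selinux_type "$(audit_field "$1" scontext)")
    tgt=$(selinux_type "$(audit_field "$1" tcontext)")
    cls=$(audit_field "$1" tclass)
    perm=$(audit_field "$1" perms)
    case "$reason" in
        bounds) echo "typebounds violation: $src denied '$perm' on $cls of type $tgt" ;;
        *)      echo "SELINUX_ERR ($reason): $src -> $tgt $cls $perm" ;;
    esac
}

# relabel_allowed SOURCE_PATH -> exit 0 if a :Z/:z bind mount may relabel it.
# Mirrors the error quoted in the thread: "Relabeling content in /usr is not allowed."
relabel_allowed() {
    case "$1" in
        /usr|/usr/*) return 1 ;;
        *)           return 0 ;;
    esac
}

# check_volume "host:container:opts" -> advice for one compose-style volume entry
# (assumed input format for this example).
check_volume() {
    host=$(printf '%s' "$1" | cut -d: -f1)
    opts=$(printf '%s' "$1" | cut -d: -f3)
    case ",$opts," in
        *,Z,*|*,z,*)
            if relabel_allowed "$host"; then
                echo "ok: $host can be relabeled for the container"
            else
                echo "blocked: $host is under /usr, so the relabel is refused; copy it outside /usr and mount that copy"
            fi ;;
        *)  echo "note: $host is mounted without :Z/:z and keeps its host label" ;;
    esac
}

# Demo run when executed directly.
classify_selinux_err "$SAMPLE_AUDIT"
check_volume "/usr/local/src/wait-for-it/wait-for-it.sh:/wait-for-it.sh:ro,Z"
check_volume "/usr/local/src/wait-for-it/wait-for-it.sh:/wait-for-it.sh:ro"
```

Feed real lines from `journalctl -k` or `ausearch` into classify_selinux_err to separate bounds violations (which need a policy fix or a bug report, as suggested in the thread) from ordinary AVC denials that a label change can address.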

Metadata
Type: enhancement
Karma: 2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled
Dates
submitted: 7 years ago
in testing: 7 years ago
in stable: 7 years ago