[CentOS-devel] Docker problems with centos 6 image based on libselinux.

Daniel J Walsh dwalsh at redhat.com
Wed May 21 19:55:50 UTC 2014


On 05/21/2014 02:08 PM, Jim Perrin wrote:
>
> On 05/21/2014 12:32 PM, Daniel J Walsh wrote:
>> People are reporting problems in Fedora about using centos rhel6 images.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1098120
>>
>> The problem is the libselinux in the centos image is reporting that
>> SELinux is enabled to processes running within the container.  Tools
>> like useradd and groupadd attempt to write to /proc/self/attr/* files
>> in order to setup proper labeling for SELinux.  Since /proc is now
>> mounted read/only within the docker containers, the writes are denied
>> and useradd/groupadd fail.
>>
>> I wrote the attached patch for RHEL6 libselinux to get RHEL6 images to
>> work properly. Basically the patched libselinux will report to processes
>> that SELinux is disabled if the selinux file system is not mounted or
>> mounted read/only. The fixed version of libselinux is already in Fedora
>> and RHEL7 versions of libselinux.
>>
>> Red Hat will be shipping this new version of libselinux in rhel6.6.  But
>> we will also ship it as part of our rhel6.5 Base Image.
>>
>> Privileged containers and systems with SELinux disabled do not have this
>> issue, however systems with SELinux in permissive mode or enforcing have
>> the problem.
>>
>> In permissive mode the problem will continue, since it is not SELinux
>> denying access to /proc.  It is actually the fact that /proc is mounted
>> Read/Only.  Previous versions of docker did not mount the /proc file
>> system as read/only.
>>
>> It would be a good idea if someone could get a patched version of
>> libselinux into the centos 6 docker image.
>
> As I understand this, the patch only needs to be applied to the
> libselinux package within the docker image, correct?
>
> KB / Johnny -
>
> If we were to pull this patch in how would we keep this package separate
> from the base packages to ensure we're not polluting the core build,
> while still enabling users access to the package? Something specific to
> cloud.centos.org maybe? A one-off file/repo location?
>
>
> What are the opinions of the cloud-sig folks?
Yes that is what I would recommend, and is actually what we are doing
with RHEL6.  New libselinux will show up in RHEL6.6 update but for now
only exists in rhel6.5 docker base image.
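
A check of the kind the patched libselinux is described as making, written here as an added example (it is not the RHEL6 patch nor any libselinux code): it scans /proc/self/mounts for a selinuxfs entry, treats a missing or read-only selinuxfs as "report SELinux disabled", and then attempts the /proc/self/attr/fscreate write that useradd and groupadd make through libselinux, reporting the errno (EROFS is what a read-only /proc produces). The mount-table parsing is this example's own simplification of how libselinux locates selinuxfs, and writing a bare newline to fscreate is assumed to be the harmless "clear the context" case; both are labelled in the code. The constants SELINUX_ABSENT/RO/RW and the function names are this example's, not libselinux's.

```c
/* selinux_probe.c - example, not libselinux code.
 * Build: cc -Wall -o selinux_probe selinux_probe.c
 * Run inside a container to see why useradd/groupadd fail when /proc is
 * read-only while the image's libselinux still reports SELinux enabled. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SELINUX_ABSENT 0 /* no selinuxfs mounted -> report disabled */
#define SELINUX_RO     1 /* selinuxfs mounted read-only -> report disabled */
#define SELINUX_RW     2 /* selinuxfs mounted read-write -> report enabled */

/* True if "ro" appears as a whole token in a comma separated option list
 * (so "errors=remount-ro" does not match). */
static int has_ro_option(const char *opts)
{
    const char *p = opts;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == 'r' && p[1] == 'o')
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Classify one /proc/self/mounts line ("source target fstype options dump pass").
 * Returns -1 if it is not a selinuxfs mount, else SELINUX_RO or SELINUX_RW.
 * Simplification for the example: real libselinux has its own mount scan. */
static int classify_mount_line(const char *line)
{
    char source[256], target[256], fstype[64], opts[512];
    if (sscanf(line, "%255s %255s %63s %511s", source, target, fstype, opts) != 4)
        return -1;
    if (strcmp(fstype, "selinuxfs") != 0)
        return -1;
    return has_ro_option(opts) ? SELINUX_RO : SELINUX_RW;
}

/* Decide what to tell callers from a mount table given as text. */
int selinux_state_from_mounts(const char *mounts)
{
    const char *p = mounts;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        int s = classify_mount_line(line);
        if (s >= 0)
            return s;
        if (!nl)
            break;
        p = nl + 1;
    }
    return SELINUX_ABSENT;
}

/* Same decision against the live mount table of this process. */
int selinux_state_live(void)
{
    static char buf[65536];
    size_t used = 0;
    int fd = open("/proc/self/mounts", O_RDONLY);
    if (fd < 0)
        return SELINUX_ABSENT;
    for (;;) {
        ssize_t n = read(fd, buf + used, sizeof buf - 1 - used);
        if (n <= 0)
            break;
        used += (size_t)n;
        if (used == sizeof buf - 1)
            break;
    }
    close(fd);
    buf[used] = '\0';
    return selinux_state_from_mounts(buf);
}

/* The write useradd/groupadd make via setfscreatecon(). A bare newline is
 * assumed here to mean "clear the file-creation context", so success is
 * harmless. Returns 0 on success, otherwise the errno (EROFS on a read-only /proc). */
int probe_fscreate_write(void)
{
    int fd = open("/proc/self/attr/fscreate", O_WRONLY);
    if (fd < 0)
        return errno;
    int rc = (write(fd, "\n", 1) == 1) ? 0 : errno;
    close(fd);
    return rc;
}

int main(void)
{
    static const char *names[] = { "absent", "read-only", "read-write" };
    int st = selinux_state_live();
    printf("selinuxfs: %s -> report SELinux %s\n", names[st],
           st == SELINUX_RW ? "enabled" : "disabled");
    int rc = probe_fscreate_write();
    printf("write /proc/self/attr/fscreate: %s\n", rc ? strerror(rc) : "ok");
    return 0;
}
```

On a host with SELinux enforcing or permissive and a read-write selinuxfs the first line reports "enabled" and the write succeeds; in an unprivileged container whose /proc is read-only the write fails with "Read-only file system", which is the failure the message attributes to useradd/groupadd. A libselinux that applies the rule in selinux_state_from_mounts would instead report disabled and never attempt the write.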
