[CentOS-devel] Docker problems with centos 6 image based on libselinux.

Daniel J Walsh

dwalsh at redhat.com
Wed May 21 17:32:16 UTC 2014


People are reporting problems in Fedora about using centos rhel6 images.

https://bugzilla.redhat.com/show_bug.cgi?id=1098120

The problem is the libselinux in the centos image is reporting that
SELinux is enabled to processes running within the container.  Tools
like useradd and groupadd attempt to write to /proc/self/attr/* files
in order to set up proper labeling for SELinux.  Since /proc is now
mounted read-only within the docker containers, the writes are denied
and useradd/groupadd fail.

I wrote the attached patch for RHEL6 libselinux to get RHEL6 images to
work properly. Basically the patched libselinux will report to processes
that SELinux is disabled if the selinux file system is not mounted or
mounted read-only. The fixed version of libselinux is already in the Fedora
and RHEL7 versions of libselinux.

Red Hat will be shipping this new version of libselinux in rhel6.6.  But
we will also ship it as part of our rhel6.5 Base Image.

Privileged containers and systems with SELinux disabled do not have this
issue, however systemd with SELinux in permissive mode or enforcing have
the problem.

In permissive mode the problem will continue, since it is not SELinux
denying access to /proc.  It is actually the fact that /proc is mounted
read-only.  Previous versions of docker did not mount the /proc file
system as read-only.

It would be a good idea if someone could get a patched version of
libselinux into the centos 6 docker image.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libselinux-2.0.94_enabled.patch
Type: text/x-patch
Size: 5924 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20140521/55bc173b/attachment-0002.bin>
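The rule the post describes (tell processes SELinux is disabled unless selinuxfs is mounted read-write) can be expressed as a small mount-table check. The C below is an added illustration written for this page, not the attached libselinux patch and not libselinux code: it parses text in /proc/self/mounts format, looks for the selinuxfs entry, and reports "enabled" only when that entry is mounted without the `ro` option. The three sample mount tables are constructed, the function names are hypothetical, and the live-system reader is only a convenience for running it inside a container to see what a process there would be told.

```c
/* Added example, not part of the original post or of libselinux.
 * Decide what a process should be told about SELinux from the mount table,
 * following the rule in the post: enabled only if selinuxfs is mounted
 * read-write; disabled if it is absent or mounted read-only. */
#include <stdio.h>
#include <string.h>

enum selinux_state { SELINUX_DISABLED = 0, SELINUX_ENABLED = 1 };

/* Constructed sample mount tables (hypothetical, /proc/self/mounts format). */
const char *SAMPLE_HOST =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";
const char *SAMPLE_CONTAINER_RO =
    "proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n";
const char *SAMPLE_CONTAINER_NONE =
    "proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0\n"
    "tmpfs /run tmpfs rw,nosuid,nodev 0 0\n";

/* Return 1 if the comma-separated option list contains "ro" as a whole token
 * (so "errors=remount-ro" does not count). */
int opts_have_ro(const char *opts) {
    const char *p = opts;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == 'r' && p[1] == 'o')
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Scan a mount table and return SELINUX_ENABLED only for a read-write
 * selinuxfs mount; anything else (missing or read-only) is SELINUX_DISABLED. */
int selinux_state_from_mounts(const char *mounts) {
    const char *line = mounts;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        char dev[128], mnt[128], fstype[64], opts[256];
        if (sscanf(buf, "%127s %127s %63s %255s", dev, mnt, fstype, opts) == 4 &&
            strcmp(fstype, "selinuxfs") == 0)
            return opts_have_ro(opts) ? SELINUX_DISABLED : SELINUX_ENABLED;

        line = nl ? nl + 1 : NULL;
    }
    return SELINUX_DISABLED; /* selinuxfs not mounted at all */
}

/* Read the live table from /proc/self/mounts; returns -1 if it is unreadable. */
int selinux_state_from_proc(void) {
    static char table[65536];
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f)
        return -1;
    size_t n = fread(table, 1, sizeof table - 1, f);
    fclose(f);
    table[n] = '\0';
    return selinux_state_from_mounts(table);
}

int main(void) {
    printf("host table:           %d\n", selinux_state_from_mounts(SAMPLE_HOST));
    printf("container, ro mount:  %d\n", selinux_state_from_mounts(SAMPLE_CONTAINER_RO));
    printf("container, no mount:  %d\n", selinux_state_from_mounts(SAMPLE_CONTAINER_NONE));
    printf("this system:          %d\n", selinux_state_from_proc());
    return 0;
}
```

Run inside a container whose /proc is read-only and the last line shows the value a patched libselinux would hand to useradd, which is why the write to /proc/self/attr/* is never attempted there; an unpatched libselinux in the image keeps answering 1 and the write fails as the post describes.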


More information about the CentOS-devel mailing list