[CentOS-devel] Docker problems with centos 6 image based on libselinux.

Wed May 21 19:55:50 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 05/21/2014 02:08 PM, Jim Perrin wrote:
>
> On 05/21/2014 12:32 PM, Daniel J Walsh wrote:
>> People are reporting problems in Fedora about using centos rhel6 images.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1098120
>>
>> The problem is the libselinux in the centos image is reporting that
>> SELinux is enabled to processes running within the container.  Tools
>> like useradd and groupadd attempt to write to /proc/self/attr/* files
>> in order to setup proper labeling for SELinux.  Since /proc is now
>> mounted read/only within the docker containers, the writes are denied
>> and useradd/groupadd fail.
>>
>> I wrote the attached patch for RHEL6 libselinux to get RHEL6 images to
>> work properly. Basically the patched libselinux will report to processes
>> that SELinux is disabled if the selinux file system is not mounted or
>> mounted read/only. The fixed version of libselinux is already in Fedora
>> and RHEL7 versions of libselinux.
>>
>> Red Hat will be shipping this new version of libselinux in rhel6.6.  But
>> we will also ship it as part of our rhel6.5 Base Image.
>>
>> Privileged containers and systems with SELinux disabled do not have this
>> issue, however systemd with SELinux in permissive mode or enforcing have
>> the problem.
>>
>> In permissive mode the problem will continue, since it is not SELinux
>> denying access to /proc.  It is actually the fact that /proc is mounted
>> Read/Only.  Previous versions of docker did not mount the /proc file
>> system as read/only.
>>
>> It would be a good idea if someone could get a patched version of
>> libselinux into the centos 6 docker image.
>
> As I understand this, the patch only needs to be applied to the
> libselinux package within the docker image, correct?
>
> KB / Johnny -
>
> If we were to pull this patch in how would we keep this package separate
> from the base packages to ensure we're not polluting the core build,
> while still enabling users access to the package? Something specific to
> cloud.centos.org maybe? A one-off file/repo location?
>
>
> What are the opinions of the cloud-sig folks?
Yes, that is what I would recommend, and is actually what we are doing
with RHEL6.  New libselinux will show up in RHEL6.6 update but for now
only exists in rhel6.5 docker base image.
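An added example, not the libselinux patch from the thread and not CentOS or Red Hat code, showing the decision rule Dan describes: report SELinux as disabled to the caller when selinuxfs is absent or mounted read-only, decided here from /proc/mounts text. The mount tables below are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/mounts samples (hypothetical, not from a real host).
   RO is the container case from the thread: selinuxfs present but read-only. */
static const char SAMPLE_MOUNTS_RO[] =
    "proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n";
static const char SAMPLE_MOUNTS_RW[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";

/* 1 if the comma-separated option list has the exact token "ro", else 0. */
static int has_ro_option(const char *opts)
{
    for (const char *p = opts; ; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && strncmp(p, "ro", 2) == 0)
            return 1;
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* What an is_selinux_enabled()-style check should answer inside a container,
   per the rule in the thread: 1 only if a selinuxfs entry exists and is
   read-write; 0 if absent or read-only. Lines are "dev mnt fstype opts dump pass". */
int selinux_enabled_from_mounts(const char *mounts)
{
    for (const char *p = mounts; *p; ) {
        char dev[128], mnt[128], fstype[64], opts[128];
        if (sscanf(p, "%127s %127s %63s %127s", dev, mnt, fstype, opts) == 4
            && strcmp(fstype, "selinuxfs") == 0)
            return has_ro_option(opts) ? 0 : 1;
        const char *nl = strchr(p, '\n');
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

int main(void)
{
    printf("%d %d\n", selinux_enabled_from_mounts(SAMPLE_MOUNTS_RO),
           selinux_enabled_from_mounts(SAMPLE_MOUNTS_RW)); /* prints "0 1" */
    return 0;
}
```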