On 05/21/2014 02:08 PM, Jim Perrin wrote:
>
> On 05/21/2014 12:32 PM, Daniel J Walsh wrote:
>> People are reporting problems in Fedora about using centos rhel6 images.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1098120
>>
>> The problem is the libselinux in the centos image is reporting that SELinux is enabled to processes running within the container. Tools like useradd and groupadd attempt to write to /proc/self/attr/* files in order to set up proper labeling for SELinux. Since /proc is now mounted read/only within the docker containers, the writes are denied and useradd/groupadd fail.
>>
>> I wrote the attached patch for RHEL6 libselinux to get RHEL6 images to work properly. Basically the patched libselinux will report to processes that SELinux is disabled if the selinux file system is not mounted or mounted read/only. The fixed version of libselinux is already in Fedora and RHEL7 versions of libselinux.
>>
>> Red Hat will be shipping this new version of libselinux in rhel6.6. But we will also ship it as part of our rhel6.5 Base Image.
>>
>> Privileged containers and systems with SELinux disabled do not have this issue, however systemd with SELinux in permissive mode or enforcing have the problem.
>>
>> In permissive mode the problem will continue, since it is not SELinux denying access to /proc. It is actually the fact that /proc is mounted read/only. Previous versions of docker did not mount the /proc file system as read/only.
>>
>> It would be a good idea if someone could get a patched version of libselinux into the centos 6 docker image.
>
> As I understand this, the patch only needs to be applied to the libselinux package within the docker image, correct?
>
> KB / Johnny -
>
> If we were to pull this patch in how would we keep this package separate from the base packages to ensure we're not polluting the core build, while still enabling users access to the package? Something specific to cloud.centos.org maybe? A one-off file/repo location?
>
> What are the opinions of the cloud-sig folks?

Yes, that is what I would recommend, and is actually what we are doing with RHEL6. New libselinux will show up in the RHEL6.6 update but for now only exists in the rhel6.5 docker base image.
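The mount check described in the thread, written out as an added example in C (this is not the attached libselinux patch, whose text is not on this page): it parses a constructed /proc/self/mounts listing and reports SELinux as disabled when selinuxfs is absent or mounted read-only, which is what keeps useradd/groupadd from trying to write /proc/self/attr/* in a container.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample /proc/self/mounts contents (not captured from a real
 * system): a host, a container with selinuxfs read-only, and no selinuxfs. */
static const char *HOST_MOUNTS =
    "proc /proc proc rw,relatime 0 0\n"
    "none /selinux selinuxfs rw,relatime 0 0\n";
static const char *CONTAINER_MOUNTS =
    "proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0\n"
    "none /selinux selinuxfs ro,relatime 0 0\n";
static const char *NO_SELINUXFS_MOUNTS =
    "proc /proc proc rw,relatime 0 0\n";

/* Return 1 if a library following the described behaviour should report
 * SELinux enabled (selinuxfs mounted read/write), 0 if it should report
 * disabled (selinuxfs missing or mounted read-only). */
int selinux_reported_enabled(const char *mounts)
{
    char line[512], dev[128], mnt[128], type[64], opts[256];
    const char *p = mounts;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;       /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        /* fields: device mountpoint fstype options dump pass */
        if (sscanf(line, "%127s %127s %63s %255s", dev, mnt, type, opts) != 4)
            continue;
        if (strcmp(type, "selinuxfs") != 0)
            continue;
        /* options are comma separated; any "ro" token means read-only */
        for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ","))
            if (strcmp(tok, "ro") == 0)
                return 0;
        return 1;
    }
    return 0; /* no selinuxfs mount at all */
}

int main(void)
{
    printf("host: %d\n", selinux_reported_enabled(HOST_MOUNTS));
    printf("container (ro): %d\n", selinux_reported_enabled(CONTAINER_MOUNTS));
    printf("no selinuxfs: %d\n", selinux_reported_enabled(NO_SELINUXFS_MOUNTS));
    return 0;
}
```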