https://bugzilla.redhat.com/show_bug.cgi?id=1096123
--- Comment #7 from Dominic Cleal <dcleal(a)redhat.com> ---
(In reply to Daniel Walsh from comment #5)
> The problem is inside the container it sees SELinux as being enabled, which
> is the bug.
> If you do id -Z, does it complain inside the container?
No, it runs and reports a context.
docker run --rm -t -i fedora sh
sh-4.2# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
sh-4.2# mount | grep /sys
sysfs on /sys type sysfs (ro,relatime,seclabel)

$ rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
$ docker run -i -t centos /bin/bash
bash-4.1# id -Z
system_u:system_r:docker_t:s0
bash-4.1# mount | grep sys
sysfs on /sys type sysfs (rw,seclabel,nosuid,nodev,noexec,relatime)

$ rpm -q docker-io
docker-io-0.11.1-3.fc20.x86_64
$ docker run -i -t centos /bin/bash
bash-4.1# id -Z
system_u:system_r:svirt_lxc_net_t:s0:c231,c400
bash-4.1# mount | grep /sys
sysfs on /sys type sysfs (ro,seclabel,relatime)
> SELinux sees the container as being disabled since /sys/fs/selinux is
> mounted as read/only, this will tell useradd NOT to try to do any SELinux
> stuff while in the container.
/sys is correctly read-only as you expected, but it seems useradd's still doing
SELinux stuff then. These packages are installed inside the EL6 container:
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
shadow-utils-4.1.4.2-13.el6.x86_64
Calling is_selinux_enabled() on Fedora is returning 0, while on EL6 it's
returning 1. Another difference - on Fedora, getenforce returns "Disabled" but
on EL6 it prints:
# getenforce
getenforce: getenforce() failedbash-4.1#
/selinux exists within the container, but nothing is actually mounted there.
It appears to be simply a directory on the root filesystem (/selinux/booleans
exists as an empty dir). No other SELinux mounts are visible.
Looking at libselinux-2.0.94, I think it's seeing selinuxfs listed in
/proc/filesystems and assuming SELinux is enabled because of this.
libselinux-2.2.1 on F20 doesn't seem to have this code.
libselinux-2.0.94/src/enabled.c:
	/* Drop back to detecting it the long way. */
	fp = fopen("/proc/filesystems", "r");
	if (!fp)
		return -1;
	__fsetlocking(fp, FSETLOCKING_BYCALLER);
	while ((num = getline(&buf, &len, fp)) != -1) {
		if (strstr(buf, "selinuxfs")) {
			enabled = 1;
			break;
		}
	}
# grep selinux /proc/filesystems
nodev selinuxfs
(All the above was tested with docker-io-0.11.1-3.fc20)
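As an added example (not libselinux, shadow-utils or Docker code, and not part of the bug comment), the two detection strategies side by side: the /proc/filesystems scan that the 2.0.94 excerpt above performs, and a stricter check that only counts a selinuxfs that is actually mounted and not read-only, which is the behaviour the comment says the container expects. Both functions take the file contents as a string so they can run against constructed input; the function names, the "ro" rule and the sample /proc contents are this example's own assumptions, not libselinux's actual implementation.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mimics the libselinux-2.0.94 fallback quoted above: any "selinuxfs" entry in
 * /proc/filesystems counts as enabled. In a container that file reflects the
 * host kernel, so this answers 1 even though no selinuxfs is mounted. */
int enabled_by_filesystems(const char *proc_filesystems)
{
    FILE *fp = fmemopen((void *)proc_filesystems, strlen(proc_filesystems), "r");
    char *buf = NULL;
    size_t len = 0;
    int enabled = 0;
    if (!fp) return -1;
    while (getline(&buf, &len, fp) != -1) {
        if (strstr(buf, "selinuxfs")) { enabled = 1; break; }
    }
    free(buf);
    fclose(fp);
    return enabled;
}

/* Stricter check (assumed policy, not libselinux code): walk /proc/mounts
 * ("dev mountpoint fstype opts ...") and report 1 only for a selinuxfs mount
 * without the "ro" option; a read-only or absent selinuxfs means disabled. */
int enabled_by_mounts(const char *proc_mounts)
{
    FILE *fp = fmemopen((void *)proc_mounts, strlen(proc_mounts), "r");
    char *buf = NULL;
    size_t len = 0;
    int enabled = 0;
    if (!fp) return -1;
    while (getline(&buf, &len, fp) != -1) {
        char fstype[32], opts[256];
        if (sscanf(buf, "%*s %*s %31s %255s", fstype, opts) != 2) continue;
        if (strcmp(fstype, "selinuxfs") != 0) continue;
        enabled = 1;                       /* mounted; now look for "ro" */
        for (char *t = strtok(opts, ","); t; t = strtok(NULL, ","))
            if (strcmp(t, "ro") == 0) enabled = 0;
        break;
    }
    free(buf);
    fclose(fp);
    return enabled;
}

/* Constructed inputs mirroring the report: the container's /proc/filesystems
 * lists the host's selinuxfs, while its /proc/mounts has only a read-only sysfs. */
const char container_filesystems[] = "nodev\tsysfs\nnodev\tselinuxfs\n\text4\n";
const char container_mounts[] = "sysfs /sys sysfs ro,seclabel,relatime 0 0\n";
const char host_mounts[] = "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";
```

Against the constructed container input the filesystems scan reports 1 while the mounts check reports 0, which is exactly the disagreement between the EL6 and F20 libselinux builds that the comment describes.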