https://bugzilla.redhat.com/show_bug.cgi?id=1112748
Bug ID: 1112748
Summary: Selinux prevents docker-io from updating /etc/passwd within a container
Product: Fedora
Version: 20
Component: docker-io
Severity: high
Assignee: lsm5@redhat.com
Reporter: artaxerxes2@iname.com
QA Contact: extras-qa@fedoraproject.org
CC: admiller@redhat.com, golang@lists.fedoraproject.org, hushan.jia@gmail.com, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, s@shk.io, vbatts@redhat.com

Description of problem: Running a certain docker command fails to run the container as expected since selinux intercepts a call to update /etc/passwd within the container.
Version-Release number of selected component (if applicable):
Docker version 1.0.0, build 63fe64c/1.0.0
selinux policy version is 29
How reproducible: always
Steps to Reproduce:
1. # yum upgrade
2. # yum install docker-io
3. add username to the docker group and restart the daemon
4. verify 'getenforce' returns 'Enforcing'
5. docker run -t -i -p 80:80 -p 20022:22 oskarhane/docker-wordpress-nginx-ssh
Actual results:
140624 15:34:46 mysqld_safe Logging to syslog.
140624 15:34:46 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
mysql root password: Yohraequ2eiB
wordpress password: ieHie5toi0zo
ssh password: se2Gai9eengu
usermod: failure while writing changes to /etc/passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 58606 100 58606 0 0 60339 0 --:--:-- --:--:-- --:--:-- 62148
Archive: nginx-helper.1.8.1.zip
nginx-helper.1.8.1 packaged
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/readme.txt
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/admin.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/install.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-sidebar.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-general.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-support.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/config.json
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.eot
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.svg
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.ttf
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.woff
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/nginx-fontello.css
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx.js
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/rtp-social-icons-32-32.png
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/logo.png
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/style.css
extracting: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-icon-32x32.png
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/nginx-helper.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/compatibility.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.mo
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.po
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/purger.php
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 38126 100 38126 0 0 151k 0 --:--:-- --:--:-- --:--:-- 154k
Archive: wp-ffpc.1.5.0.zip
wp-ffpc.1.5.0 packaged
creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-acache.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-class.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-nginx-sample.conf
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/readme.txt
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-backend.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/uninstall.php
creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-admin.css
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-abstract.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-utilities.php
sed: warning: failed to set default file creation context to system_u:object_r:svirt_sandbox_file_t:s0:c8,c525: Permission denied
Starting memcached: memcached.
140624 15:34:59 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
/usr/local/lib/python2.7/dist-packages/supervisor-3.0-py2.7.egg/supervisor/options.py:295: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
'Supervisord is running as root and it is searching '
2014-06-24 15:35:00,547 CRIT Supervisor running as root (no user in config file)
2014-06-24 15:35:00,646 INFO RPC interface 'supervisor' initialized
2014-06-24 15:35:00,646 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2014-06-24 15:35:00,646 INFO supervisord started with pid 380
2014-06-24 15:35:01,648 INFO spawned: 'nginx' with pid 391
2014-06-24 15:35:01,650 INFO spawned: 'mysqld' with pid 392
2014-06-24 15:35:01,651 INFO spawned: 'php5-fpm' with pid 393
2014-06-24 15:35:01,652 INFO spawned: 'ssh' with pid 394
2014-06-24 15:35:02,756 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: mysqld entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: php5-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:35:02,757 INFO success: ssh entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Expected results:
140624 15:36:48 mysqld_safe Logging to syslog.
140624 15:36:48 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
mysql root password: Eehujoh3ooyo
wordpress password: nana8aiTh6ju
ssh password: Eengoo2liMie
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 58606 100 58606 0 0 38969 0 0:00:01 0:00:01 --:--:-- 39412
Archive: nginx-helper.1.8.1.zip
nginx-helper.1.8.1 packaged
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/install.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-general.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-sidebar.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/lib/nginx-support.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/logo.png
extracting: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-icon-32x32.png
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/rtp-social-icons-32-32.png
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx.js
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/style.css
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.ttf
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.woff
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.svg
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/font/nginx-fontello.eot
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/css/nginx-fontello.css
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/assets/nginx-helper-icons/config.json
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/admin/admin.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/nginx-helper.php
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/readme.txt
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/compatibility.php
creating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.mo
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/languages/nginx-helper.po
inflating: /usr/share/nginx/www/wp-content/plugins/nginx-helper/purger.php
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 38126 100 38126 0 0 49638 0 --:--:-- --:--:-- --:--:-- 49903
Archive: wp-ffpc.1.5.0.zip
wp-ffpc.1.5.0 packaged
creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-nginx-sample.conf
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-class.php
creating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-admin.css
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-abstract.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-common/wp-plugin-utilities.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/uninstall.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/readme.txt
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-acache.php
inflating: /usr/share/nginx/www/wp-content/plugins/wp-ffpc/wp-ffpc-backend.php
Starting memcached: memcached.
/usr/local/lib/python2.7/dist-packages/supervisor-3.0-py2.7.egg/supervisor/options.py:295: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
'Supervisord is running as root and it is searching '
2014-06-24 15:37:02,595 CRIT Supervisor running as root (no user in config file)
2014-06-24 15:37:02,603 INFO RPC interface 'supervisor' initialized
2014-06-24 15:37:02,603 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2014-06-24 15:37:02,603 INFO supervisord started with pid 385
140624 15:37:03 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
2014-06-24 15:37:03,606 INFO spawned: 'nginx' with pid 396
2014-06-24 15:37:03,607 INFO spawned: 'mysqld' with pid 397
2014-06-24 15:37:03,608 INFO spawned: 'php5-fpm' with pid 398
2014-06-24 15:37:03,609 INFO spawned: 'ssh' with pid 399
2014-06-24 15:37:04,716 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: mysqld entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: php5-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-06-24 15:37:04,716 INFO success: ssh entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Additional info: If selinux is set to non-enforcing (setenforce 0), then the problem disappears.
Looking at the audit.log file, there is nothing related to a failed update around the time the usermod command is launched.
I tried the exact same steps on CentOS 6.5 and had no issue at all, even in Enforcing mode.
--- Comment #1 from Aurelien Marchand artaxerxes2@iname.com ---
One more detail: I opened this bug based on the exchange I had with Daniel Walsh for Bug 1096123. See comment #35 and onward (https://bugzilla.redhat.com/show_bug.cgi?id=1096123#c35).
Daniel Walsh dwalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dwalsh@redhat.com
--- Comment #2 from Daniel Walsh dwalsh@redhat.com ---
What does

docker run -t -i -p 80:80 -p 20022:22 oskarhane/docker-wordpress-nginx-ssh id -Z

return?
Lokesh Mandvekar lsm5@switzerlandmail.ch changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |lsm5@switzerlandmail.ch
Assignee|lsm5@redhat.com |lsm5@switzerlandmail.ch
--- Comment #3 from Aurelien Marchand artaxerxes2@iname.com ---
$ docker run --rm -t -i -p 80:80 -p 20042:22 oskarhane/docker-wordpress-nginx-ssh id -Z
system_u:system_r:svirt_lxc_net_t:s0:c62,c983
--- Comment #4 from Daniel Walsh dwalsh@redhat.com ---
That indicates to me that you are running with an image that does not handle SELinux properly.

docker run -ti -v /tmp:/tmp fedora /bin/id -Z
/bin/id: --context (-Z) works only on an SELinux-enabled kernel

Meaning that the image does not have an updated libselinux in it. libselinux in RHEL6 and CentOS6 report to programs that SELinux is enabled, when run within a container. In Fedora and RHEL7 they report that SELinux is disabled. When apps try to do SELinux stuff within a container, they are blocked and fail. This is why I am pushing to get an updated libselinux into CentOS 6 and RHEL6 container images.
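
An added diagnostic, not part of the original thread: it classifies the `id -Z` output discussed in comments #2 to #4 and compares it with the selinuxfs mount state inside the container. The function names, the constructed mount table, and the assumption that in-container tools can only manage labels when selinuxfs is mounted read-write are the example's own and are not stated in the thread.

```shell
#!/bin/sh
# Added example: compare what an image's userland believes about SELinux
# (via `id -Z`) with what the container can actually do (via selinuxfs).

# Classify the output of `id -Z` run inside the container.
classify_id_z() {
    case "$1" in
        *"works only on an SELinux-enabled kernel"*) echo disabled-view ;;
        *:*:*:*) echo enabled-view ;;   # user:role:type:level context
        *) echo unknown ;;
    esac
}

# Read /proc/mounts-style text on stdin; print rw, ro or absent for selinuxfs.
selinuxfs_state() {
    awk '$3 == "selinuxfs" {
             found = 1; state = "rw"
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "ro") state = "ro"
         }
         END { print (found ? state : "absent") }'
}

# Assumption: only a read-write selinuxfs lets in-container tools set labels.
# $1 = `id -Z` output, $2 = selinuxfs_state result.
image_selinux_report() {
    view=$(classify_id_z "$1")
    case "$view:$2" in
        enabled-view:ro|enabled-view:absent) echo mismatch ;;
        disabled-view:ro|disabled-view:absent|enabled-view:rw) echo consistent ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: the context reported in comment #3 plus a made-up
# mount table in which selinuxfs is read-only.
sample_mounts='proc /proc proc rw,nosuid,nodev,noexec 0 0
selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0'
state=$(printf '%s\n' "$sample_mounts" | selinuxfs_state)
image_selinux_report 'system_u:system_r:svirt_lxc_net_t:s0:c62,c983' "$state"
```

Inside a running container, feed it real data with `selinuxfs_state < /proc/mounts` and the actual `id -Z` output; a `mismatch` result matches the situation comment #4 describes, where the image's libselinux reports SELinux as enabled and label operations then fail.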
Jim Perrin jperrin@centos.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jperrin@centos.org

--- Comment #5 from Jim Perrin jperrin@centos.org ---
The CentOS docker image has the patch that was posted to the centos-devel mailing list included.
We pushed it into centosplus and specifically install it in the docker image. I believe this image was pushed to the docker index around June 9th.
Daniel Walsh dwalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |CURRENTRELEASE
Last Closed| |2014-07-22 13:41:38