Comments (16)

thaJeztah avatar thaJeztah commented on August 17, 2024

ping @rhatdan ptal 🤗

from container-selinux.

rhatdan avatar rhatdan commented on August 17, 2024

This looks like the docker daemon or containerd is mislabeled.

It is not because of container selinux

yum -y update container-selinux
restorecon -R -v /usr/bin/docker* /usr/bin/containerd*
ls -lZ /usr/bin/docker* /usr/bin/containerd*
Should be labeled container_runtime_exec_t.

systemctl restart docker

ps -eZ | grep docker

Should be running as container_runtime_t

justincormack avatar justincormack commented on August 17, 2024

@rhatdan I opened a PR in #64 also needs spec file updates once that is merged.

rhatdan avatar rhatdan commented on August 17, 2024

Thanks, merged it. Will need to backport those changes into the branch that works on RHEL7.

thaJeztah avatar thaJeztah commented on August 17, 2024

@rhatdan do you know if the patch has been backported to the correct RHEL7 branch? (Which branch should it be backported to? Happy to open a backport PR.)

rhatdan avatar rhatdan commented on August 17, 2024

@lsm5 @mrunalp PTAL

thaJeztah avatar thaJeztah commented on August 17, 2024

@lsm5 @mrunalp 👋 do you know what the status is on this one?

rhatdan avatar rhatdan commented on August 17, 2024

Should be in container-selinux-2.94. @lsm5 Did this make the cut yesterday?

lsm5 avatar lsm5 commented on August 17, 2024

2.94 ship date is about 3 weeks from now, so let's keep this open until then.

thaJeztah avatar thaJeztah commented on August 17, 2024

Thanks!

andrewhsu avatar andrewhsu commented on August 17, 2024

Looks like container-selinux-2.95-2.el7_6.noarch is available now, but not sure if this fix is in:

bash$ rpm -q --changelog container-selinux|head -6
* Tue Apr 02 2019 Frantisek Kluknavsky <[email protected]> - 2:2.95-2
- rebase

* Thu Feb 28 2019 Frantisek Kluknavsky <[email protected]> - 2:2.84-2
- rebase

andrewhsu avatar andrewhsu commented on August 17, 2024

I'm still able to reproduce the error exactly with container-selinux-2.95-2.el7_6.noarch, and downgrading to container-selinux-2.74-1.el7 addresses the issue.

rhatdan avatar rhatdan commented on August 17, 2024

@andrewhsu Could you show me the AVCs you are seeing? Could you verify if docker and containerd are running as container_runtime_t?
ps -eZ | grep docker
ps -eZ | grep containerd

andrewhsu avatar andrewhsu commented on August 17, 2024

@rhatdan apologies for the delayed reply...

With CentOS7:

$ rpm -q container-selinux
container-selinux-2.95-2.el7_6.noarch
$ ps -eZ | grep docker
system_u:system_r:container_runtime_t:s0 14371 ? 00:00:01 dockerd
$ ps -eZ | grep containerd
system_u:system_r:unconfined_service_t:s0 13970 ? 00:00:00 containerd
$ docker run --rm busybox echo hi
standard_init_linux.go:211: exec user process caused "permission denied"
$ docker --version
Docker version 19.03.0-rc2, build 674d742

However, I noticed RHEL7 has a newer container-selinux which seems to have fixed the problem:

$ rpm -q container-selinux
container-selinux-2.99-1.el7_6.noarch
$ ps -eZ | grep docker
system_u:system_r:container_runtime_t:s0 14749 ? 00:00:03 dockerd
$ ps -eZ | grep containerd
system_u:system_r:container_runtime_t:s0 14261 ? 00:00:01 containerd
$ docker run --rm busybox echo hi
hi
$ docker --version
Docker version 19.03.0-rc2, build 674d742

When will container-selinux-2.99 be available for CentOS 7?
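The checks rhatdan asks for above (binaries labeled container_runtime_exec_t, daemons running as container_runtime_t) can be scripted so the mismatch andrewhsu's CentOS 7 session shows (containerd in unconfined_service_t) is caught mechanically. The script below is an added example; it is not code from the container-selinux project or from anyone in this thread. It assumes the `ps -eZ` column layout shown in the thread (context, PID, TTY, TIME, CMD) and locates the context in `ls -lZ` output by its colon count, since that column layout differs between coreutils versions. The sample inputs embedded in it are constructed from the thread's CentOS 7 output plus one made-up mislabeled binary.

```shell
#!/bin/sh
# Added example, not from the container-selinux project or this thread.
# Scripts the two checks described above:
#   1. /usr/bin/docker* and /usr/bin/containerd* should be labeled
#      container_runtime_exec_t (ls -lZ), and
#   2. dockerd and containerd should run in the container_runtime_t domain
#      (ps -eZ).
# The samples at the bottom are constructed; on a real host feed in the
# actual command output instead.

EXPECTED_EXEC_TYPE=container_runtime_exec_t
EXPECTED_PROC_TYPE=container_runtime_t

# The third field of an SELinux context (user:role:type:level) is the type.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ps -eZ` output on stdin. Print "<pid> <comm> <type>" for every
# dockerd/containerd process whose domain is not $EXPECTED_PROC_TYPE.
# Returns 0 when all runtime daemons are confined correctly, 1 otherwise.
# The thread shows containerd in unconfined_service_t next to the
# "permission denied" exec failure; this is exactly what gets flagged.
mislabeled_runtime_procs() {
    rc=0
    while read -r ctx pid tty cpu comm; do
        case "$comm" in
            dockerd|containerd|containerd-shim*) ;;
            *) continue ;;          # header line or unrelated process
        esac
        t=$(selinux_type "$ctx")
        if [ "$t" != "$EXPECTED_PROC_TYPE" ]; then
            printf '%s %s %s\n' "$pid" "$comm" "$t"
            rc=1
        fi
    done
    return "$rc"
}

# Read `ls -lZ` output on stdin. The context is the field with at least
# three colons; the path is the last field. Print "<path> <type>" for every
# file whose type is not $EXPECTED_EXEC_TYPE; return 1 if any was found.
mislabeled_runtime_binaries() {
    rc=0
    while read -r line; do
        ctx=''
        path=''
        for f in $line; do
            case "$f" in *:*:*:*) ctx=$f ;; esac
            path=$f
        done
        [ -n "$ctx" ] || continue   # "total N" or an empty line
        t=$(selinux_type "$ctx")
        if [ "$t" != "$EXPECTED_EXEC_TYPE" ]; then
            printf '%s %s\n' "$path" "$t"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: the ps lines are the thread's CentOS 7 session before
# the fix; the bin_t label on containerd is made up to exercise the check.
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:container_runtime_t:s0 14371 ? 00:00:01 dockerd
system_u:system_r:unconfined_service_t:s0 13970 ? 00:00:00 containerd'

SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:container_runtime_exec_t:s0 /usr/bin/dockerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/containerd'

# On a real host:  ps -eZ | mislabeled_runtime_procs
#            and:  ls -lZ /usr/bin/docker* /usr/bin/containerd* | mislabeled_runtime_binaries
if printf '%s\n' "$SAMPLE_PS" | mislabeled_runtime_procs; then
    echo "ok: runtime daemons run as $EXPECTED_PROC_TYPE"
else
    echo "fix: restorecon -R -v /usr/bin/docker* /usr/bin/containerd* && systemctl restart docker" >&2
fi
printf '%s\n' "$SAMPLE_LS" | mislabeled_runtime_binaries ||
    echo "fix: restorecon -R -v /usr/bin/docker* /usr/bin/containerd*" >&2
```

Both functions return non-zero when something is mislabeled, so they drop into a health check or a CI job as-is; the printed lines name the offending PID or path and the type it actually carries, which is the detail needed when reporting back on a thread like this one.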

rhatdan avatar rhatdan commented on August 17, 2024

No idea on CentOS, usually they grab the latest available packages.

elvios avatar elvios commented on August 17, 2024

@andrewhsu
Version 2.99 is available through centos7-extras now.
But it does not fix the issue for me. Only when I install version 2.99 from the rhel-repo is the issue fixed.