Bug 1262812 - selinux-policy-targeted overwrites policy from docker-selinux, preventing docker from working properly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
urgent
high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1261811
Reported: 2015-09-14 12:10 UTC by Jarle Bjørgeengen
Modified: 2019-08-15 05:24 UTC (History)

Fixed In Version: selinux-policy-3.13.1-51.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 10:46:24 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2300 0 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Description Jarle Bjørgeengen 2015-09-14 12:10:59 UTC
Description of problem:
The package docker-selinux contains the additional rules necessary for docker to work properly when running SELinux in targeted mode. docker-selinux does its policy installation by loading a binary module from /usr/share/selinux/packages/ directly with semodule and load_policy (via the rpm %{POSTIN} routine). This creates a new, updated docker.pp in

/etc/selinux/targeted/modules/active/modules/

However, this file is owned by:

    [root@yme test-nginx]# rpm -qf /etc/selinux/targeted/modules/active/modules/docker.pp 
    selinux-policy-targeted-3.13.1-23.el7_1.17.noarch
    [root@yme test-nginx]#

Version-Release number of selected component (if applicable):


How reproducible:

Always.

Steps to Reproduce:
1. Upgrade selinux-policy-targeted
2. Run systemctl restart docker 

Actual results:
restart of docker hangs, because now this is not allowed anymore:

allow docker_t firewalld_t:dbus send_msg;


Expected results:

systemctl restart docker returns with success. 

Additional info:

Workaround: 

 yum -y reinstall docker-selinux

Comment 2 Milos Malik 2015-09-15 11:39:27 UTC
# find /usr/share/selinux/devel/ -name docker.if
/usr/share/selinux/devel/include/contrib/docker.if
/usr/share/selinux/devel/include/services/docker.if
# rpm -qf /usr/share/selinux/devel/include/contrib/docker.if
selinux-policy-devel-3.13.1-48.el7.noarch
# rpm -qf /usr/share/selinux/devel/include/services/docker.if 
docker-selinux-1.7.1-108.el7.x86_64
#

The existence of 2 docker.if files causes following problems when compiling a local policy module:

# cat mypolicy.te 
policy_module(mypolicy,1.0)
# rm -rf tmp
# make -f /usr/share/selinux/devel/Makefile 
/usr/share/selinux/devel/include/contrib/docker.if:14: Error: duplicate definition of docker_domtrans(). Original definition on 14.
/usr/share/selinux/devel/include/contrib/docker.if:33: Error: duplicate definition of docker_exec(). Original definition on 33.
/usr/share/selinux/devel/include/contrib/docker.if:52: Error: duplicate definition of docker_search_lib(). Original definition on 52.
/usr/share/selinux/devel/include/contrib/docker.if:71: Error: duplicate definition of docker_exec_lib(). Original definition on 71.
/usr/share/selinux/devel/include/contrib/docker.if:90: Error: duplicate definition of docker_read_lib_files(). Original definition on 90.
/usr/share/selinux/devel/include/contrib/docker.if:109: Error: duplicate definition of docker_read_share_files(). Original definition on 109.
/usr/share/selinux/devel/include/contrib/docker.if:128: Error: duplicate definition of docker_manage_lib_files(). Original definition on 128.
/usr/share/selinux/devel/include/contrib/docker.if:148: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 148.
/usr/share/selinux/devel/include/contrib/docker.if:184: Error: duplicate definition of docker_lib_filetrans(). Original definition on 184.
/usr/share/selinux/devel/include/contrib/docker.if:202: Error: duplicate definition of docker_read_pid_files(). Original definition on 202.
/usr/share/selinux/devel/include/contrib/docker.if:221: Error: duplicate definition of docker_systemctl(). Original definition on 221.
/usr/share/selinux/devel/include/contrib/docker.if:246: Error: duplicate definition of docker_rw_sem(). Original definition on 246.
/usr/share/selinux/devel/include/contrib/docker.if:264: Error: duplicate definition of docker_use_ptys(). Original definition on 264.
/usr/share/selinux/devel/include/contrib/docker.if:282: Error: duplicate definition of docker_filetrans_named_content(). Original definition on 282.
/usr/share/selinux/devel/include/contrib/docker.if:315: Error: duplicate definition of docker_stream_connect(). Original definition on 315.
/usr/share/selinux/devel/include/contrib/docker.if:334: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 334.
/usr/share/selinux/devel/include/contrib/docker.if:356: Error: duplicate definition of docker_admin(). Original definition on 356.
/usr/share/selinux/devel/include/kernel/kernel.if:3879: Error: duplicate definition of kernel_unlabeled_domtrans(). Original definition on 445.
/usr/share/selinux/devel/include/kernel/kernel.if:3900: Error: duplicate definition of kernel_unlabeled_entry_type(). Original definition on 438.
/usr/share/selinux/devel/include/kernel/files.if:7840: Error: duplicate definition of files_write_all_pid_sockets(). Original definition on 454.
/usr/share/selinux/devel/include/kernel/filesystem.if:4537: Error: duplicate definition of fs_dontaudit_remount_tmpfs(). Original definition on 424.
/usr/share/selinux/devel/include/kernel/devices.if:221: Error: duplicate definition of dev_dontaudit_list_all_dev_nodes(). Original definition on 431.
/usr/share/selinux/devel/include/kernel/devices.if:4499: Error: duplicate definition of dev_dontaudit_mounton_sysfs(). Original definition on 461.
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
#
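The root cause in both the description (two packages installing a docker policy module) and this comment (two docker.if files in the devel include tree) is the same interface names being shipped twice. The script below is an added example, not code from the bug report or from the selinux-policy or docker-selinux packages: it scans a devel include tree for interface names declared in more than one .if file and reports every file involved. The sample tree it builds is constructed for the demonstration; its docker.if contents are abbreviated stand-ins for the real files, and docker_example_only is a made-up interface that exists in only one file so the scan has a negative case.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the selinux-policy
# or docker-selinux packages. It detects the condition behind the
# "duplicate definition" errors above: the same interface name declared in
# more than one .if file under a policy devel include tree.

# Usage: find_duplicate_interfaces /usr/share/selinux/devel/include
# Prints one line per interface defined in more than one file:
#   <interface_name> <file1> <file2> ...
find_duplicate_interfaces() {
    dir="$1"
    # Every interface in an .if file starts a line as: interface(`name',`
    # 1. grep -H -o emits "file:interface(`name'" for each definition
    # 2. sed turns that into "name file"
    # 3. awk groups by name and keeps names seen in more than one file
    find "$dir" -type f -name '*.if' \
         -exec grep -H -o "^interface(\`[A-Za-z0-9_]*'" {} + 2>/dev/null \
      | sed "s/^\(.*\):interface(\`\(.*\)'$/\2 \1/" \
      | sort -u \
      | awk '{ files[$1] = files[$1] " " $2; count[$1]++ }
             END { for (name in count) if (count[name] > 1) print name files[name] }' \
      | sort
}

# Builds a constructed include tree in a temp directory mirroring the layout
# from Comment 2: contrib/docker.if (the selinux-policy-devel copy) and
# services/docker.if (the docker-selinux copy) both define docker_domtrans
# and docker_exec. docker_example_only is a made-up interface present in one
# file only. Prints the tree's path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/contrib" "$root/services"
    cat > "$root/contrib/docker.if" <<'EOF'
## <summary>Constructed sample, not the real docker.if</summary>
interface(`docker_domtrans',`
    gen_require(`
        type docker_t, docker_exec_t;
    ')
    domtrans_pattern($1, docker_exec_t, docker_t)
')
interface(`docker_exec',`
    gen_require(`
        type docker_exec_t;
    ')
    can_exec($1, docker_exec_t)
')
EOF
    cat > "$root/services/docker.if" <<'EOF'
## <summary>Constructed sample, not the real docker.if</summary>
interface(`docker_domtrans',`
    gen_require(`
        type docker_t, docker_exec_t;
    ')
    domtrans_pattern($1, docker_exec_t, docker_t)
')
interface(`docker_exec',`
    gen_require(`
        type docker_exec_t;
    ')
    can_exec($1, docker_exec_t)
')
interface(`docker_example_only',`
    gen_require(`
        type docker_t;
    ')
    allow $1 docker_t:process signal;
')
EOF
    printf '%s\n' "$root"
}

# With a directory argument, scan it; otherwise demonstrate on the sample tree.
if [ "$#" -ge 1 ]; then
    find_duplicate_interfaces "$1"
else
    sample=$(make_sample_tree)
    find_duplicate_interfaces "$sample"
    rm -rf "$sample"
fi
```

On the sample tree the scan reports docker_domtrans and docker_exec with both file paths and stays silent about docker_example_only. On a RHEL 7 host, pointing it at /usr/share/selinux/devel/include and running `rpm -qf` on each reported file, as this comment does, shows which packages are colliding before a `make -f /usr/share/selinux/devel/Makefile` build fails with duplicate definitions.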

Comment 3 Lukas Vrabec 2015-09-16 14:49:08 UTC
Hi,
It looks like the docker team ships a docker SELinux module and the selinux team also ships a docker module.

Dan, Lokesh,
What are the steps to fix this? Could you ship the docker policy from RHEL 7.3?

Comment 4 Daniel Walsh 2015-09-16 17:04:42 UTC
selinux-policy package should no longer be shipping docker.pp.  It should only be shipped in docker-selinux package.

Comment 12 errata-xmlrpc 2015-11-19 10:46:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

