https://bugzilla.redhat.com/show_bug.cgi?id=1096123
--- Comment #7 from Dominic Cleal <[email protected]> ---
(In reply to Daniel Walsh from comment #5)
> The problem is inside the container it sees SELinux as being enabled, which
> is the bug.
>
> If you do id -Z, does it complain inside the container?

No, it runs and reports a context.

> docker run --rm -t -i fedora sh
> sh-4.2# id -Z
> id: --context (-Z) works only on an SELinux-enabled kernel
> sh-4.2# mount | grep /sys
> sysfs on /sys type sysfs (ro,relatime,seclabel)

$ rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
$ docker run -i -t centos /bin/bash
bash-4.1# id -Z
system_u:system_r:docker_t:s0
bash-4.1# mount | grep sys
sysfs on /sys type sysfs (rw,seclabel,nosuid,nodev,noexec,relatime)

$ rpm -q docker-io
docker-io-0.11.1-3.fc20.x86_64
$ docker run -i -t centos /bin/bash
bash-4.1# id -Z
system_u:system_r:svirt_lxc_net_t:s0:c231,c400
bash-4.1# mount | grep /sys
sysfs on /sys type sysfs (ro,seclabel,relatime)

> SELinux sees the container as being disabled since /sys/fs/selinux is
> mounted as read/only, this will tell useradd NOT to try to do any SELinux
> stuff while in the container.

/sys is correctly read-only as you expected, but it seems useradd's still doing SELinux stuff then.

These packages are installed inside the EL6 container:

libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
shadow-utils-4.1.4.2-13.el6.x86_64

Calling is_selinux_enabled() on Fedora is returning 0, while on EL6 it's returning 1.

Another difference - on Fedora, getenforce returns "Disabled" but on EL6 it prints:

# getenforce
getenforce: getenforce() failedbash-4.1#

/selinux exists within the container, but nothing is actually mounted there. It appears to be simply a directory on the root filesystem (/selinux/booleans exists as an empty dir). No other SELinux mounts are visible.

Looking at libselinux-2.0.94, I think it's seeing selinuxfs listed in /proc/filesystems and assuming SELinux is enabled because of this.
libselinux-2.2.1 on F20 doesn't seem to have this code.

libselinux-2.0.94/src/enabled.c:

    /* Drop back to detecting it the long way. */
    fp = fopen("/proc/filesystems", "r");
    if (!fp)
        return -1;
    __fsetlocking(fp, FSETLOCKING_BYCALLER);
    while ((num = getline(&buf, &len, fp)) != -1) {
        if (strstr(buf, "selinuxfs")) {
            enabled = 1;
            break;
        }
    }

# grep selinux /proc/filesystems
nodev   selinuxfs

(All the above was tested with docker-io-0.11.1-3.fc20)
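The following program is an added illustration of the detection gap the comment describes; it is not code from the bug report, from libselinux, or from docker-io. It reimplements the libselinux-2.0.94 heuristic (any `selinuxfs` line in `/proc/filesystems` means "enabled") beside a check that only trusts an actually mounted `selinuxfs` entry in `/proc/self/mounts`, and runs both over constructed samples that mirror the comment's container (host kernel registers `selinuxfs`, nothing mounted) and a real SELinux host. The function names, the sample texts and the choice of a mount-table check as the comparison are assumptions made for the example; the page does not say which check libselinux-2.2.1 performs.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /proc/filesystems as seen inside the EL6 container
 * from the comment: the host kernel registers selinuxfs, so it is listed
 * even though nothing is mounted on it. */
static const char *SAMPLE_PROC_FILESYSTEMS =
    "nodev\tsysfs\n"
    "nodev\tproc\n"
    "nodev\tselinuxfs\n"
    "\text4\n";

/* Constructed sample of /proc/self/mounts inside the container: /sys is a
 * read-only sysfs (as in the comment's `mount | grep /sys`) and no selinuxfs
 * is mounted anywhere. */
static const char *SAMPLE_CONTAINER_MOUNTS =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs ro,seclabel,relatime 0 0\n";

/* Constructed sample of /proc/self/mounts on a host with SELinux enabled. */
static const char *SAMPLE_HOST_MOUNTS =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";

/* Copy the next '\n'-terminated line of *cursor into buf; return 0 at end. */
static int next_line(const char **cursor, char *buf, size_t bufsz)
{
    const char *p = *cursor;
    if (!p || !*p)
        return 0;
    const char *nl = strchr(p, '\n');
    size_t n = nl ? (size_t)(nl - p) : strlen(p);
    if (n >= bufsz)
        n = bufsz - 1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    *cursor = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Legacy heuristic (libselinux 2.0.94 style): SELinux counts as enabled if
 * any line of /proc/filesystems mentions selinuxfs. This is what misfires in
 * a container, because /proc/filesystems reflects the host kernel. */
int selinux_enabled_by_filesystems(const char *filesystems)
{
    char line[256];
    const char *cur = filesystems;
    while (next_line(&cur, line, sizeof line))
        if (strstr(line, "selinuxfs"))
            return 1;
    return 0;
}

/* Mount-based check: SELinux counts as enabled only if a mount entry of
 * type selinuxfs exists in this mount namespace. Fields in /proc/self/mounts
 * are "source mountpoint fstype options dump pass". */
int selinux_enabled_by_mounts(const char *mounts)
{
    char line[256], src[64], mnt[128], type[32];
    const char *cur = mounts;
    while (next_line(&cur, line, sizeof line)) {
        if (sscanf(line, "%63s %127s %31s", src, mnt, type) != 3)
            continue;
        if (strcmp(type, "selinuxfs") == 0)
            return 1;
    }
    return 0;
}

/* Read a small procfs file into buf; returns 0 on failure. */
static int read_small_file(const char *path, char *buf, size_t bufsz)
{
    FILE *fp = fopen(path, "r");
    if (!fp)
        return 0;
    size_t n = fread(buf, 1, bufsz - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return 1;
}

int main(void)
{
    static char fs[8192], mnt[32768];
    printf("constructed container: filesystems=%d mounts=%d\n",
           selinux_enabled_by_filesystems(SAMPLE_PROC_FILESYSTEMS),
           selinux_enabled_by_mounts(SAMPLE_CONTAINER_MOUNTS));
    printf("constructed host:      mounts=%d\n",
           selinux_enabled_by_mounts(SAMPLE_HOST_MOUNTS));
    /* Live check of the machine this runs on, if /proc is available. */
    if (read_small_file("/proc/filesystems", fs, sizeof fs) &&
        read_small_file("/proc/self/mounts", mnt, sizeof mnt))
        printf("this system:           filesystems=%d mounts=%d\n",
               selinux_enabled_by_filesystems(fs),
               selinux_enabled_by_mounts(mnt));
    return 0;
}
```

On the constructed container sample the two checks disagree (1 versus 0), which is exactly the split the comment observes between is_selinux_enabled() on EL6 and on Fedora; when the live check at the end prints a disagreement inside a container, the userspace in that image is still relying on the /proc/filesystems heuristic.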
