[Touch-packages] [Bug 1424795] Re: Old libselinux in Precise breaks things in Docker on SELinux-enabled host

2015-07-03 Thread Ben Webb
Hmm, while the Trusty package *does* fix id -Z, useradd and cp -a, it
breaks su ("su user" always fails with "su: Authentication failure").
However, I can report that the patch from CentOS 6 applies cleanly to
the 2.1.0-4.1ubuntu1 libselinux .deb package; I built a modified package
with this patch applied and everything works correctly for me. If you
want to try it, it's at
http://salilab.org/~ben/libselinux1_2.1.0-5.1ubuntu1_amd64.deb

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1424795

Title:
  Old libselinux in Precise breaks things in Docker on SELinux-enabled
  host

Status in libselinux package in Ubuntu:
  Confirmed

Bug description:
  In a Docker container running on an SELinux capable kernel, the fact
  that /sys is mounted RO is supposed to signal to the container that
  SELinux is not supported on the inside, so it doesn't try to do things
  that won't work. The version of libselinux in Ubuntu 12.04 is too old
  to have the above check, breaking basic functionality like shadow-utils.

  RHEL 6 had the same problem; their fix was to update libselinux:
  https://bugzilla.redhat.com/show_bug.cgi?id=1112748

  Previously reported downstream:
  https://github.com/tianon/docker-brew-ubuntu-core/issues/29

  Release: Ubuntu 12.04.5 LTS

  Installed package version: 2.1.0-4.1ubuntu1

  Expected results:
  # useradd test
  success
  # id -Z
  id: --context (-Z) works only on an SELinux-enabled kernel

  Actual results:
  root@b55e77ab9ef4:/# useradd test
  useradd: failure while writing changes to /etc/passwd
  root@b55e77ab9ef4:/# vipw
  vipw: setfscreatecon () failed: Permission denied
  vipw: /etc/passwd is unchanged
  root@b55e77ab9ef4:/# id -Z
  system_u:system_r:svirt_lxc_net_t:s0:c14,c127

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libselinux/+bug/1424795/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
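The rule the bug description relies on (a selinuxfs that the container can see but cannot write to means "SELinux is not available in here") is small enough to reproduce directly. The following is an added example written for this page; it is not code from the bug report, from Ben Webb's posts, or from libselinux itself. It applies the read-only test two ways: a live probe with statfs()/statvfs() on the usual mount points /sys/fs/selinux and /selinux (assumed locations, not values from this thread), and a /proc/mounts scanner run on constructed sample text resembling a Docker container on an SELinux host. SELINUX_MAGIC is the selinuxfs filesystem type from the kernel's <linux/magic.h>.

```c
/*
 * Added example, not from the bug report or from libselinux: decide whether a
 * process inside a container should treat SELinux as enabled. A selinuxfs that
 * is present but mounted read-only (as under Docker's read-only /sys) is
 * classified as "not usable", so tools such as useradd would not try to set
 * file contexts. Linux-only: relies on statfs() f_type and ST_RDONLY.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/statfs.h>
#include <sys/statvfs.h>

/* Filesystem magic of selinuxfs, as defined in <linux/magic.h>. */
#define SELINUX_MAGIC 0xf97cff8cU

enum selinux_state {
	SELINUX_ABSENT = 0,   /* no selinuxfs: kernel without SELinux, or not mounted */
	SELINUX_READONLY = 1, /* selinuxfs present but read-only: treat as disabled */
	SELINUX_USABLE = 2    /* writable selinuxfs: contexts can be set */
};

/* Pure decision on what statfs()/statvfs() reported for one mount point. */
int classify_mount(uint32_t f_type, unsigned long f_flag)
{
	if (f_type != SELINUX_MAGIC)
		return SELINUX_ABSENT;
	return (f_flag & ST_RDONLY) ? SELINUX_READONLY : SELINUX_USABLE;
}

/* Live probe of one path; any error (e.g. ENOENT) counts as "absent". */
int probe_selinuxfs(const char *mnt)
{
	struct statfs sf;
	struct statvfs vf;

	if (statfs(mnt, &sf) != 0 || statvfs(mnt, &vf) != 0)
		return SELINUX_ABSENT;
	return classify_mount((uint32_t)sf.f_type, vf.f_flag);
}

/*
 * Scan /proc/mounts-style text for a selinuxfs entry. Each line is
 * "<source> <mountpoint> <fstype> <options> <dump> <pass>" and the options
 * field begins with "rw" or "ro". Copies the mount point into mnt_out.
 */
int classify_proc_mounts(const char *mounts, char *mnt_out, size_t mnt_len)
{
	const char *line = mounts;

	if (mnt_len)
		mnt_out[0] = '\0';
	while (*line) {
		char buf[512], src[128], mnt[128], fstype[64], opts[256];
		const char *nl = strchr(line, '\n');
		size_t len = nl ? (size_t)(nl - line) : strlen(line);

		if (len >= sizeof buf)
			len = sizeof buf - 1;
		memcpy(buf, line, len);
		buf[len] = '\0';
		if (sscanf(buf, "%127s %127s %63s %255s", src, mnt, fstype, opts) == 4
		    && strcmp(fstype, "selinuxfs") == 0) {
			/* first comma-separated option is the access mode */
			int ro = strncmp(opts, "ro", 2) == 0
			         && (opts[2] == ',' || opts[2] == '\0');
			snprintf(mnt_out, mnt_len, "%s", mnt);
			return ro ? SELINUX_READONLY : SELINUX_USABLE;
		}
		if (!nl)
			break;
		line = nl + 1;
	}
	return SELINUX_ABSENT;
}

/* Constructed sample: a Docker container on an SELinux host (read-only /sys). */
const char *SAMPLE_CONTAINER_MOUNTS =
	"proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
	"sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n"
	"selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n";

/* Constructed sample: the host itself, where selinuxfs is writable. */
const char *SAMPLE_HOST_MOUNTS =
	"proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
	"sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
	"selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";

int main(void)
{
	static const char *names[] = { "absent", "read-only (treat as disabled)", "usable" };
	char mnt[128];
	int st;

	st = classify_proc_mounts(SAMPLE_CONTAINER_MOUNTS, mnt, sizeof mnt);
	printf("container sample: selinuxfs at %s -> %s\n", mnt, names[st]);
	st = classify_proc_mounts(SAMPLE_HOST_MOUNTS, mnt, sizeof mnt);
	printf("host sample:      selinuxfs at %s -> %s\n", mnt, names[st]);

	/* Live check of this machine: modern mount point first, then the legacy one. */
	st = probe_selinuxfs("/sys/fs/selinux");
	if (st == SELINUX_ABSENT)
		st = probe_selinuxfs("/selinux");
	printf("this system:      %s\n", names[st]);
	return 0;
}
```

Run inside a Precise container on an SELinux host and the live probe reports "read-only"; that is exactly the situation the old 2.1.0 libselinux misjudges as enabled, which is why setfscreatecon() is attempted and fails with EACCES in the "Actual results" above.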


[Touch-packages] [Bug 1424795] Re: Old libselinux in Precise breaks things in Docker on SELinux-enabled host

2015-07-02 Thread Ben Webb
Same problem here (in my case the host is an x86_64 Fedora 22 box and
the Docker container is running Precise); note that *anything* that
tries to update SELinux context will fail due to the Docker-unaware
libselinux. This includes a simple cp -a. Since cp -a appears to be
used somewhere deep inside dh_install, this breaks package building in a
Precise Docker container. Since that's what I use my Docker containers
for, this is something of a deal breaker for me!

Looks like the specific patch mentioned above is
libselinux-2.0.94_enabled.patch from
http://vault.centos.org/6.6/centosplus/Source/SPackages/libselinux-2.0.94-5.3.0.1.el6.centos.plus.src.rpm
and something like that patch should probably work its way into the
Precise package. (I tried to build a package with the patch to test this
for myself but dh_install failed, see above ;)

My temporary workaround in the meantime was to simply replace the
Precise libselinux1 package with that from Trusty. Frankly I'm surprised
that worked but it does appear to be binary compatible. i.e. my Precise
Dockerfile includes the line

RUN wget http://mirrors.kernel.org/ubuntu/pool/main/libs/libselinux/libselinux1_2.2.2-1_amd64.deb \
    && dpkg -i libselinux1_2.2.2-1_amd64.deb \
    && rm -f libselinux1_2.2.2-1_amd64.deb
