
add selinux policy for centos-7 on 1.12.x branch #29188

Merged
merged 3 commits into from
Dec 7, 2016

Conversation

andrewhsu
Member

@andrewhsu andrewhsu commented Dec 6, 2016

- What I did

Cherry picked commits from the PR #29081 which was originally applied to master and merged to 1.13.x branch. Had to resolve conflicts in commit bfe5cab.

- How I did it

$ git cherry-pick e0852be # add selinux policy for centos-7
$ git cherry-pick 09e68fd # add extra docker.te lines from rhel7.3 docker.spec
$ git cherry-pick bfe5cab # get rhel7.3 selinux-policy-devel pkg for centos-7

- How to verify it

Same way to verify PR #29081.

- Description for the changelog

Update selinux policy for distros based on RHEL7.3.

- A picture of a cute animal (not mandatory but encouraged)

(emoji)

This policy is from commit
lsm5/container-selinux@583a67f

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Resolved conflict of bringing in this patch originally committed
to the 1.13.x branch. For this patch applied to the 1.12.x branch,
did not keep the photon case statement in generate.sh and did not
update to golang 1.7 in the centos-7/Dockerfile.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
@cpuguy83
Member

cpuguy83 commented Dec 6, 2016

Ok, this one really isn't working :(

Using devmapper, selinux enabled.
Getting eperm starting any container.

[root@localhost centos-7]# rpm -qa | grep docker
docker-engine-1.12.3-0.0.20161202.223924.git97b6626.el7.centos.x86_64
docker-engine-selinux-1.12.3-0.0.20161202.223924.git97b6626.el7.centos.noarch
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 1.12.3
Storage Driver: devicemapper
 Pool Name: docker-253:0-202507361-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 164.8 MB
 Data Space Total: 107.4 GB
 Data Space Available: 38.97 GB
 Metadata Space Used: 643.1 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null host bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-327.36.3.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 489 MiB
Name: localhost.localdomain
ID: REMP:63QW:5F5W:XFXM:IJQV:IHEO:AY5N:E2EH:PO6C:2VSX:Z2OJ:5Z7D
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8
Client:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   97b6626
 Built:        Tue Dec  6 19:57:55 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   97b6626
 Built:        Tue Dec  6 19:57:55 2016
 OS/Arch:      linux/amd64
[root@localhost centos-7]# cat /etc/docker/daemon.json
{
	"selinux-enabled": true,
	"storage-driver": "devicemapper"
}

@andrewhsu
Member Author

Hmm...I'll have a look.

/cc @crosbymichael @runcom

@runcom
Member

runcom commented Dec 6, 2016

if this is just for centos, can't you just Requires: docker-selinux?

@runcom
Member

runcom commented Dec 6, 2016

@andrewhsu are you sure you're using the correct branch of container-selinux? 1.12 should work with this branch https://github.com/projectatomic/container-selinux/tree/RHEL-1.12

@andrewhsu
Member Author

@runcom This PR is using the policy files from lsm5/container-selinux@583a67f which is what's used to build the latest docker-selinux docker-selinux-1.10.3-57.el7 rpm for RHEL7.3 based on the spec file for that package.

Don't know why the lsm5 repo was used instead of projectatomic.

In any case, the diff between that lsm5 commit and the latest from branch RHEL-1.12 on projectatomic seems a bit different: lsm5/container-selinux@583a67f...projectatomic:RHEL-1.12

I may now have to seriously consider the route of Requires: docker-selinux at this point...still waiting for my RPM to finish building to test a few things.

@andrewhsu
Member Author

Abandoning this approach in favor of PR #29194 which will simply require docker-selinux in the RPM package deps.

@andrewhsu andrewhsu closed this Dec 6, 2016
@andrewhsu
Member Author

I've gone back to this to see if it can build and I was able to get it working (turns out I needed to clear out my bundles dir first).

On a RHEL7.3 instance of EC2 and selinux enabled in the /etc/docker/daemon.json file, I can see selinux labels applied properly (see svirt_sandbox_file_t label is set):

$ sudo docker run ubuntu ls -alZ /home
total 0
drwxr-xr-x.  2 root root system_u:object_r:svirt_sandbox_file_t:s0:c788,c895   6 Apr 12  2016 .
drwxr-xr-x. 21 root root system_u:object_r:svirt_sandbox_file_t:s0:c788,c895 242 Dec  7 01:18 ..

Whereas with selinux disabled (see unlabeled_t):

$ sudo docker run ubuntu ls -alZ /home
total 4
drwxr-xr-x.  2 root root system_u:object_r:unlabeled_t:s0    6 Apr 12  2016 .
drwxr-xr-x. 21 root root system_u:object_r:unlabeled_t:s0 4096 Dec  7 01:22 ..

Which is all good and happening, but CentOS7.2 does not work with selinux enabled. The process bonks out when exited and goes defunct. With selinux disabled on CentOS7.2 stuff works.
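The label check done by hand in the comment above, as an added shell example that is not from this PR or the Docker project: it parses `ls -alZ` output (the two samples are constructed copies of the runs shown) and reports whether every entry carries the svirt_sandbox_file_t type with one shared two-category MCS level, which is what separates the working RHEL7.3 run from the SELinux-disabled one.

```shell
# Constructed samples: the two `docker run ubuntu ls -alZ /home` runs from the comment.
SELINUX_ON_SAMPLE='total 0
drwxr-xr-x.  2 root root system_u:object_r:svirt_sandbox_file_t:s0:c788,c895   6 Apr 12  2016 .
drwxr-xr-x. 21 root root system_u:object_r:svirt_sandbox_file_t:s0:c788,c895 242 Dec  7 01:18 ..'

SELINUX_OFF_SAMPLE='total 4
drwxr-xr-x.  2 root root system_u:object_r:unlabeled_t:s0    6 Apr 12  2016 .
drwxr-xr-x. 21 root root system_u:object_r:unlabeled_t:s0 4096 Dec  7 01:22 ..'

# check_container_labels <ls -alZ output>
# Prints "labeled <level>" and returns 0 when every entry has the
# svirt_sandbox_file_t type and a two-category MCS level (s0:cNNN,cNNN)
# that all entries share; otherwise prints the first problem and returns 1.
check_container_labels() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $1 == "total" { next }          # skip the "total N" header
        {
            n = split($5, f, ":")                  # user:role:type:level[:categories]
            type = f[3]
            mcs = (n >= 5) ? (f[4] ":" f[5]) : f[4]
            if (type != "svirt_sandbox_file_t") { bad = 1; reason = "type " type }
            else if (mcs !~ /^s0:c[0-9]+,c[0-9]+$/) { bad = 1; reason = "level " mcs }
            else if (seen == "") seen = mcs
            else if (seen != mcs) { bad = 1; reason = "mixed levels" }
        }
        END {
            if (bad) { print "unlabeled: " reason; exit 1 }
            print "labeled " seen
        }'
}

check_container_labels "$SELINUX_ON_SAMPLE"
check_container_labels "$SELINUX_OFF_SAMPLE" || echo "SELinux container labeling not active"
```

On a live host, feed it `docker run <image> ls -alZ /home` output instead of the samples; a container whose files come back unlabeled_t is running without the policy this PR packages.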

@andrewhsu
Member Author

Lesser of two weevils.

@andrewhsu andrewhsu reopened this Dec 7, 2016
@vieux
Contributor

vieux commented Dec 7, 2016

Let's build RC1 with this patch.
