[1.12.x] depend on docker-selinux for centos-7.3+

[andrewhsu]

- What I did

Changed the dependency in the docker-engine RPM built for CentOS to depend on docker-selinux.

- How I did it

Added a conditional Requires in the spec file. Also refactored the hack/make/build-rpm to only build a docker-engine-selinux package if there exists a specific selinux policy directory in the contrib dir. In doing so, found that the contrib/selinux policy dir is only used by fedora-23 so renamed that policy dir.

Note: this changes the default behaviour of building RPMs from using a generic selinux policy to only using one for the specificy distro version.

- How to verify it

Build a docker-engine centos-7 RPM package and install on centos 7.3 with selinux enabled:

$ make DOCKER_BUILD_PKGS=centos-7 rpm

- Description for the changelog

Use the selinux policy provided by docker-selinux on CentOS.

- A picture of a cute animal (not mandatory but encouraged)

🐁

[andrewhsu]

Now that centos 7.3 has been released, this PR is ready for a second chance.

I've successfully built this RPM and installed it on a centos 7 AMI on EC2. Yum install history show that the package pulled in docker-selinux as a dependency:

$ sudo yum history info 1
Loaded plugins: fastestmirror
Transaction ID : 1
Begin time     : Wed Dec 14 04:33:08 2016
Begin rpmdb    : 303:d60692e8a1ae78937021ba328dcd4adecf722466
End time       :            04:33:25 2016 (17 seconds)
End rpmdb      : 307:acc941c602419b2b47bf62a96b0a5e6b95cea880
User           : Cloud User <centos>
Return-Code    : Success
Command Line   : install docker-engine-1.12.4-0.0.20161204.222219.gitf9bc320.el7.centos.x86_64.rpm
Transaction performed with:
    Installed     rpm-4.11.3-17.el7.x86_64                      installed
    Installed     yum-3.4.3-132.el7.centos.0.1.noarch           installed
    Installed     yum-plugin-fastestmirror-1.1.31-34.el7.noarch installed
Packages Altered:
    Install     docker-engine-1.12.4-0.0.20161204.222219.gitf9bc320.el7.centos.x86_64 @/docker-engine-1.12.4-0.0.20161204.222219.gitf9bc320.el7.centos.x86_64
    Dep-Install docker-selinux-1.10.3-46.el7.centos.14.x86_64                         @extras
    Dep-Install libseccomp-2.3.1-2.el7.x86_64                                         @base
    Dep-Install libtool-ltdl-2.4.2-21.el7_2.x86_64                                    @base
history info

Configured docker daemon to run with selinux by setting /etc/docker/daemon.json:

{
  "selinux-enabled": true
}

See that the svirt_sandbox_file_t label is set which means docker is doing the right thing with selinux enabled:

$ sudo docker run --rm ubuntu ls -alZ /home
total 4
drwxr-xr-x.  2 root root system_u:object_r:svirt_sandbox_file_t:s0:c407,c628    6 Apr 12  2016 .
drwxr-xr-x. 21 root root system_u:object_r:svirt_sandbox_file_t:s0:c407,c628 4096 Dec 14 04:49 ..

[andrewhsu]

/cc @vieux @thaJeztah @crosbymichael @lsm5 @cpuguy83

[vieux]

LGTM

[tiborvass]

LGTM

Without selinux:

$ docker run --rm ubuntu ls -alZ /home
total 4
drwxr-xr-x.  2 root root unconfined_u:object_r:unlabeled_t:s0    6 Apr 12  2016 .
drwxr-xr-x. 21 root root unconfined_u:object_r:unlabeled_t:s0 4096 Dec 14 06:23 ..

With selinux setting set in daemon.json:

total 4
drwxr-xr-x.  2 root root system_u:object_r:svirt_sandbox_file_t:s0:c715,c876    6 Apr 12  2016 .
drwxr-xr-x. 21 root root system_u:object_r:svirt_sandbox_file_t:s0:c715,c876 4096 Dec 14 06:24 ..