Wrong SELinux label for devmapper device

[atomic111]

Output of docker version:

Client:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64

Output of docker info:

Client:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64
[root@localhost log]# docker info
Containers: 7
 Running: 1
 Paused: 0
 Stopped: 6
Images: 3
Server Version: 1.11.1
Storage Driver: devicemapper
 Pool Name: docker-8:17-212993-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 217.8 MB
 Data Space Total: 107.4 GB
 Data Space Available: 4.92 GB
 Metadata Space Used: 1.237 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.146 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2015-12-01)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge null host
 Authorization: authz-broker
Kernel Version: 3.10.0-327.13.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 489 MiB
Name: localhost.localdomain
ID: TB3A:TMRR:CTKX:WELN:ARBF:NHOC:R5GI:QOWE:KGQK:VRI5:UG2H:UQLE
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): true
 File Descriptors: 21
 Goroutines: 51
 System Time: 2016-05-19T09:45:45.515288873-04:00
 EventsListeners: 0
Registry: https://index.docker.io/v1/

Additional environment details:

• VirtualBox/ vagrant
• Centos7 (https://github.com/holms/vagrant-centos7-box/releases/download/7.1.1503.001/CentOS-7.1.1503-x86_64-netboot.box)
• docker installation with curl -fsSL https://get.docker.com/ | sh
• daemon.json {"hosts":["tcp://0.0.0.0:2376","fd://"],"debug": true,"selinux-enabled": true,"disable-legacy-registry": true,"authorization-plugins": ["authz-broker"],"storage-opts": ["dm.basesize=10G"],"cgroup-parent": "docker","iptables": true,"icc":false,"insecure-registries": [],"storage-driver": "devicemapper","tls": true,"tlsverify": true,"tlscacert": "/etc/docker/ssl/ca.pem","tlscert": "/etc/docker/ssl/server_cert.pem","tlskey": "/etc/docker/ssl/server_key.pem","log-level":"info"}

Steps to reproduce the issue:

1. docker run -it --security-opt label=level:TopSecret ubuntu bash

Describe the results you received:
docker: Error response from daemon: devmapper: Error mounting '/dev/mapper/docker-8:17-212993-cbf82ed4025fe886a1d2347694826cb51e36c104e35905d137e06b6877cb71dd' on '/var/lib/docker/devicemapper/mnt/cbf82ed4025fe886a1d2347694826cb51e36c104e35905d137e06b6877cb71dd': invalid argument.

Describe the results you expected:

Docker container is running with the appropriate selinux label.

Additional information you deem important:

/var/log/messages output:

May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.270455114-04:00" level=debug msg="AuthZ request using plugin authz-broker"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.270487874-04:00" level=debug msg="authz-broker implements: authz"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.272761207-04:00" level=debug msg="Calling POST /v1.23/containers/create"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.272972987-04:00" level=debug msg="form data: {\"AttachStderr\":true,\"AttachStdin\":true,\"AttachStdout\":true,\"Cmd\":[\"bash\"],\"Domainname\":\"\",\"Entrypoint\":null,\"Env\":[],\"HostConfig\":{\"AutoRemove\":false,\"Binds\":null,\"BlkioBps\":0,\"BlkioDeviceReadBps\":null,\"BlkioDeviceReadIOps\":null,\"BlkioDeviceWriteBps\":null,\"BlkioDeviceWriteIOps\":null,\"BlkioIOps\":0,\"BlkioWeight\":0,\"BlkioWeightDevice\":null,\"CapAdd\":null,\"CapDrop\":null,\"Cgroup\":\"\",\"CgroupParent\":\"\",\"ConsoleSize\":[0,0],\"ContainerIDFile\":\"\",\"CpuCount\":0,\"CpuPercent\":0,\"CpuPeriod\":0,\"CpuQuota\":0,\"CpuShares\":0,\"CpusetCpus\":\"\",\"CpusetMems\":\"\",\"Devices\":[],\"DiskQuota\":0,\"Dns\":[],\"DnsOptions\":[],\"DnsSearch\":[],\"ExtraHosts\":null,\"GroupAdd\":null,\"IpcMode\":\"\",\"Isolation\":\"\",\"KernelMemory\":0,\"Links\":null,\"LogConfig\":{\"Config\":{},\"Type\":\"\"},\"Memory\":0,\"MemoryReservation\":0,\"MemorySwap\":0,\"MemorySwappiness\":-1,\"NetworkMode\":\"default\",\"OomKillDisable\":false,\"OomScoreAdj\":0,\"PidMode\":\"\",\"PidsLimit\":0,\"PortBindings\":{},\"Privileged\":false,\"PublishAllPorts\":false,\"ReadonlyRootfs\":false,\"RestartPolicy\":{\"MaximumRetryCount\":0,\"Name\":\"no\"},\"SandboxSize\":0,\"SecurityOpt\":[\"label=level:TopSecret\"],\"ShmSize\":0,\"StorageOpt\":null,\"UTSMode\":\"\",\"Ulimits\":null,\"UsernsMode\":\"\",\"VolumeDriver\":\"\",\"VolumesFrom\":null},\"Hostname\":\"\",\"Image\":\"ubuntu\",\"Labels\":{},\"NetworkingConfig\":{\"EndpointsConfig\":{}},\"OnBuild\":null,\"OpenStdin\":true,\"StdinOnce\":true,\"Tty\":true,\"User\":\"\",\"Volumes\":{},\"WorkingDir\":\"\"}"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.274297036-04:00" level=debug msg="devmapper: AddDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init basehash=6ca08b8dbfb8456598f3a8ef63b12f205ded67df4d7b41d4b220bd281f38da68)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.296200369-04:00" level=debug msg="devmapper: registerDevice(61, 1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.312993331-04:00" level=debug msg="devmapper: AddDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init basehash=6ca08b8dbfb8456598f3a8ef63b12f205ded67df4d7b41d4b220bd281f38da68) END"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.313136319-04:00" level=debug msg="devmapper: activateDeviceIfNeeded(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost systemd: Device dev-disk-by\x2duuid-c468921e\x2dc85e\x2d4de4\x2da273\x2d65a9f6a9ff19.device appeared twice with different sysfs paths /sys/devices/virtual/block/loop0 and /sys/devices/virtual/block/dm-6
May 19 09:52:02 localhost kernel: XFS (dm-6): Mounting V4 Filesystem
May 19 09:52:02 localhost kernel: XFS (dm-6): Ending clean mount
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.367149251-04:00" level=debug msg="devmapper: UnmountDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.367186768-04:00" level=debug msg="devmapper: Unmount(/var/lib/docker/devicemapper/mnt/1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost kernel: XFS (dm-6): Unmounting Filesystem
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.386224091-04:00" level=debug msg="devmapper: Unmount done"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.386269765-04:00" level=debug msg="devmapper: deactivateDevice(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.386337895-04:00" level=debug msg="devmapper: removeDevice START(docker-8:17-212993-1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.392216397-04:00" level=debug msg="devmapper: removeDevice END(docker-8:17-212993-1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.392253435-04:00" level=debug msg="devmapper: deactivateDevice END(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.392269840-04:00" level=debug msg="devmapper: UnmountDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init) END"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.392283025-04:00" level=debug msg="devmapper: AddDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9 basehash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.413239051-04:00" level=debug msg="devmapper: registerDevice(62, 1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.430409206-04:00" level=debug msg="devmapper: AddDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9 basehash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init) END"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.431072958-04:00" level=debug msg="devmapper: activateDeviceIfNeeded(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9)"
May 19 09:52:02 localhost systemd: Device dev-disk-by\x2duuid-c468921e\x2dc85e\x2d4de4\x2da273\x2d65a9f6a9ff19.device appeared twice with different sysfs paths /sys/devices/virtual/block/loop0 and /sys/devices/virtual/block/dm-6
May 19 09:52:02 localhost kernel: XFS (dm-6): Mounting V4 Filesystem
May 19 09:52:02 localhost kernel: XFS (dm-6): Ending clean mount
May 19 09:52:02 localhost kernel: SELinux: security_context_to_sid(system_u:object_r:svirt_sandbox_file_t:TopSecret) failed for (dev dm-6, type xfs) errno=-22
May 19 09:52:02 localhost kernel: XFS (dm-6): Unmounting Filesystem
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.467641944-04:00" level=debug msg="devmapper: DeleteDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9 syncDelete=false) START"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.467678727-04:00" level=debug msg="devmapper: issueDiscard(device: 1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9). START"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.467692834-04:00" level=debug msg="devmapper: activateDeviceIfNeeded(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.550334006-04:00" level=debug msg="devmapper: Error discarding block on device: input/output error (ignoring)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.550371424-04:00" level=debug msg="devmapper: issueDiscard(device: 1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9). END"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.550383571-04:00" level=debug msg="devmapper: deactivateDevice(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.550468058-04:00" level=debug msg="devmapper: removeDevice START(docker-8:17-212993-1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.559451609-04:00" level=debug msg="devmapper: removeDevice END(docker-8:17-212993-1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.559502932-04:00" level=debug msg="devmapper: deactivateDevice END(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9)"
May 19 09:52:02 localhost systemd-udevd: inotify_add_watch(7, /dev/dm-6, 10) failed: No such file or directory
May 19 09:52:02 localhost systemd-udevd: error: /dev/dm-6: No such file or directory
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.571266626-04:00" level=debug msg="devmapper: unregisterDevice(62, 1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.572858586-04:00" level=debug msg="devmapper: DeleteDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9 syncDelete=false) END"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.572942119-04:00" level=debug msg="devmapper: DeleteDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init syncDelete=false) START"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.572958884-04:00" level=debug msg="devmapper: issueDiscard(device: 1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init). START"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.572970879-04:00" level=debug msg="devmapper: activateDeviceIfNeeded(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost systemd: Device dev-disk-by\x2duuid-c468921e\x2dc85e\x2d4de4\x2da273\x2d65a9f6a9ff19.device appeared twice with different sysfs paths /sys/devices/virtual/block/loop0 and /sys/devices/virtual/block/dm-6
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.672418430-04:00" level=debug msg="devmapper: Error discarding block on device: input/output error (ignoring)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.672457274-04:00" level=debug msg="devmapper: issueDiscard(device: 1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init). END"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.672470796-04:00" level=debug msg="devmapper: deactivateDevice(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.672547083-04:00" level=debug msg="devmapper: removeDevice START(docker-8:17-212993-1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.681798254-04:00" level=debug msg="devmapper: removeDevice END(docker-8:17-212993-1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.681838110-04:00" level=debug msg="devmapper: deactivateDevice END(1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost systemd-udevd: inotify_add_watch(7, /dev/dm-6, 10) failed: No such file or directory
May 19 09:52:02 localhost systemd-udevd: error: /dev/dm-6: No such file or directory
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.693615535-04:00" level=debug msg="devmapper: unregisterDevice(61, 1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init)"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.695166252-04:00" level=debug msg="devmapper: DeleteDevice(hash=1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9-init syncDelete=false) END"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.695392009-04:00" level=error msg="Handler for POST /v1.23/containers/create returned error: devmapper: Error mounting '/dev/mapper/docker-8:17-212993-1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9' on '/var/lib/docker/devicemapper/mnt/1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9': invalid argument"
May 19 09:52:02 localhost docker: time="2016-05-19T09:52:02.695414040-04:00" level=error msg="Handler for POST /v1.23/containers/create returned error: devmapper: Error mounting '/dev/mapper/docker-8:17-212993-1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9' on '/var/lib/docker/devicemapper/mnt/1df8d9e516efd6869289f11bf55f023e4bfa174eda06c45de99becdfabab21f9': invalid argument"

The think the important line is May 19 09:52:02 localhost kernel: SELinux: security_context_to_sid(system_u:object_r:svirt_sandbox_file_t:TopSecret) failed for (dev dm-6, type xfs) errno=-22.

If i start the container with docker run -it --security-opt label=level:s0 ubuntu bash the selinux label for device look like this: brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-6.

It looks like the selinux label is not taken and it create devmapper device with the wrong selinux label.

[runcom]

ping @rhatdan

[rhatdan]

SELinux is broken in docker-1.11. Basic problem is in runc implementation. We are working on fixing this in docker-1.12. We will not be shipping docker-1.11 in Fedora or RHEL because of these breakage. Hopefully this will be fixed in docker-1.12.

Not sure mcs translations would work correctly. So docker is not smart enough to translate TopSecret into the appropriate MLS Label.

[thaJeztah]

@rhatdan is there an issue tracking this in the RunC issue tracker?

[rhatdan]

@thaJeztah runc has been fixed. There was no mount-label being passed to RunC, so it was not labeling tmpfs correctly.

[rhatdan]

opencontainers/runc#778

[thaJeztah]

@rhatdan that one is for libcontainer, so probably it should be this one; https://github.com/docker/docker/pull/22318/files, which is in docker 1.11.1. Do you perhaps have more information about what's broken (I hadn't heard of this issue)

[thaJeztah]

Actually, I just tried this on a Red Hat version of docker 1.9.1 on CentOS 7.2, and it looks like it gives the same issue;

docker run --security-opt label:level:TopSecret -dit ubuntu
Error response from daemon: Error getting container 182864e017500a137853254534a6a2775f274d0fe87e422e98cfd4980fc70163 from driver devicemapper: Error mounting '/dev/mapper/docker-253:1-392365-182864e017500a137853254534a6a2775f274d0fe87e422e98cfd4980fc70163' on '/var/lib/docker/devicemapper/mnt/182864e017500a137853254534a6a2775f274d0fe87e422e98cfd4980fc70163': invalid argument

Client:
 Version:         1.9.1
 API version:     1.21
 Package version: docker-common-1.9.1-40.el7.centos.x86_64
 Go version:      go1.4.2
 Git commit:      ab77bde/1.9.1
 Built:
 OS/Arch:         linux/amd64

Server:
 Version:         1.9.1
 API version:     1.21
 Package version: docker-common-1.9.1-40.el7.centos.x86_64
 Go version:      go1.4.2
 Git commit:      ab77bde/1.9.1
 Built:
 OS/Arch:         linux/amd64

Containers: 2
Images: 5
Server Version: 1.9.1
Storage Driver: devicemapper
 Pool Name: docker-253:1-392365-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 107.4 GB
 Backing Filesystem:
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 219.9 MB
 Data Space Total: 107.4 GB
 Data Space Available: 40.78 GB
 Metadata Space Used: 905.2 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2015-12-01)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.10.0-327.18.2.el7.x86_64
Operating System: CentOS Linux 7 (Core)
CPUs: 2
Total Memory: 1.954 GiB
Name: centos-2gb-ams3-01
ID: DLQ4:PX6I:NPCU:TJQD:BP4K:GGWJ:L56I:BET7:3OSU:BR7X:UZKO:XEQW
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

So I suspect this is caused by;

Not sure mcs translations would work correctly. So docker is not smart enough to translate TopSecret into the appropriate MLS Label.

I didn't create the TopSecret label, so perhaps that's expected it that is not defined

@rhatdan can you give a quick example on how to create such a label (I was looking at https://selinuxproject.org/page/PolicyConfigurationFiles#setrans.conf_File, but perhaps you have a quick example on how to define a TopSecret label so that we can check if it's working)

[rhatdan]

docker run -ti --security-opt label:level:s0-s0:c1023 ...

Should work.

TopSecret requires a translation to something that looks like s0-s0:c1023. We did not implement the automatic translations if you are running a mcstransd daemon in the selinux golang bindings

[icecrime]

With the following setup:

• Freshly provisioned Fedora 23 node
• Docker 1.11.1 installed through curl -sSL https://get.docker.com | sh
• SELinux enabled

I can confirm the following:

• Running "trivial" containers works (e.g., docker run --rm -ti busybox true)
• The example in the original post fails indeed
• The last command that @rhatdan provided does work

So in my current understanding, is it fair to see this not as a bug but a feature request? I also don't see any behavior change from 1.10.x to 1.11.1.

[rhatdan]

I would say the tool used to launch the container via a script or the human should do the translation, unless we find enough demand in the MLS world.

[icecrime]

@atomic111 How does that sounds for you?