daemon: relabel config files. #34732

Merged
merged 1 commit into from Sep 19, 2017

@vizv
Contributor

vizv commented Sep 5, 2017

- What I did

Similar to #32529, without relabelling these files, SELinux-enabled containers will show
"permission denied" errors for configuration files mounted with
`docker service create ... --config ... ...`.

- How I did it

Relabel the config files when they are created.

They may be relabelled just before they are mounted, but I follow the same logic as #32529 did.
I may also relabel the directory when the config directory gets set up; however, only config files in the directory are mounted into the containers, thus relabelling the directory is not necessary. Moreover, other files may (?) be added to the config directory in the future. So that's why I chose this implementation.

- How to verify it

I compiled the CentOS 7 version of the rpm for docker-17.07.1-ce, and installed it on my server.
The "permission denied" issue is gone, and there are no more AVCs in audit.log.

- Description for the changelog

Relabel config files.

Signed-off-by: Wenxuan Zhao <viz@linux.com>

Relabel config files.
Without relabelling these files, SELinux-enabled containers will show
"permission denied" errors for configuration files mounted with
`docker server create ... --config ... ...`.

Signed-off-by: Wenxuan Zhao <viz@linux.com>
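To make the mechanism behind this PR concrete, here is a small Go model of the relabelling step and of the SELinux rule that produces the "permission denied" errors. It is an example added to this page, not code from moby, from opencontainers/selinux or from the PR author. Everything in it is assumed for illustration: the label strings and categories, the config file path, the `readableTypes` map standing in for the policy's type-enforcement allow rules, and the injected `setLabel` function that replaces the real `security.selinux` xattr write; `ParseContext`, `FileLabel`, `RelabelConfigs` and `CanAccess` are names chosen here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Context is a parsed SELinux label user:role:type:level, with the MCS
// categories of the level (e.g. "s0:c123,c456") expanded into Cats.
type Context struct {
	User, Role, Type, Level string
	Cats                    map[int]bool
}

// ParseContext splits at most four ways, because the level itself contains ':'
// when categories are present. Category ranges ("c0.c1023") are not handled.
func ParseContext(label string) (Context, error) {
	p := strings.SplitN(label, ":", 4)
	if len(p) != 4 {
		return Context{}, fmt.Errorf("malformed SELinux label %q", label)
	}
	c := Context{User: p[0], Role: p[1], Type: p[2], Level: p[3], Cats: map[int]bool{}}
	if _, list, has := strings.Cut(c.Level, ":"); has {
		for _, item := range strings.Split(list, ",") {
			n, err := strconv.Atoi(strings.TrimPrefix(item, "c"))
			if err != nil || !strings.HasPrefix(item, "c") {
				return Context{}, fmt.Errorf("bad MCS category %q in %q", item, label)
			}
			c.Cats[n] = true
		}
	}
	return c, nil
}

// FileLabel derives the label a config file needs from the container's MountLabel.
// Private (shared=false) keeps the container's categories; shared drops them to "s0".
func FileLabel(mountLabel string, shared bool) (string, error) {
	c, err := ParseContext(mountLabel)
	if err != nil {
		return "", err
	}
	if shared {
		c.Level = "s0"
	}
	return strings.Join([]string{c.User, c.Role, c.Type, c.Level}, ":"), nil
}

// RelabelConfigs labels each freshly written config file. setLabel is injected:
// in production it would write the security.selinux xattr (what chcon does).
func RelabelConfigs(paths []string, mountLabel string, shared bool, setLabel func(path, label string) error) error {
	label, err := FileLabel(mountLabel, shared)
	if err != nil {
		return err
	}
	for _, p := range paths {
		if err := setLabel(p, label); err != nil {
			return fmt.Errorf("relabel %s: %w", p, err)
		}
	}
	return nil
}

// readableTypes is an illustrative stand-in for the policy's allow rules, not the real policy.
var readableTypes = map[string]bool{"container_file_t": true}

// CanAccess models the denial: the file's type must be readable by the container
// domain and the file's categories must be a subset of the process's categories.
func CanAccess(processLabel, fileLabel string) (bool, error) {
	p, err := ParseContext(processLabel)
	if err != nil {
		return false, err
	}
	f, err := ParseContext(fileLabel)
	if err != nil {
		return false, err
	}
	if !readableTypes[f.Type] {
		return false, nil // denied by type enforcement before MCS is consulted
	}
	for cat := range f.Cats {
		if !p.Cats[cat] {
			return false, nil // denied by MCS: file carries another container's categories
		}
	}
	return true, nil
}

func main() {
	// Constructed scenario: a task runs as container_t:s0:c123,c456; its config
	// file (placeholder path) was written with the data directory's default type.
	task := "system_u:system_r:container_t:s0:c123,c456"
	path := "/var/lib/docker/CONTAINER_ID/configs/app.conf"
	labels := map[string]string{path: "system_u:object_r:container_var_lib_t:s0"}
	before, _ := CanAccess(task, labels[path])
	err := RelabelConfigs([]string{path}, "system_u:object_r:container_file_t:s0:c123,c456", false,
		func(p, l string) error { labels[p] = l; return nil }) // fake setter
	after, _ := CanAccess(task, labels[path])
	fmt.Println("readable before:", before, "after:", after, labels[path], err)
}
```

The `shared` switch follows the same idea as the shared flag of the `label.Relabel` helper: a private label keeps the container's MCS categories so only that task can read the file, while a shared label drops them so any container domain can. `CanAccess` shows the two ways a read is refused: the wrong type, as for a file left with the data directory's default label, and another container's categories. Running the block reports the constructed file as unreadable before the relabel and readable after it.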
@allencloud
Contributor

allencloud commented Sep 12, 2017

ping @cpuguy83 @runcom

@thaJeztah

LGTM, thanks!

ping @aaronlehmann as well

@yongtang

LGTM

@yongtang yongtang merged commit 1bb55e6 into moby:master Sep 19, 2017

6 checks passed

dco-signed All commits are signed
experimental Jenkins build Docker-PRs-experimental 36657 has succeeded
janky Jenkins build Docker-PRs 45288 has succeeded
powerpc Jenkins build Docker-PRs-powerpc 5687 has succeeded
windowsRS1 Jenkins build Docker-PRs-WoW-RS1 17105 has succeeded
z Jenkins build Docker-PRs-s390x 5473 has succeeded
@allencloud
Contributor

allencloud commented Sep 20, 2017

Thank @vizv for your contribution. 🍻

@vizv vizv deleted the vizv:fix-relabel-config-files branch Sep 20, 2017

@vizv
Contributor

vizv commented Sep 20, 2017

@allencloud Cheers. 🍻

@vieux
Collaborator

vieux commented Oct 11, 2017

@vizv is there any way we could add a test here? /cc @allencloud @yongtang

@vizv
Contributor

vizv commented Oct 11, 2017

@vieux I don't know how. I can write a shell script and set up a test case for testing (to prove the change works correctly); however, I don't know how to write the test in Go.

BTW, could someone check docker/libnetwork#1963? I'm not sure if this is a correct fix, but the issue has existed for a long time, and many users have experienced it.
