fix failure when selinux enabled in old kernel #2033
Signed-off-by: lifubang <lifubang@acmcoder.com>
Please see opencontainers/selinux#50

And I think @cyphar has pointed it out in opencontainers/selinux#49 (comment).

As PR opencontainers/selinux#50 was closed by @rhatdan, please see opencontainers/selinux#52. @cyphar PTAL

This patch doesn't make much sense to me -- old kernels will give you failures because I would prefer to just wait for opencontainers/selinux#52 to be resolved.
Oh, my god, too many things to consider.
Ok, let's wait. Thanks.
Rolling back to rc6 as rc7 shown issues while starting pod "init caused \"write /proc/self/attr/keycreate: invalid argument\"": unknown"" opencontainers/runc#2033
OK, this is what I just saw on a CentOS 7 system (with the latest CentOS 7 kernel, 3.10.0-957.12.2.el7.x86_64). This is from strace on containerd:
What AVCs are you seeing? `ausearch -m avc -ts recent`

So you are running runc directly as a service in a systemd unit file? Or are you running this under docker? Either way it should not be running as unconfined_service_t, it should be running as container_runtime_t. (Not sure if this would work either with that policy.) In Fedora we currently have
@lifubang what version of docker are you running? It might be the case that your containerd and/or runc binaries are mislabeled. To test:

Both commands should have

If this is not the case,

should fix the issue.
Signed-off-by: lifubang <lifubang@acmcoder.com>

I think #2032 fixed the problem on disabled-SELinux machines.
But on enabled-SELinux machines with some old kernels, it still fails when `selinuxLabel` is empty. So, I think we should add a `selinuxLabel` check in runc; it will be safer to run. And I will send a PR to the selinux project soon.