Old libselinux in Precise breaks things in Docker on SELinux-enabled host
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libselinux (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
In a Docker container running on an SELinux capable kernel, the fact that /sys is mounted RO is supposed to signal to the container that SELinux is not supported on the inside, so it doesn't try to do things that won't work. The version of libselinux in Ubuntu 12.04 is too old to have the above check, breaking basic functionality like shadow-utils.
RHEL 6 had the same problem; their fix was to update libselinux: https:/
Previously reported downstream: https:/
Release: Ubuntu 12.04.5 LTS
Installed package version: 2.1.0-4.1ubuntu1
Expected results:
# useradd test
<success>
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
Actual results:
root@b55e77ab9e
useradd: failure while writing changes to /etc/passwd
root@b55e77ab9e
vipw: setfscreatecon () failed: Permission denied
vipw: /etc/passwd is unchanged
root@b55e77ab9e
system_
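The check the report refers to (selinuxfs present but mounted read-only means "do not attempt SELinux operations in here") can be reproduced in a few lines. The program below is an added illustration written for this page, not libselinux's own code: it parses a `/proc/self/mounts`-style listing and, separately, queries a mount point with `statfs`/`statvfs`. The mount listings are constructed samples, the `/sys/fs/selinux` path and the `SELINUX_MAGIC` value are assumptions about a Linux host, and the exact logic newer libselinux uses may differ in detail.

```c
#include <stdio.h>
#include <string.h>
#include <sys/statfs.h>
#include <sys/statvfs.h>

#ifndef SELINUX_MAGIC
#define SELINUX_MAGIC 0xf97cff8c   /* selinuxfs f_type, assumed from linux/magic.h */
#endif

/* Constructed sample: what a container on an SELinux host sees.
 * selinuxfs is visible, but read-only, so SELinux must be treated as unsupported. */
const char *MOUNTS_CONTAINER =
    "overlay / overlay rw,relatime 0 0\n"
    "sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n";

/* Constructed sample: the host itself, selinuxfs mounted read-write. */
const char *MOUNTS_HOST =
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";

/* Constructed sample: no SELinux at all. */
const char *MOUNTS_NOSELINUX =
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n";

/* Does a comma-separated mount option string contain the bare option "ro"? */
static int has_ro_option(const char *opts)
{
    const char *p = opts;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && strncmp(p, "ro", 2) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Returns 1 if the listing shows selinuxfs mounted read-write, 0 if it is
 * absent or read-only (the container case from the bug description). */
int selinuxfs_writable_from_mounts(const char *mounts)
{
    const char *line = mounts;
    while (line && *line) {
        char buf[1024], dev[256], mnt[256], type[64], opts[256];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* /proc/self/mounts fields: device mountpoint fstype options freq passno */
        if (sscanf(buf, "%255s %255s %63s %255s", dev, mnt, type, opts) == 4 &&
            strcmp(type, "selinuxfs") == 0)
            return has_ro_option(opts) ? 0 : 1;
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* Live check on a mount point: it must exist, carry the selinuxfs magic,
 * and not be flagged read-only. Any failure means "do not use SELinux here". */
int selinuxfs_usable(const char *path)
{
    struct statfs sfs;
    struct statvfs svfs;
    if (statfs(path, &sfs) != 0 || (unsigned int)sfs.f_type != SELINUX_MAGIC)
        return 0;
    if (statvfs(path, &svfs) != 0 || (svfs.f_flag & ST_RDONLY))
        return 0;
    return 1;
}

int main(void)
{
    char buf[65536];
    FILE *f = fopen("/proc/self/mounts", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    buf[n] = '\0';
    printf("selinuxfs read-write per /proc/self/mounts: %d\n",
           selinuxfs_writable_from_mounts(buf));
    printf("selinuxfs usable via statfs/statvfs:        %d\n",
           selinuxfs_usable("/sys/fs/selinux"));
    return 0;
}
```

Run inside a Precise container on an SELinux host and both lines print 0, which is the answer the old libselinux never asked for before calling `setfscreatecon()`; on the host itself both print 1.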
Same problem here (in my case the host is an x86_64 Fedora 22 box and the Docker container is running Precise); note that *anything* that tries to update SELinux context will fail due to the Docker-unaware libselinux. This includes a simple "cp -a". Since "cp -a" appears to be used somewhere deep inside dh_install, this breaks package building in a Precise Docker container. Since that's what I use my Docker containers for, this is something of a deal breaker for me!
Looks like the specific patch mentioned above is libselinux-2.0.94_enabled.patch from http://vault.centos.org/6.6/centosplus/Source/SPackages/libselinux-2.0.94-5.3.0.1.el6.centos.plus.src.rpm and something like that patch should probably work its way into the Precise package. (I tried to build a package with the patch to test this for myself but dh_install failed, see above ;)
My temporary workaround in the meantime was to simply replace the Precise libselinux1 package with that from Trusty. Frankly I'm surprised that worked but it does appear to be binary compatible. i.e. my Precise Dockerfile includes the line
RUN wget http://mirrors.kernel.org/ubuntu/pool/main/libs/libselinux/libselinux1_2.2.2-1_amd64.deb && dpkg -i libselinux1_2.2.2-1_amd64.deb && rm -f libselinux1_2.2.2-1_amd64.deb