Rely on container-selinux for centos/fedora25/rhel by cpuguy83 · Pull Request #32437 · moby/moby

cpuguy83 · 2017-04-07T15:41:06Z

RH now provides container-selinux which provides everything we need
for docker's selinux policy. Rely on container-selinux where
available, and docker-engine-selinux when not.

This still builds the docker-engine-selinux package and presumably
makes it available, but is no longer a requirement in the
docker-engine package preferring container-selinux instead.

container-selinux is available on fedora24, however the version that
is available does not set the correct types on the dockerd binary. We
can use container-selinux and just supplement that with some of our
own policy, but for now just keep using docker-engine-selinux as is.

ping @andrewhsu @rhatdan

thaJeztah · 2017-04-10T12:15:51Z

ping @runcom as well 👍

runcom · 2017-04-10T12:17:52Z

seems fine to me, I'll spin up a F25/F26 vm and test this out.

rhatdan · 2017-04-10T15:59:04Z

👍

cpuguy83 · 2017-04-26T16:59:07Z

Ping

RH now provides `container-selinux` which provides everything we need for docker's selinux policy. Rely on `container-selinux` where available, and `docker-engine-selinux` when not. This still builds the `docker-engine-selinux` package and presumably makes it available, but is no longer a requirement in the `docker-engine` package preferring `container-selinux` instead. `container-selinux` is available on fedora24, however the version that is available does not set the correct types on the `dockerd` binary. We can use `container-selinux` and just supplement that with some of our own policy, but for now just keep using `docker-engine-selinux` as is. Signed-off-by: Brian Goff <cpuguy83@gmail.com>

vdemeester

LGTM 🐢
/cc @runcom

andrewhsu · 2017-05-10T15:25:28Z

LGTM

stuff works:

$ make KEEP_BUNDLE=1 DOCKER_BUILD_PKGS='centos-7' rpm
$ docker run --rm -it -v `pwd`:/v -w /v centos:7 yum -y install bundles/latest/build-rpm/centos-7/RPMS/x86_64/docker-engine-17.06.0-*.rpm
...
Complete!

thaJeztah · 2017-05-11T18:26:29Z

Just chatted with @runcom and he may have some time tomorrow to give it a spin, so I suggest to wait until tomorrow (thanks Antonio!)

runcom · 2017-05-12T09:01:18Z

LGTM!

thaJeztah · 2017-05-12T09:27:03Z

Thank you @runcom 👍

cpuguy83 · 2017-05-12T13:23:11Z

All green.

cognitiaclaeves · 2017-06-15T21:08:35Z

This looks like this has been built. Is the package released yet? I just hit this issue today, in Azure, with docker-ce-17.03.1.ce-1.el7.centos.x86_64.

cpuguy83 · 2017-06-15T21:10:45Z

@cognitiaclaeves It'll be in the 17.06.

cognitiaclaeves · 2017-06-15T21:23:23Z

I see it now. Is there a work around until then?

rhatdan · 2017-06-15T21:45:46Z

Container-selinux is continuously released. The latest package is in fedora-updates.

cpuguy83 · 2017-06-16T19:24:35Z

@cognitiaclaeves Hit what issue, exactly?

ericsysmin · 2017-07-05T16:31:34Z

Please be aware this affects https://docs.docker.com/engine/installation/linux/docker-ce/centos/ where "Uninstall old version" causes previous up-to-date installations to be uninstalled due to changed dependency.

GordonTheTurtle added the status/0-triage label Apr 7, 2017

cpuguy83 mentioned this pull request Apr 7, 2017

docker-engine-selinux-17.03 conflicts with container-selinux-2.10.el7 on RHEL7.3 #31651

Closed

cpuguy83 added status/2-code-review and removed status/0-triage labels Apr 8, 2017

thaJeztah requested a review from runcom April 10, 2017 12:15

GordonTheTurtle assigned tiborvass Apr 22, 2017

cpuguy83 force-pushed the container_selinux branch from 63d1077 to adb2ddf Compare May 1, 2017 15:23

cpuguy83 added the rebuild/windowsRS1 label May 1, 2017

GordonTheTurtle removed the rebuild/windowsRS1 label May 1, 2017

vdemeester approved these changes May 2, 2017

View reviewed changes

thaJeztah added this to the 17.06.0 milestone May 5, 2017

runcom approved these changes May 12, 2017

View reviewed changes

runcom added status/4-merge and removed status/2-code-review labels May 12, 2017

vdemeester added the rebuild/windowsRS1 label May 12, 2017

GordonTheTurtle removed the rebuild/windowsRS1 label May 12, 2017

thaJeztah added the impact/changelog label May 12, 2017

cpuguy83 merged commit c307f45 into moby:master May 12, 2017

cpuguy83 deleted the container_selinux branch May 17, 2017 17:46

thaJeztah mentioned this pull request Oct 2, 2017

Docker service & containers restart due to error when updating selinux-policy package #34522

Closed

euank mentioned this pull request Nov 7, 2017

Docker SELinux policy should more closely match upstream coreos/bugs#2231

Closed

thaJeztah mentioned this pull request Dec 27, 2017

Selinux Warnings during docker install on Fedora #28099

Closed

Conversation

cpuguy83 commented Apr 7, 2017

Uh oh!

thaJeztah commented Apr 10, 2017

Uh oh!

runcom commented Apr 10, 2017

Uh oh!

rhatdan commented Apr 10, 2017

Uh oh!

cpuguy83 commented Apr 26, 2017

Uh oh!

vdemeester left a comment

Choose a reason for hiding this comment

Uh oh!

andrewhsu commented May 10, 2017

Uh oh!

thaJeztah commented May 11, 2017

Uh oh!

runcom commented May 12, 2017

Uh oh!

thaJeztah commented May 12, 2017

Uh oh!

cpuguy83 commented May 12, 2017

Uh oh!

cognitiaclaeves commented Jun 15, 2017

Uh oh!

cpuguy83 commented Jun 15, 2017

Uh oh!

cognitiaclaeves commented Jun 15, 2017

Uh oh!

rhatdan commented Jun 15, 2017

Uh oh!

cpuguy83 commented Jun 16, 2017

Uh oh!

ericsysmin commented Jul 5, 2017

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants