touch-packages team mailing list archive

[Bug 1424795] [NEW] Old libselinux in Precise breaks things in Docker on SELinux-enabled host

 

Public bug reported:

In a Docker container running on an SELinux capable kernel, the fact
that /sys is mounted RO is supposed to signal to the container that
SELinux is not supported on the inside, so it doesn't try to do things
that won't work. The version of libselinux in Ubuntu 12.04 is too old to
have the above check, breaking basic functionality like shadow-utils.

RHEL 6 had the same problem; their fix was to update libselinux:
https://bugzilla.redhat.com/show_bug.cgi?id=1112748

Previously reported downstream:
https://github.com/tianon/docker-brew-ubuntu-core/issues/29

Release: Ubuntu 12.04.5 LTS

Installed package version: 2.1.0-4.1ubuntu1

Expected results:
# useradd test
<success>
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel

Actual results:
root@b55e77ab9ef4:/# useradd test
useradd: failure while writing changes to /etc/passwd
root@b55e77ab9ef4:/# vipw
vipw: setfscreatecon () failed: Permission denied
vipw: /etc/passwd is unchanged
root@b55e77ab9ef4:/# id -Z
system_u:system_r:svirt_lxc_net_t:s0:c14,c127

** Affects: libselinux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1424795

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libselinux/+bug/1424795/+subscriptions
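
The read-only /sys signal described in the report can be checked by hand from the mount table. The following is an added example, not part of the original bug report and not libselinux code. The function names and both sample mount tables are constructed, and reading the flag from /proc/mounts-style option lists is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample mount tables in /proc/mounts format (not captured output). */
static const char CONTAINER_MOUNTS[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n";
static const char HOST_MOUNTS[] =
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";

/* 1 if the comma-separated option list contains exactly "ro"
 * (so "errors=remount-ro" does not count). */
static int has_ro(const char *opts)
{
    while (*opts) {
        size_t n = strcspn(opts, ",");
        if (n == 2 && strncmp(opts, "ro", 2) == 0)
            return 1;
        opts += n + (opts[n] == ',');
    }
    return 0;
}

/* Returns 1 if the last mount on `dir` is read-only, 0 if writable, -1 if absent. */
int mount_is_readonly(const char *mounts, const char *dir)
{
    char line[1024], dev[256], mnt[256], type[64], opts[512];
    int result = -1;

    while (*mounts) {
        size_t len = strcspn(mounts, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, mounts, n);            /* work on one line at a time */
        line[n] = '\0';
        if (sscanf(line, "%255s %255s %63s %511s", dev, mnt, type, opts) == 4 &&
            strcmp(mnt, dir) == 0)
            result = has_ro(opts);          /* later entries shadow earlier ones */
        mounts += len + (mounts[len] == '\n');
    }
    return result;
}

int main(void)
{
    printf("container /sys read-only: %d\n", mount_is_readonly(CONTAINER_MOUNTS, "/sys"));
    printf("host /sys read-only:      %d\n", mount_is_readonly(HOST_MOUNTS, "/sys"));
    return 0;
}
```

To run it against a live system, pass the contents of /proc/mounts read from inside the container instead of the constructed samples.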

