[CAHC] building httpd container with 'docker-latest' failing due to AVC denials #285

Open
miabbott opened this issue Jul 14, 2017 · 0 comments

Grab the Dockerfile [0] and the makecache.sh [1] script and try to build an httpd container.

[0] https://github.com/projectatomic/atomic-host-tests/blob/master/roles/docker_build_httpd/files/centos_httpd_Dockerfile
[1] https://github.com/projectatomic/atomic-host-tests/blob/master/roles/docker_build_httpd/files/makecache.sh

I was not able to reproduce this on RHELAH with docker-latest-1.13.1-19.1.git19ea2d3.el7.x86_64 and container-selinux-2.19-2.1.el7.noarch

cc: @lsm5

# rpm-ostree status
State: idle
Deployments:
● centos-atomic-continuous:centos-atomic-host/7/x86_64/devel/continuous
                   Version: 7.2017.477 (2017-07-13 22:24:24)
                    Commit: c87a9e7d577716d737109b1802b50db09a618a344e96a2c9ce219383c6da3fb0
# rpm -q docker-latest container-selinux
docker-latest-1.13-28.git6cd0bbe.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
# chmod +x makecache.sh
# docker build -t centos_httpd -f centos_httpd_Dockerfile .
Sending build context to Docker daemon  16.9 kB
Step 1/11 : FROM centos
Trying to pull repository docker.io/library/centos ... 
sha256:c1010e2fe2b635822d99a096b1f4184becf5d1c98707cbccae00be663a9b9131: Pulling from docker.io/library/centos
7b6bb4652a1b: Pull complete 
Digest: sha256:c1010e2fe2b635822d99a096b1f4184becf5d1c98707cbccae00be663a9b9131
Status: Downloaded newer image for docker.io/centos:latest
 ---> 36540f359ca3
Step 2/11 : MAINTAINER Micah Abbott <[email protected]>
 ---> Running in 385954992d3f
 ---> dfebc1073d02
Removing intermediate container 385954992d3f
Step 3/11 : LABEL Version 1.2
 ---> Running in 86761c551037
 ---> d4b33024e2c2
Removing intermediate container 86761c551037
Step 4/11 : LABEL RUN "docker run -d --name NAME -p 80:80 IMAGE"
 ---> Running in 9e75345dcab2
 ---> 3e13350e00ff
Removing intermediate container 9e75345dcab2
Step 5/11 : ENV container docker
 ---> Running in d108d474d4ed
 ---> 40696ef6b1f3
Removing intermediate container d108d474d4ed
Step 6/11 : ADD makecache.sh /
 ---> 7ece853ec784
Removing intermediate container 2127bdf41379
Step 7/11 : RUN /makecache.sh &&     yum -y install httpd &&     yum clean all
 ---> Running in 322acfe458ef
+ retries=5
+ '[' 5 -gt 0 ']'
+ yum makecache
Loaded plugins: fastestmirror, ovl
http://centos.pymesolutionsweb.com/7.3.1611/os/x86_64/repodata/3a1b41925bb25892c1003b22979ea0705aa815fed57f992cf0229b76539a9ac4-filelists.sqlite.bz2: [Errno 12] Timeout on http://centos.pymesolutionsweb.com/7.3.1611/os/x86_64/repodata/3a1b41925bb25892c1003b22979ea0705aa815fed57f992cf0229b76539a9ac4-filelists.sqlite.bz2: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
Determining fastest mirrors
 * base: mirror.us.leaseweb.net
 * extras: mirror.us.leaseweb.net
 * updates: mirror.5ninesolutions.com
Metadata Cache Created
+ break
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirror.us.leaseweb.net
 * extras: mirror.us.leaseweb.net
 * updates: mirror.5ninesolutions.com
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-45.el7.centos.4 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-45.el7.centos.4 for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package centos-logos.noarch 0:70.0.6-3.el7.centos will be installed
---> Package httpd-tools.x86_64 0:2.4.6-45.el7.centos.4 will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch        Version                       Repository    Size
================================================================================
Installing:
 httpd             x86_64      2.4.6-45.el7.centos.4         updates      2.7 M
Installing for dependencies:
 apr               x86_64      1.4.8-3.el7                   base         103 k
 apr-util          x86_64      1.5.2-6.el7                   base          92 k
 centos-logos      noarch      70.0.6-3.el7.centos           base          21 M
 httpd-tools       x86_64      2.4.6-45.el7.centos.4         updates       84 k
 mailcap           noarch      2.1.41-2.el7                  base          31 k

Transaction Summary
================================================================================
Install  1 Package (+5 Dependent packages)

Total download size: 24 M
Installed size: 32 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/apr-util-1.5.2-6.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for apr-util-1.5.2-6.el7.x86_64.rpm is not installed
Public key for httpd-tools-2.4.6-45.el7.centos.4.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                              7.7 MB/s |  24 MB  00:03     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-3.1611.el7.centos.x86_64 (@CentOS)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-3.el7.x86_64                                       1/6 
  Installing : apr-util-1.5.2-6.el7.x86_64                                  2/6 
  Installing : httpd-tools-2.4.6-45.el7.centos.4.x86_64                     3/6 
  Installing : centos-logos-70.0.6-3.el7.centos.noarch                      4/6 
  Installing : mailcap-2.1.41-2.el7.noarch                                  5/6 
  Installing : httpd-2.4.6-45.el7.centos.4.x86_64                           6/6

Rpmdb checksum is invalid: dCDPT(pkg checksums): apr.x86_64 0:1.4.8-3.el7 - u
 
The command '/bin/sh -c /makecache.sh &&     yum -y install httpd &&     yum clean all' returned a non-zero code: 1
[root@micah-cahc-vm0714a ~]# journalctl -b | grep denied
Jul 14 15:58:06 host-172-16-171-237 kernel: type=1400 audit(1500047886.554:7): avc:  denied  { write } for  pid=11306 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.317:8): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.357:9): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.372:10): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:12 host-172-16-171-237 kernel: type=1400 audit(1500047952.366:11): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.362:12): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.378:13): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.428:14): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
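
For triage, repeated denials like those in the journal output above can be collapsed to unique (source type, target type, class, permission, command, path) tuples with counts. This is an added example, not part of the original issue or the project's code; the sample lines are constructed in the same format as the report's log, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the journal output in the report.
SAMPLE = """\
Jul 14 15:58:06 host kernel: type=1400 audit(1500047886.554:7): avc:  denied  { write } for  pid=11306 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host kernel: type=1400 audit(1500047950.317:8): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:11 host kernel: type=1400 audit(1500047951.000:9): avc:  denied  { read open } for  pid=11400 comm="httpd" path="/etc/example.conf" dev="overlay" ino=200 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jul 14 15:59:12 host kernel: some unrelated line mentioning denied
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one kernel AVC denial line into a dict; None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": kv.get("comm"),
        "path": kv.get("path"),
        "source_type": ctx_type(kv.get("scontext", "")),
        "target_type": ctx_type(kv.get("tcontext", "")),
        "tclass": kv.get("tclass"),
    }

def summarize(text):
    """Count denials per unique (source, target, class, perms, comm, path)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"],
                    rec["perms"], rec["comm"], rec["path"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```
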