
[CAHC] building httpd container with 'docker-latest' failing due to AVC denials #285

@miabbott

Description

Grab the Dockerfile [0] and the makecache.sh [1] script and try to build an httpd container.

[0] https://github.com/projectatomic/atomic-host-tests/blob/master/roles/docker_build_httpd/files/centos_httpd_Dockerfile
[1] https://github.com/projectatomic/atomic-host-tests/blob/master/roles/docker_build_httpd/files/makecache.sh

I was not able to reproduce this on RHELAH with docker-latest-1.13.1-19.1.git19ea2d3.el7.x86_64 and container-selinux-2.19-2.1.el7.noarch

cc: @lsm5

# rpm-ostree status
State: idle
Deployments:
● centos-atomic-continuous:centos-atomic-host/7/x86_64/devel/continuous
                   Version: 7.2017.477 (2017-07-13 22:24:24)
                    Commit: c87a9e7d577716d737109b1802b50db09a618a344e96a2c9ce219383c6da3fb0
# rpm -q docker-latest container-selinux
docker-latest-1.13-28.git6cd0bbe.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
# chmod +x makecache.sh
# docker build -t centos_httpd -f centos_httpd_Dockerfile .
Sending build context to Docker daemon  16.9 kB
Step 1/11 : FROM centos
Trying to pull repository docker.io/library/centos ... 
sha256:c1010e2fe2b635822d99a096b1f4184becf5d1c98707cbccae00be663a9b9131: Pulling from docker.io/library/centos
7b6bb4652a1b: Pull complete 
Digest: sha256:c1010e2fe2b635822d99a096b1f4184becf5d1c98707cbccae00be663a9b9131
Status: Downloaded newer image for docker.io/centos:latest
 ---> 36540f359ca3
Step 2/11 : MAINTAINER Micah Abbott <micah@redhat.com>
 ---> Running in 385954992d3f
 ---> dfebc1073d02
Removing intermediate container 385954992d3f
Step 3/11 : LABEL Version 1.2
 ---> Running in 86761c551037
 ---> d4b33024e2c2
Removing intermediate container 86761c551037
Step 4/11 : LABEL RUN "docker run -d --name NAME -p 80:80 IMAGE"
 ---> Running in 9e75345dcab2
 ---> 3e13350e00ff
Removing intermediate container 9e75345dcab2
Step 5/11 : ENV container docker
 ---> Running in d108d474d4ed
 ---> 40696ef6b1f3
Removing intermediate container d108d474d4ed
Step 6/11 : ADD makecache.sh /
 ---> 7ece853ec784
Removing intermediate container 2127bdf41379
Step 7/11 : RUN /makecache.sh &&     yum -y install httpd &&     yum clean all
 ---> Running in 322acfe458ef
+ retries=5
+ '[' 5 -gt 0 ']'
+ yum makecache
Loaded plugins: fastestmirror, ovl
http://centos.pymesolutionsweb.com/7.3.1611/os/x86_64/repodata/3a1b41925bb25892c1003b22979ea0705aa815fed57f992cf0229b76539a9ac4-filelists.sqlite.bz2: [Errno 12] Timeout on http://centos.pymesolutionsweb.com/7.3.1611/os/x86_64/repodata/3a1b41925bb25892c1003b22979ea0705aa815fed57f992cf0229b76539a9ac4-filelists.sqlite.bz2: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
Determining fastest mirrors
 * base: mirror.us.leaseweb.net
 * extras: mirror.us.leaseweb.net
 * updates: mirror.5ninesolutions.com
Metadata Cache Created
+ break
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirror.us.leaseweb.net
 * extras: mirror.us.leaseweb.net
 * updates: mirror.5ninesolutions.com
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-45.el7.centos.4 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-45.el7.centos.4 for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package centos-logos.noarch 0:70.0.6-3.el7.centos will be installed
---> Package httpd-tools.x86_64 0:2.4.6-45.el7.centos.4 will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch        Version                       Repository    Size
================================================================================
Installing:
 httpd             x86_64      2.4.6-45.el7.centos.4         updates      2.7 M
Installing for dependencies:
 apr               x86_64      1.4.8-3.el7                   base         103 k
 apr-util          x86_64      1.5.2-6.el7                   base          92 k
 centos-logos      noarch      70.0.6-3.el7.centos           base          21 M
 httpd-tools       x86_64      2.4.6-45.el7.centos.4         updates       84 k
 mailcap           noarch      2.1.41-2.el7                  base          31 k

Transaction Summary
================================================================================
Install  1 Package (+5 Dependent packages)

Total download size: 24 M
Installed size: 32 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/apr-util-1.5.2-6.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for apr-util-1.5.2-6.el7.x86_64.rpm is not installed
Public key for httpd-tools-2.4.6-45.el7.centos.4.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                              7.7 MB/s |  24 MB  00:03     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-3.1611.el7.centos.x86_64 (@CentOS)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-3.el7.x86_64                                       1/6 
  Installing : apr-util-1.5.2-6.el7.x86_64                                  2/6 
  Installing : httpd-tools-2.4.6-45.el7.centos.4.x86_64                     3/6 
  Installing : centos-logos-70.0.6-3.el7.centos.noarch                      4/6 
  Installing : mailcap-2.1.41-2.el7.noarch                                  5/6 
  Installing : httpd-2.4.6-45.el7.centos.4.x86_64                           6/6

Rpmdb checksum is invalid: dCDPT(pkg checksums): apr.x86_64 0:1.4.8-3.el7 - u
 
The command '/bin/sh -c /makecache.sh &&     yum -y install httpd &&     yum clean all' returned a non-zero code: 1
[root@micah-cahc-vm0714a ~]# journalctl -b | grep denied
Jul 14 15:58:06 host-172-16-171-237 kernel: type=1400 audit(1500047886.554:7): avc:  denied  { write } for  pid=11306 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.317:8): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.357:9): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.372:10): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:12 host-172-16-171-237 kernel: type=1400 audit(1500047952.366:11): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.362:12): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.378:13): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.428:14): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
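A small triage helper for denials like the ones in this report, added here as an example and not part of the issue or of the atomic-host-tests project: it parses kernel-format AVC records out of journal output and groups them by source type, target type, object class and permission, which is the view one needs before deciding whether the fix is a policy change or a labelling change (here: a container process of type svirt_lxc_net_t writing to the rpm database labelled container_share_t on overlay). The sample lines are constructed from the format shown above.

```python
import re
from collections import Counter

# Matches the kernel-format AVC record shown in the issue's journalctl output.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be double-quoted (comm="yum", path="/var/...").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field (user:role:TYPE:level) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one journal line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = selinux_type(rec.get("scontext", ""))
    rec["ttype"] = selinux_type(rec.get("tcontext", ""))
    return rec

def summarize(lines):
    """Count denials by (source type, target type, class, permission, comm)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec.get("tclass"), perm, rec.get("comm"))] += 1
    return counts

# Constructed sample: two denials in the issue's format plus one unrelated journal line.
SAMPLE = [
    'Jul 14 15:58:06 host kernel: type=1400 audit(1500047886.554:7): avc:  denied  { write } for  pid=11306 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file',
    'Jul 14 15:59:10 host kernel: type=1400 audit(1500047950.317:8): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file',
    'Jul 14 15:59:10 host systemd[1]: Started Session 3 of user root.',
]

if __name__ == "__main__":
    # Same grouping audit2allow would collapse these into; feed it `journalctl -b | grep avc` instead.
    for key, n in summarize(SAMPLE).most_common():
        stype, ttype, tclass, perm, comm = key
        print(f"{n:4d}  {comm}: {stype} -> {ttype} {tclass} {{ {perm} }}")
```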
