Skip to content

[CAHC] building httpd container with 'docker-latest' failing due to AVC denials #285

New issue
New issue
Open
Open
[CAHC] building httpd container with 'docker-latest' failing due to AVC denials#285
@miabbott

Description

@miabbott
miabbott
opened on Jul 14, 2017

Grab the Dockerfile [0] and the makecache.sh [1] script and try to build an httpd container.

[0] https://github.com/projectatomic/atomic-host-tests/blob/master/roles/docker_build_httpd/files/centos_httpd_Dockerfile
[1] https://github.com/projectatomic/atomic-host-tests/blob/master/roles/docker_build_httpd/files/makecache.sh

I was not able to reproduce this on RHELAH with docker-latest-1.13.1-19.1.git19ea2d3.el7.x86_64 and container-selinux-2.19-2.1.el7.noarch

cc: @lsm5

# rpm-ostree status
State: idle
Deployments:
● centos-atomic-continuous:centos-atomic-host/7/x86_64/devel/continuous
                   Version: 7.2017.477 (2017-07-13 22:24:24)
                    Commit: c87a9e7d577716d737109b1802b50db09a618a344e96a2c9ce219383c6da3fb0
# rpm -q docker-latest container-selinux
docker-latest-1.13-28.git6cd0bbe.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
# chmod +x makecache.sh
# docker build -t centos_httpd -f centos_httpd_Dockerfile .
Sending build context to Docker daemon  16.9 kB
Step 1/11 : FROM centos
Trying to pull repository docker.io/library/centos ... 
sha256:c1010e2fe2b635822d99a096b1f4184becf5d1c98707cbccae00be663a9b9131: Pulling from docker.io/library/centos
7b6bb4652a1b: Pull complete 
Digest: sha256:c1010e2fe2b635822d99a096b1f4184becf5d1c98707cbccae00be663a9b9131
Status: Downloaded newer image for docker.io/centos:latest
 ---> 36540f359ca3
Step 2/11 : MAINTAINER Micah Abbott <[email protected]>
 ---> Running in 385954992d3f
 ---> dfebc1073d02
Removing intermediate container 385954992d3f
Step 3/11 : LABEL Version 1.2
 ---> Running in 86761c551037
 ---> d4b33024e2c2
Removing intermediate container 86761c551037
Step 4/11 : LABEL RUN "docker run -d --name NAME -p 80:80 IMAGE"
 ---> Running in 9e75345dcab2
 ---> 3e13350e00ff
Removing intermediate container 9e75345dcab2
Step 5/11 : ENV container docker
 ---> Running in d108d474d4ed
 ---> 40696ef6b1f3
Removing intermediate container d108d474d4ed
Step 6/11 : ADD makecache.sh /
 ---> 7ece853ec784
Removing intermediate container 2127bdf41379
Step 7/11 : RUN /makecache.sh &&     yum -y install httpd &&     yum clean all
 ---> Running in 322acfe458ef
+ retries=5
+ '[' 5 -gt 0 ']'
+ yum makecache
Loaded plugins: fastestmirror, ovl
http://centos.pymesolutionsweb.com/7.3.1611/os/x86_64/repodata/3a1b41925bb25892c1003b22979ea0705aa815fed57f992cf0229b76539a9ac4-filelists.sqlite.bz2: [Errno 12] Timeout on http://centos.pymesolutionsweb.com/7.3.
1611/os/x86_64/repodata/3a1b41925bb25892c1003b22979ea0705aa815fed57f992cf0229b76539a9ac4-filelists.sqlite.bz2: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
Determining fastest mirrors
 * base: mirror.us.leaseweb.net
 * extras: mirror.us.leaseweb.net
 * updates: mirror.5ninesolutions.com
Metadata Cache Created
+ break
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirror.us.leaseweb.net
 * extras: mirror.us.leaseweb.net
 * updates: mirror.5ninesolutions.com
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-45.el7.centos.4 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-45.el7.centos.4 for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-45.el7.centos.4.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package centos-logos.noarch 0:70.0.6-3.el7.centos will be installed
---> Package httpd-tools.x86_64 0:2.4.6-45.el7.centos.4 will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch        Version                       Repository    Size
================================================================================
Installing:
 httpd             x86_64      2.4.6-45.el7.centos.4         updates      2.7 M
Installing for dependencies:
 apr               x86_64      1.4.8-3.el7                   base         103 k
 apr-util          x86_64      1.5.2-6.el7                   base          92 k
 centos-logos      noarch      70.0.6-3.el7.centos           base          21 M
 httpd-tools       x86_64      2.4.6-45.el7.centos.4         updates       84 k
 mailcap           noarch      2.1.41-2.el7                  base          31 k

Transaction Summary
================================================================================
Install  1 Package (+5 Dependent packages)

Total download size: 24 M
Installed size: 32 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/apr-util-1.5.2-6.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for apr-util-1.5.2-6.el7.x86_64.rpm is not installed
Public key for httpd-tools-2.4.6-45.el7.centos.4.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                              7.7 MB/s |  24 MB  00:03     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-3.1611.el7.centos.x86_64 (@CentOS)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-3.el7.x86_64                                       1/6 
  Installing : apr-util-1.5.2-6.el7.x86_64                                  2/6 
  Installing : httpd-tools-2.4.6-45.el7.centos.4.x86_64                     3/6 
  Installing : centos-logos-70.0.6-3.el7.centos.noarch                      4/6 
  Installing : mailcap-2.1.41-2.el7.noarch                                  5/6 
  Installing : httpd-2.4.6-45.el7.centos.4.x86_64                           6/6

Rpmdb checksum is invalid: dCDPT(pkg checksums): apr.x86_64 0:1.4.8-3.el7 - u
 
The command '/bin/sh -c /makecache.sh &&     yum -y install httpd &&     yum clean all' returned a non-zero code: 1
[root@micah-cahc-vm0714a ~]# journalctl -b | grep denied
Jul 14 15:58:06 host-172-16-171-237 kernel: type=1400 audit(1500047886.554:7): avc:  denied  { write } for  pid=11306 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:s
virt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.317:8): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:s
virt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.357:9): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:s
virt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:10 host-172-16-171-237 kernel: type=1400 audit(1500047950.372:10): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:
svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:12 host-172-16-171-237 kernel: type=1400 audit(1500047952.366:11): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:
svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.362:12): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:
svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.378:13): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:
svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file
Jul 14 15:59:14 host-172-16-171-237 kernel: type=1400 audit(1500047954.428:14): avc:  denied  { write } for  pid=11363 comm="yum" path="/var/lib/rpm/__db.001" dev="overlay" ino=143429 scontext=system_u:system_r:
svirt_lxc_net_t:s0:c132,c213 tcontext=system_u:object_r:container_share_t:s0 tclass=file

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions