Bug 1357131 - libselinux container support [NEEDINFO]
Summary: libselinux container support
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libselinux
Version: 5.10
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Petr Lautrbach
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-15 20:38 UTC by Daniel Walsh
Modified: 2017-04-18 21:57 UTC (History)
9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-18 21:57:04 UTC
sghosh: needinfo? (snagar)
plautrba: needinfo? (snagar)
dwalsh: needinfo? (bbreard)


Attachments
Patch for libselinux rhel-5.11 dist-git branch (deleted), 2016-11-04 09:40 UTC, Petr Lautrbach

Description Daniel Walsh 2016-07-15 20:38:50 UTC
There is a renewed push to package up a RHEL5 base image. Since RHEL5 is end of life this winter, we want to offer the customers the ability to run certain workloads in containers. But in order to get this to happen we need to backport the libselinux patch that says SELinux is disabled in a container with /sys/fs/selinux mounted read-only or not mounted at all, since we don't want SELinux activity done while in the container. We had to do similar stuff for libselinux back in RHEL6. This might be more complicated since the rhel5 libselinux is ancient.

Comment 1 Petr Lautrbach 2016-07-15 20:48:31 UTC
It doesn't seem to be so complicated. There are two places where the mountpoint needs to be checked if it's read-only - init_selinuxmnt() and is_selinux_enabled(). There's verify_selinuxmnt() which could be backported and used for this purpose.

Comment 2 RHEL Product and Program Management 2016-07-15 21:18:01 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 3 Paul Moore 2016-07-15 21:21:29 UTC
Miroslav, we will probably need to get this escalated to PM so we can get libselinux on the magic RHEL-5.11 list.

Comment 4 Daniel Walsh 2016-07-18 10:31:59 UTC
Subhendu and Ben, we need this in RHEL5 in order to support a RHEL5 base container.

Comment 13 Daniel Walsh 2016-09-03 11:14:35 UTC
I don't believe the selinuxfs is mounted into the container. It is just the mounting of a sysfs that causes it to happen.

Try:
# mount -t sysfs none /mnt
# ls /mnt/fs/selinux

In RHEL5 libselinux is looking for /selinux.

So a hack you could try is to link /selinux to /sys/fs/selinux

ln -s /sys/fs/selinux /selinux

And see if libselinux can handle this.

I am not sure if Peter has back ported the fixes for libselinux into rhel5 yet to fully make this work.
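The mount-point check that Comment 1 says needs backporting (verify_selinuxmnt(): is selinuxfs actually mounted there, and is it read-only?) and the /selinux vs. /sys/fs/selinux path question from Comment 13 can be exercised outside libselinux. The following is an added example written for this page; it is not libselinux code and not the attached patch. It reimplements the decision the comments describe: statfs() the candidate mount point, require the selinuxfs magic from <linux/magic.h>, and treat a read-only mount (the case a container sees when the host's selinuxfs is bind-mounted in) exactly like no mount at all, i.e. "Disabled". The candidate list, the enum names and the probing order are this example's own choices.

```c
/* Added example, not libselinux code: decide how a process inside a
 * container should treat SELinux based on what it finds at the selinuxfs
 * mount point.  Models the check described in Comment 1 (verify_selinuxmnt):
 * no selinuxfs, or selinuxfs mounted read-only, means "act as disabled". */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/statfs.h>
#include <sys/statvfs.h>

/* Filesystem magic number for selinuxfs, as defined in <linux/magic.h>. */
#define SELINUX_MAGIC 0xf97cff8cU

enum selinux_view {
    SELINUX_VIEW_DISABLED,  /* no usable selinuxfs: behave as if SELinux is off */
    SELINUX_VIEW_USABLE     /* selinuxfs mounted read-write: query it normally */
};

/* Pure decision logic, kept separate so it can be tested without a real mount.
 * stat_ok: whether statfs()/statvfs() succeeded at all;
 * f_type:  statfs().f_type of the mount point;
 * f_flag:  statvfs().f_flag of the mount point. */
enum selinux_view classify_selinuxmnt(int stat_ok, uint32_t f_type, unsigned long f_flag)
{
    if (!stat_ok)
        return SELINUX_VIEW_DISABLED;   /* path missing or unreadable */
    if (f_type != SELINUX_MAGIC)
        return SELINUX_VIEW_DISABLED;   /* plain sysfs or an empty directory, not selinuxfs */
    if (f_flag & ST_RDONLY)
        return SELINUX_VIEW_DISABLED;   /* host selinuxfs bind-mounted read-only into the container */
    return SELINUX_VIEW_USABLE;
}

/* Probe one candidate mount point on the running system. */
enum selinux_view probe_selinuxmnt(const char *mnt)
{
    struct statfs sfbuf;
    struct statvfs vfsbuf;
    int rc;

    do {
        rc = statfs(mnt, &sfbuf);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return classify_selinuxmnt(0, 0, 0);

    do {
        rc = statvfs(mnt, &vfsbuf);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return classify_selinuxmnt(0, 0, 0);

    return classify_selinuxmnt(1, (uint32_t)sfbuf.f_type, vfsbuf.f_flag);
}

/* Try the modern mount point first, then the legacy /selinux path that the
 * RHEL5 libselinux looks for (Comment 13).  Returns the first usable one,
 * or NULL when the process should report "Disabled". */
const char *find_selinuxmnt(void)
{
    static const char *const candidates[] = { "/sys/fs/selinux", "/selinux" };
    size_t i;

    for (i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++)
        if (probe_selinuxmnt(candidates[i]) == SELINUX_VIEW_USABLE)
            return candidates[i];
    return NULL;
}

int main(void)
{
    const char *mnt = find_selinuxmnt();
    char path[64];
    FILE *fp;
    int enforce = -1;

    if (mnt == NULL) {
        puts("Disabled");   /* the answer wanted inside a RHEL5 container */
        return 0;
    }
    /* selinuxfs is writable here, so report the real mode like getenforce. */
    snprintf(path, sizeof path, "%s/enforce", mnt);
    fp = fopen(path, "r");
    if (fp != NULL) {
        if (fscanf(fp, "%d", &enforce) != 1)
            enforce = -1;
        fclose(fp);
    }
    printf("%s (selinuxfs at %s)\n",
           enforce == 1 ? "Enforcing" : enforce == 0 ? "Permissive" : "unknown", mnt);
    return 0;
}
```

Run it unprivileged inside a container with and without `-v /sys/fs/selinux:/sys/fs/selinux:ro`, then again with `--privileged`, to reproduce the matrix of results Frantisek reports later in this bug; the read-only case is the one the original RHEL5 libselinux cannot distinguish from a working mount.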

Comment 16 Daniel Walsh 2016-10-18 12:05:30 UTC
Petr do you have a working version of libselinux for RHEL5?

Comment 21 Daniel Walsh 2016-11-01 19:47:53 UTC
Frantisek, could you try this without the new version of libselinux? Does it report "getenforce() Failed"? I think the RHEL 5 container would not have /selinux mounted in it, and might not have /selinux at all.

Comment 22 Frantisek Kluknavsky 2016-11-03 11:14:02 UTC
The new version gives "Disabled" when no explicit volumes are mounted.
It gives an error message when /sys/fs/selinux from host is mounted into the image anywhere (/selinux, /sys/fs/selinux/ or /asdf).

If the container runs as --privileged and without mounted /sys/fs/selinux, it says Disabled. If the container runs as --privileged and with /sys/fs/selinux mounted anywhere, it says the truth.

The original libselinux gives an error either with or without mounted /sys/fs/selinux. The original libselinux running in a --privileged container gives an error without mounted /sys/fs/selinux and says the truth with mounted /sys/fs/selinux.

Comment 23 Daniel Walsh 2016-11-03 13:48:36 UTC
Seems good, we definitely want the default to be disabled, and I can think of almost no situation where we would want a RHEL5 container to do any SELinux activity.

Let's get this built into Brew.

Comment 24 Petr Lautrbach 2016-11-04 09:40:55 UTC
Created attachment 1217341
Patch for libselinux rhel-5.11 dist-git branch

A complete scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12039469

A regular build can't be built until this bug has all needed acks.

Comment 25 Petr Lautrbach 2017-01-05 14:27:28 UTC
Ping? Is this going to be approved?

Comment 26 Daniel Walsh 2017-01-05 18:25:58 UTC
Ben?

Comment 27 Chris Williams 2017-04-18 21:57:04 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.

