umoci: layer: Xattr unpack code is broken on Fedora/RHEL
Just have a busybox image copied with skopeo to OCI format, then:
$ umoci unpack --image busybox bundle
INFO[0000] parsed mappings map.gid=[] map.uid=[]
FATA[0000] create runtime bundle: chown rootfs: lchown bundle/rootfs: operation not permitted
$ sudo $GOPATH/bin/umoci unpack --image busybox bundle
INFO[0000] parsed mappings map.gid=[] map.uid=[]
INFO[0000] unpack manifest: unpacking layer sha256:56bec22e355981d8ba0878c6c2f23b21f422f30ab0aba188b54f1ffeff59c190 diffid="sha256:e88b3f82283bc59d5e0df427c824e9f95557e661fcb0ea15fb0fb6f97760f9d9"
FATA[0000] create runtime bundle: unpack layer: unpack entry: bin: apply hdr metadata: clear xattr metadata: /home/amurdaca/go/src/github.com/docker/containerd/bundle/rootfs/bin: lclearxattrs: lremovexattr(/home/amurdaca/go/src/github.com/docker/containerd/bundle/rootfs/bin, security.selinux): permission denied
About this issue
- State: closed
- Created 8 years ago
- Comments: 22 (15 by maintainers)
Commits related to this issue
- oci: layer: fix xattr extraction Lclearxattr is actually not useful because on SELinux enabled systems, attempting to remove a security context label will always fail. There's probably nicer ways of ... — committed to opencontainers/umoci by cyphar 8 years ago
- pkg: xattr: ignore EPERM in Lclearxattrs On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle... — committed to opencontainers/umoci by cyphar 8 years ago
- merge branch 'xattr-fix-selinux' Fixes: cyphar/umoci#49 LGTMs: @cyphar — committed to opencontainers/umoci by cyphar 8 years ago
I usually spin up Fedora VMs out of qcow2 images (Fedora cloud images) and everything works great with SELinux and the rest.
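The approach named in the commit titles above (tolerate a permission error while clearing xattrs instead of aborting the unpack), written out as an added example; it is not umoci's code. `parseXattrNames`, `clearXattrs` and `fakeRemove` are hypothetical names, the remover is injected so the sample runs without touching a filesystem, and treating EACCES the same as EPERM is an assumption based on the "permission denied" text in the log above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"syscall"
)

// parseXattrNames splits the NUL-separated name buffer that llistxattr(2) fills in.
func parseXattrNames(buf []byte) []string {
	var names []string
	for _, n := range strings.Split(string(buf), "\x00") {
		if n != "" {
			names = append(names, n)
		}
	}
	return names
}

// isPermission reports whether err is (or wraps) EPERM or EACCES.
// Assumption: "permission denied" in the issue log is EACCES; the commit title says EPERM.
func isPermission(err error) bool {
	return errors.Is(err, syscall.EPERM) || errors.Is(err, syscall.EACCES)
}

// clearXattrs calls remove for each name. Names the kernel refuses to drop are
// returned in skipped so the caller can log them; any other error aborts.
func clearXattrs(names []string, remove func(string) error) (skipped []string, err error) {
	for _, name := range names {
		if rerr := remove(name); rerr != nil {
			if isPermission(rerr) {
				skipped = append(skipped, name)
				continue
			}
			return skipped, fmt.Errorf("lremovexattr(%s): %w", name, rerr)
		}
	}
	return skipped, nil
}

// fakeRemove is a constructed stand-in for lremovexattr(2) on an SELinux host.
func fakeRemove(name string) error {
	if strings.HasPrefix(name, "security.") {
		return syscall.EACCES
	}
	return nil
}

func main() {
	names := parseXattrNames([]byte("user.mime_type\x00security.selinux\x00")) // constructed
	fmt.Println(clearXattrs(names, fakeRemove))
}
```

Returning the skipped names rather than dropping them silently lets the caller record which labels were left in place on the extracted file.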