View Issue Details

ID: 0007404
Project: CentOS-7
Category: -OTHER
View Status: public
Last Update: 2014-07-22 04:50
Reporter: decker.rj
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 7
Product Version: 7.0-1406
Summary: 0007404: When building DBD::Oracle in a docker v1.0 container on CentOS 7, host SELinux blocks library use

Description: Attempting to build the DBD::Oracle perl library (via cpanm) on a CentOS 7 docker install (via the EPEL 7 docker-io package) against the oracle instant client v10.2.0.4-1, the host CentOS 7 SELinux will prevent DBD::Oracle from dynamically linking the oracle instant client libraries.
Steps To Reproduce:
Add EPEL 7: sudo yum install -y http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm
Add SELinux tools: libselinux-utils
Ensure SELinux is running: sudo /usr/sbin/sestatus
(Enable if not: sudo /usr/sbin/setenforce 1)
Install Docker v1.0.0: sudo yum install docker-io
Get oracle instant client basic, sqlplus, and devel RPMs from Oracle's site; v10.2.0.4
Use Dockerfile below to add RPMs to an image. Ensure that the files are in the same directory as the Dockerfile: docker build -t centos7-selinux <dir with dockerfile>
Run docker: docker run -t -i centos7-selinux /bin/bash
Install DBD::Oracle with cpanm: cpanm -l /opt/dbd-oracle DBD::Oracle

cpanm log will show permission denied for loading Oracle shared objects.
I
Additional Information: Dockerfile (the missing RUN keyword noted by the reporter in note ~0020474 is applied here):
FROM centos:centos7
# copy the Oracle instant client RPMs from the build context into the image
ADD . /opt
# build toolchain, perl + cpanminus, and the instant client RPMs themselves
RUN yum install -y gcc tar bzip2 compat-libstdc++-33 perl perl-DBI perl-App-cpanminus /opt/*
ENV ORACLE_HOME /usr/lib/oracle/10.2.0.4/client64
ENV LD_LIBRARY_PATH /usr/lib/oracle/10.2.0.4/client64/lib
Tags: No tags attached.

Activities

decker.rj (reporter), 2014-07-19 16:47, note ~0020474

Typo in the Dockerfile:
Line "yum install -y gcc tar bzip2 compat-libstdc++-33 perl perl-DBI perl-App-cpanminus /opt/*" should be "RUN yum install -y gcc tar bzip2 compat-libstdc++-33 perl perl-DBI perl-App-cpanminus /opt/*"
decker.rj (reporter), 2014-07-19 16:54, note ~0020475

Sample Error line from cpanm log:
Can't load '/.cpanm/work/1405803109.8/DBD-Oracle-1.74/blib/arch/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: /usr/lib/oracle/10.2.0.4/client64/lib/libnnz10.so: cannot restore segment prot after reloc: Permission denied at /usr/lib64/perl5/DynaLoader.pm

user1999, 2014-07-19 17:42, note ~0020478 (last edited: 2014-07-20 11:38)

Can you please show us the relevant AVC messages from the audit log?

decker.rj (reporter), 2014-07-21 03:22, note ~0020486

The AVC messages appear in the host machine - the docker container does not run SELinux.

Pasted below are the relevant lines from the log, showing the denial from SELinux on loading the shared object:

type=AVC msg=audit(1405927220.515:12547): avc: denied { execmod } for pid=2046 comm="perl" path="/usr/lib/oracle/10.2.0.4/client64/lib/libnnz10.so" dev="dm-5" ino=402107 scontext=system_u:system_r:svirt_lxc_net_t:s0:c500,c846 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c500,c846 tclass=file
type=SYSCALL msg=audit(1405927220.515:12547): arch=c000003e syscall=10 success=no exit=-13 a0=7f3fde5ca000 a1=2ef000 a2=5 a3=0 items=0 ppid=577 pid=2046 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:svirt_lxc_net_t:s0:c500,c846 key=(null)

Let me know if you need more context around the error, but the log is spammed pretty heavily by each test run for DBD::Oracle.

user1999, 2014-07-21 07:27, note ~0020487

As far as I can tell the problem is that the oracle binary is incorrectly built. If I am right you can probably fix it by using
chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.4/client64/lib/libnnz10.so
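The two notes above carry the whole diagnosis: an AVC record showing execmod denied to the container domain on a shared object, a SYSCALL record showing the failing mprotect, and the suggested relabel to textrel_shlib_t. The following script is an added example, not code from the bug report or any of its participants. It parses the exact AVC/SYSCALL pair quoted in note ~0020486, confirms the pattern (mprotect to PROT_READ|PROT_EXEC on a file mapping, which is what the dynamic loader does for a library carrying text relocations, hence "cannot restore segment prot after reloc"), and builds the host-side chcon command from note ~0020487. The container rootfs prefix passed to host_chcon_command is a placeholder: the path in the AVC record is the container's view of the filesystem, and where that file sits on the host depends on Docker's storage driver and is not given on this page.

```python
"""Triage SELinux execmod denials raised against a Docker container (added example)."""
import os
import re
import shlex

# Audit records exactly as posted in note ~0020486 (copied from the report, not constructed).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1405927220.515:12547): avc: denied { execmod } for pid=2046 comm="perl" path="/usr/lib/oracle/10.2.0.4/client64/lib/libnnz10.so" dev="dm-5" ino=402107 scontext=system_u:system_r:svirt_lxc_net_t:s0:c500,c846 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c500,c846 tclass=file
type=SYSCALL msg=audit(1405927220.515:12547): arch=c000003e syscall=10 success=no exit=-13 a0=7f3fde5ca000 a1=2ef000 a2=5 a3=0 items=0 ppid=577 pid=2046 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:svirt_lxc_net_t:s0:c500,c846 key=(null)
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$")

# x86_64 is arch=c000003e in audit records; 10 is mprotect on that ABI.
X86_64_SYSCALLS = {10: "mprotect"}
PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
CONTAINER_DOMAIN = "svirt_lxc_net_t"  # the domain Docker 1.0 on CentOS 7 runs containers in


def _kv(rest):
    """Split 'k=v k2="quoted v"' into a dict; shlex strips the quoting for us."""
    return dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)


def context_type(ctx):
    """user:role:type[:range] -> type."""
    parts = (ctx or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = _kv(m.group("rest"))
    return {"serial": int(m.group("serial")), "result": m.group("result"),
            "perms": m.group("perms").split(), "comm": f.get("comm"), "path": f.get("path"),
            "tclass": f.get("tclass"), "scontext": f.get("scontext"), "tcontext": f.get("tcontext")}


def parse_syscall(line):
    m = SYSCALL_RE.match(line.strip())
    if not m:
        return None
    rec = _kv(m.group("rest"))
    rec["serial"] = int(m.group("serial"))
    return rec


def decode_prot(hexval):
    """Decode an mprotect prot argument (hex string from the audit record) into flag names."""
    val = int(hexval, 16)
    return [name for bit, name in sorted(PROT_FLAGS.items()) if val & bit]


def triage_log(text):
    """Return one finding per execmod-on-file denial, joined with its SYSCALL record by serial."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        s = parse_syscall(line)
        if s:
            syscalls[s["serial"]] = s
            continue
        a = parse_avc(line)
        if a:
            avcs.append(a)
    findings = []
    for a in avcs:
        if a["result"] != "denied" or "execmod" not in a["perms"] or a["tclass"] != "file":
            continue
        sc = syscalls.get(a["serial"], {})
        name = X86_64_SYSCALLS.get(int(sc.get("syscall", -1))) if sc.get("arch") == "c000003e" else None
        prot = decode_prot(sc["a2"]) if name == "mprotect" and "a2" in sc else []
        findings.append({
            "serial": a["serial"], "comm": a["comm"], "library": a["path"],
            "source_type": context_type(a["scontext"]), "target_type": context_type(a["tcontext"]),
            "in_container": context_type(a["scontext"]) == CONTAINER_DOMAIN,
            "syscall": name, "prot": prot,
            # execmod + mprotect to an executable mapping of a .so is the text-relocation signature
            "text_relocation": name == "mprotect" and "PROT_EXEC" in prot,
        })
    return findings


def host_chcon_command(container_path, rootfs):
    """Build the relabel from note ~0020487, run on the host against the container's rootfs.

    rootfs is a placeholder here; the real host path depends on the Docker storage driver."""
    host_path = os.path.join(rootfs, container_path.lstrip("/"))
    return "chcon -t textrel_shlib_t %s" % shlex.quote(host_path)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_AUDIT_LOG):
        print(f)
        print(host_chcon_command(f["library"], "/var/lib/docker/<CONTAINER_ROOTFS_PLACEHOLDER>"))
```

Two points worth keeping in mind when acting on the output: chcon changes the label on the file as it is now and does not survive a relabel, so a permanent change on the host would be recorded with semanage fcontext followed by restorecon instead; and a library that needs textrel_shlib_t is one that was built without position-independent code, which is what user1999 means by "incorrectly built", so the label is a workaround for a vendor binary rather than a fix for the policy.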
decker.rj (reporter), 2014-07-21 15:08, note ~0020489

The docker CentOS image is built without SELinux, so I can't chcon the libraries, and attempting to do so gives an error message. Additionally, this issue does not exist if using CentOS 6 as the base docker image instead of CentOS 7. I don't believe there should be a reason for CentOS 7 to reach inside a running container that has SELinux disabled and apply SELinux controls.

From the docker image:
bash-4.2# whoami
root
bash-4.2# chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.4/client64/lib/libnnz10.so
chcon: failed to change context of '/usr/lib/oracle/10.2.0.4/client64/lib/libnnz10.so' to 'system_u:object_r:textrel_shlib_t:s0:c382,c961': Operation not supported

Nothing shows up in the AVC log when running chcon from inside the docker image.
Evolution (reporter), 2014-07-21 16:43, note ~0020490

It happens the other way. Docker uses the host kernel. There's no way to strip or ignore the selinux contexts of the host kernel to run the process unconstrained *in* the docker image. If you want selinux disabled, you have to do this at the host, not in the container.
decker.rj (reporter), 2014-07-21 17:55, note ~0020491

I can't seem to reproduce my earlier success in building DBD::Oracle with SELinux enabled on the host machine under a CentOS 6 docker image.

Thanks for helping me with this issue - I don't believe there is a resolution aside from running docker --privileged or disabling SELinux on the host machine.

user1999, 2014-07-22 04:50, note ~0020496

The chcon command should be run on the host.

Issue History

Date Modified Username Field Change
2014-07-19 16:45 decker.rj New Issue
2014-07-19 16:47 decker.rj Note Added: 0020474
2014-07-19 16:54 decker.rj Note Added: 0020475
2014-07-19 17:42 user1999 Note Added: 0020478
2014-07-19 17:43 user1999 Note Edited: 0020478
2014-07-20 11:38 user1999 Note Edited: 0020478
2014-07-21 03:22 decker.rj Note Added: 0020486
2014-07-21 07:27 user1999 Note Added: 0020487
2014-07-21 15:08 decker.rj Note Added: 0020489
2014-07-21 16:43 Evolution Note Added: 0020490
2014-07-21 17:55 decker.rj Note Added: 0020491
2014-07-22 04:50 user1999 Note Added: 0020496