
docker-ce.spec: bump container-selinux req#339

Closed
kolyshkin wants to merge 1 commit into docker:master from kolyshkin:container-selinux-up

Conversation

Contributor

@kolyshkin kolyshkin commented Jun 9, 2019

Recent runc now requires container-selinux >= 2.95 for write access
to /proc/self/attr/keycreate. In case of older version, the error is:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused "write /proc/self/attr/keycreate: permission denied"": unknown.

More details at


Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
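A pre-flight check for the requirement this spec bump encodes, as an added example that is not code from the PR or from the docker-ce or runc projects: it compares the installed container-selinux version against 2.95, classifies the daemon's error text using the message quoted above, and can optionally start a throwaway container to see which case a host is in. It assumes rpm(8) and the docker CLI are on the path, that a small local image (any image with /bin/true) is passed as the first argument for the probe, and that dockerd's SELinux setting lives in /etc/docker/daemon.json; the version comparison deliberately ignores the RPM release tag. Because the thread goes on to report that 2.95 itself regressed, the script only reports the version, it does not change it.

```shell
#!/bin/sh
# Added example, not from the PR: pre-flight check for the requirement the
# spec change encodes (container-selinux >= 2.95 on an SELinux-enabled host).
# Assumptions: rpm(8) and docker are on the path; an image name is passed as
# $1 when the docker probe is wanted; the version strings compared are the
# bare VERSION tag, without the "-2.el7_6" style release suffix.

MIN_CONTAINER_SELINUX=2.95

# version_ge A B: succeed when dotted version A >= B, compared component-wise
# as integers (missing trailing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# installed_container_selinux: print the package VERSION tag only (no release),
# or nothing if the package is not installed.
installed_container_selinux() {
    rpm -q --qf '%{VERSION}\n' container-selinux 2>/dev/null
}

# container_selinux_satisfies VERSION: apply the spec's new requirement to a
# version string; prints a verdict and returns 0 when it is satisfied.
container_selinux_satisfies() {
    v="$1"
    if [ -z "$v" ]; then
        echo "container-selinux: not installed"
        return 1
    fi
    if version_ge "$v" "$MIN_CONTAINER_SELINUX"; then
        echo "container-selinux $v >= $MIN_CONTAINER_SELINUX: ok"
        return 0
    fi
    echo "container-selinux $v < $MIN_CONTAINER_SELINUX: runc's write to /proc/self/attr/keycreate will be denied"
    return 1
}

# classify_runtime_error TEXT: map dockerd/runc error text to a short cause.
# The first pattern is the message quoted in the PR description.
classify_runtime_error() {
    case "$1" in
        *"keycreate: permission denied"*) echo keycreate-denied ;;
        *"permission denied"*)            echo other-permission-denied ;;
        *"OCI runtime create failed"*)    echo oci-runtime-failed ;;
        "")                               echo ok ;;
        *)                                echo unknown ;;
    esac
}

# probe_docker IMAGE: start a throwaway container and classify the outcome.
probe_docker() {
    out=$(docker run --rm "$1" true 2>&1)
    classify_runtime_error "$out"
}

# selinux_enabled: true when dockerd is configured with "selinux-enabled": true.
selinux_enabled() {
    grep -q '"selinux-enabled": *true' /etc/docker/daemon.json 2>/dev/null
}

main() {
    if selinux_enabled; then
        echo "dockerd: selinux-enabled=true"
    else
        echo "dockerd: selinux-enabled not set in /etc/docker/daemon.json"
    fi
    container_selinux_satisfies "$(installed_container_selinux)"
    if [ -n "$1" ]; then
        echo "docker probe with image $1: $(probe_docker "$1")"
    fi
}

# Only run the checks when invoked as a script under this name, so the
# functions can also be sourced.
case "$0" in
    *check-container-selinux*) main "$@" ;;
esac
```

Save as check-container-selinux.sh and run it as root; pass an image name (for example the one your UCP or test workload uses) to also run the container probe.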
@kolyshkin
Contributor Author

@thaJeztah @seemethere PTAL

@thaJeztah
Member

@clemenko could you double-check? I think there was a separate regression in that package (exposed ports being blocked) that required downgrading (or do versions > 2.95 work as well?)

@clemenko

container-selinux version 2.95 has an issue.

If you install UCP with --security-opt label=disable you get ports blocked.

[root@ddc-9594 ~]# cat /etc/docker/daemon.json |grep selinux
 "selinux-enabled": true, 
[root@ddc-9594 ~]# docker -v
Docker version 18.09.6, build 1578dcadd2
[root@ddc-9594 ~]# yum list | grep container-selinux
container-selinux.noarch                    2:2.95-2.el7_6             @extras  
[root@ddc-9594 ~]# docker run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock --security-opt label=disable docker/ucp:$ucp_ver install --admin-password $password --host-address $controller1 --san ucp.dockr.life --disable-usage --disable-tracking --force-minimums
time="2019-06-10T12:05:59Z" level=info msg="Your engine version 18.09.6, build 1578dca (3.10.0-957.12.2.el7.x86_64) is compatible with UCP 3.1.7 (359d7b8)"
time="2019-06-10T12:05:59Z" level=warning msg="Your system does not have enough memory.  UCP suggests a minimum of 4.00 GB, but you only have 3.88 GB.  You may have unexpected errors."
time="2019-06-10T12:06:39Z" level=fatal msg="the following required ports are blocked on your host: 179, 443, 2376, 6443, 6444, 10250, 12376, 12378 - 12386.  Check your firewall settings"

If you install without --security-opt label=disable then you get permission denied.

[root@ddc-9594 ~]# docker run --rm -i --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp:$ucp_ver install --admin-password $password --host-address $controller1 --san ucp.dockr.life --disable-usage --disable-tracking --force-minimums
standard_init_linux.go:207: exec user process caused "permission denied"

The current fix is yum downgrade -y container-selinux-2.74-1.el7 and install without --security-opt label=disable.

@kolyshkin
Contributor Author

OK this does not seem to be the fix. To my best understanding, the fix belongs to the kernel (see https://bugzilla.redhat.com/show_bug.cgi?id=1719067), and the workaround belongs to runc (see opencontainers/runc#2070)

@kolyshkin kolyshkin closed this Jun 11, 2019


3 participants