
Bug 1378822

Summary: container image create fails with "permission denied" due to docker selinux configuration
Product: Red Hat Enterprise Linux 7
Component: docker
Version: 7.2
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Extras
Whiteboard: container
Reporter: Dafna Ron <dron>
Assignee: Daniel Walsh <dwalsh>
QA Contact: atomic-bugs <atomic-bugs>
CC: amurdaca, lsm5
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-09-23 12:44:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Dafna Ron 2016-09-23 10:36:21 UTC
Description of problem:

I was trying to create a docker image from a git repo and was getting permission denied. 
After looking at the logs I determined it may be caused by selinux and disabled it and indeed the issue was resolved. 

Version-Release number of selected component (if applicable):
[root@localhost ~]# rpm -qa |grep docker
docker-1.10.3-46.el7.14.x86_64
docker-common-1.10.3-46.el7.14.x86_64
docker-rhel-push-plugin-1.10.3-46.el7.14.x86_64
docker-selinux-1.10.3-46.el7.14.x86_64


How reproducible:

100%

Steps to Reproduce:
1. Install a rhel7 vm and subscribe to these channels: rhel-7-server-rpms, rhel-7-server-extras-rpms 
2. yum update -y ; reboot; yum install docker
3. systemctl start docker.service
4. groupadd docker; chown root:docker /var/run/docker.sock
5. useradd <username>  
6. usermod -G docker <user>
7. systemctl restart docker.service
8. add your user to sudoer and make it passwordless
9. su - <my_user>;  ssh-keygen -t rsa -b 4096 -C <your_email>@redhat.com
10. add key to github
11. git clone https://github.com/ManageIQ/manageiq
12. git checkout origin/master
13. docker build -t <name of Image> <location> . 

**make sure selinux is in enforcing mode**
** the full pod create procedure I am using is in Mojo: https://mojo.redhat.com/docs/DOC-1088558**

Actual results:

We fail with a permission denied error due to selinux configuration.
If you run setenforce 0 and run docker build again, you should be able to create the image.

Expected results:

selinux should not block docker build. 


Additional info:


Dependencies Resolved

====================================================================================================
 Package                   Arch     Version                    Repository                   Size
====================================================================================================
Installing:
 docker                    x86_64   1.10.3-46.el7.14           rhel-7-server-extras-rpms   9.5 M
Installing for dependencies:
 audit-libs-python         x86_64   2.6.5-3.el7                rhel-7-server-htb-rpms       70 k
 checkpolicy               x86_64   2.5-4.el7                  rhel-7-server-htb-rpms      290 k
 docker-common             x86_64   1.10.3-46.el7.14           rhel-7-server-extras-rpms    61 k
 docker-rhel-push-plugin   x86_64   1.10.3-46.el7.14           rhel-7-server-extras-rpms   2.3 M
 docker-selinux            x86_64   1.10.3-46.el7.14           rhel-7-server-extras-rpms    79 k
 libseccomp                x86_64   2.3.1-2.el7                rhel-7-server-htb-rpms       56 k
 libsemanage-python        x86_64   2.5-4.el7                  rhel-7-server-htb-rpms      103 k
 oci-register-machine      x86_64   1:0-1.8.gitaf6c129.el7     rhel-7-server-extras-rpms   1.1 M
 oci-systemd-hook          x86_64   1:0.1.4-4.git41491a3.el7   rhel-7-server-extras-rpms    27 k
 policycoreutils-python    x86_64   2.5-8.el7                  rhel-7-server-htb-rpms      444 k
 python-IPy                noarch   0.75-6.el7                 rhel-7-server-aus-rpms       32 k
 setools-libs              x86_64   3.3.8-1.1.el7              rhel-7-server-htb-rpms      610 k


============================================================================


[dron1@localhost manageiq]$ docker build -t dafna_origin_docker_test1 .
Sending build context to Docker daemon 282.6 MB
Step 1 : FROM centos:7
 ---> 980e0e4c79ec
Step 2 : ENV container docker
 ---> Using cache
 ---> 734af3fd2567
Step 3 : MAINTAINER ManageIQ https://github.com/ManageIQ/manageiq-appliance-build
 ---> Using cache
 ---> 0479871e035b
Step 4 : ARG REF=master
 ---> Using cache
 ---> 16e74a86642d
Step 5 : ENV LANG en_US.UTF-8
 ---> Using cache
 ---> 50f45e6dea81
Step 6 : ENV TERM xterm
 ---> Using cache
 ---> ac1987df3c51
Step 7 : ENV RUBY_GEMS_ROOT /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0
 ---> Using cache
 ---> bc102bd0cc5a
Step 8 : ENV APP_ROOT /var/www/miq/vmdb
 ---> Using cache
 ---> b6fb3872a1ff
Step 9 : ENV APPLIANCE_ROOT /opt/manageiq/manageiq-appliance
 ---> Using cache
 ---> 33154cea5ec3
Step 10 : ENV SSUI_ROOT /opt/manageiq/manageiq-ui-self_service
 ---> Using cache
 ---> 996973459dd8
Step 11 : RUN curl -sSLko /etc/yum.repos.d/ncarboni-pglogical-SCL-epel-7.repo       https://copr.fedorainfracloud.org/coprs/ncarboni/pglogical-SCL/repo/epel-7/ncarboni-pglogical-SCL-epel-7.repo
 ---> Running in 5962aead1ec8
permission denied
Container command could not be invoked.
[dron1@localhost manageiq]$ sudo ausearch -m avc -ts recent 
----
time->Fri Sep 23 13:33:36 2016
type=SYSCALL msg=audit(1474626816.719:156): arch=c000003e syscall=59 success=no exit=-13 a0=c820595000 a1=c820577300 a2=c8200533e0 a3=0 items=0 ppid=11559 pid=12891 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1474626816.719:156): avc:  denied  { transition } for  pid=12891 comm="exe" path="/usr/bin/bash" dev="dm-3" ino=14680218 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c111,c453 tclass=process
----
time->Fri Sep 23 13:35:02 2016
type=SYSCALL msg=audit(1474626902.282:169): arch=c000003e syscall=59 success=no exit=-13 a0=c820630620 a1=c820664600 a2=c8206bb920 a3=0 items=0 ppid=11559 pid=13009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1474626902.282:169): avc:  denied  { transition } for  pid=13009 comm="exe" path="/usr/bin/bash" dev="dm-3" ino=14680218 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c77,c796 tclass=process
[dron1@localhost manageiq]$

Comment 1 Daniel Walsh 2016-09-23 12:44:17 UTC
You need to update to the rhel7.3 selinux-policy package and reinstall docker-selinux, I believe. The problem you are seeing is that docker and docker-current are labeled incorrectly.
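
The denials in the description can be triaged mechanically. The following is an added example, not part of the original report or of any Red Hat tooling: it joins the AVC and SYSCALL records from `ausearch` output by audit event id and flags denied process transitions whose source domain is `unconfined_service_t`, the pattern consistent with the mislabelled binaries named in Comment 1. The function names are hypothetical and the sample is abridged from the report's output.

```python
import re

# Constructed sample: the first SYSCALL/AVC pair from the report's ausearch
# output, with the SYSCALL record shortened to the fields this parser reads.
SAMPLE = """\
type=SYSCALL msg=audit(1474626816.719:156): arch=c000003e syscall=59 success=no exit=-13 pid=12891 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1474626816.719:156): avc:  denied  { transition } for  pid=12891 comm="exe" path="/usr/bin/bash" dev="dm-3" ino=14680218 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c111,c453 tclass=process
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def domain(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_denials(text):
    """Join AVC and SYSCALL records that share an audit event id."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {})
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        perms = PERMS.search(line)
        if line.startswith("type=AVC") and perms:
            ev["perms"] = perms.group(1).split()
            ev["source"] = domain(fields["scontext"])
            ev["target"] = domain(fields["tcontext"])
            ev["tclass"] = fields["tclass"]
        elif line.startswith("type=SYSCALL"):
            ev["exe"] = fields.get("exe")
    return [e for e in events.values() if "perms" in e]

def mislabel_suspects(denials):
    """Denied process transitions requested from unconfined_service_t: the
    service never entered its own confined domain (assumed cause: its
    executable's file label did not trigger a domain transition)."""
    return [d for d in denials
            if d["tclass"] == "process" and "transition" in d["perms"]
            and d["source"] == "unconfined_service_t"]

if __name__ == "__main__":
    for d in mislabel_suspects(parse_denials(SAMPLE)):
        print(f'{d.get("exe")}: {d["source"]} -> {d["target"]} denied; '
              "check the executable's label with ls -Z")
```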