Bug 1400333

The issue is with the context not set on both /usr/bin/docker-current and /usr/bin/docker-latest. The rpm postinstall script [1] in doing a restorecon and leaving out both /usr/bin/docker-current and /usr/bin/docker-latest, which the files end up keeping the default context for files in /usr/bin.

So to fix this bug we should run restorecon on /usr/bin/docker-current and /usr/bin/docker-latest. 



[1] 
[root@master-1 ~]# rpm -ql docker-selinux-1.10.3-57.el7.x86_64
/usr/share/selinux/packages/docker.pp.bz2

[root@master-1 ~]# rpm -qc docker-selinux-1.10.3-57.el7.x86_64  --scripts
postinstall scriptlet (using /bin/sh):
# Install all modules in a single transaction
export MODULES=""; for x in docker; do MODULES+=/usr/share/selinux/packages/$x.pp.bz2; MODULES+=" "; done;
/usr/sbin/semodule -n --priority=200 -s targeted -i $MODULES > /dev/null
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    /usr/sbin/restorecon -R /usr/bin/docker /var/run/docker.sock /var/run/docker.pid /etc/docker /var/log/docker /var/log/lxc /var/lock/lxc /usr/lib/systemd/system/docker.service /etc/docker &> /dev/null || :
    if [ $1 -eq 1 ]; then
    restorecon -R /var/lib/docker &> /dev/null || :
    fi
fi
postuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then
/usr/sbin/semodule -n -r docker &> /dev/null || :
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
/usr/sbin/restorecon -R /usr/bin/docker /var/run/docker.sock /var/run/docker.pid /etc/docker /var/log/docker /var/log/lxc /var/lock/lxc /usr/lib/systemd/system/docker.service /etc/docker &> /dev/null || :
fi
fi

Copying my comment from the original just in case:

I'm seeing OCP 3.3 installation on RHEL 7.3 with packages of 2017-01-12 failing due to this.

For some reason I can't reopen this BZ, this definitely should be reopened.

[root@infra01 ~]# yum reinstall docker-selinux
Loaded plugins: priorities, product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package docker-selinux.x86_64 0:1.10.3-57.el7 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch       Version           Repository                Size
================================================================================
Reinstalling:
 docker-selinux     x86_64     1.10.3-57.el7     rhel-7-extras-rpms        79 k

Transaction Summary
================================================================================
Reinstall  1 Package

Total download size: 79 k
Installed size: 27 k
Is this ok [y/d/N]: y
Downloading packages:
docker-selinux-1.10.3-57.el7.x86_64.rpm                    |  79 kB   00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : docker-selinux-1.10.3-57.el7.x86_64                          1/1 
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/200/docker/cil:1
/usr/sbin/semodule:  Failed!
  Verifying  : docker-selinux-1.10.3-57.el7.x86_64                          1/1 

Installed:
  docker-selinux.x86_64 0:1.10.3-57.el7                                         

Complete!
[root@infra01 ~]# rpm -q docker-selinux selinux-policy
docker-selinux-1.10.3-57.el7.x86_64
selinux-policy-3.13.1-102.el7_3.7.noarch
[root@infra01 ~]# restorecon -v /usr/bin/docker-current
[root@infra01 ~]# matchpathcon /usr/bin/docker-current 
/usr/bin/docker-current	system_u:object_r:bin_t:s0
[root@infra01 ~]# ls -lZ /usr/bin/docker-current
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/docker-current
[root@infra01 ~]# docker run -it test
docker: Error response from daemon: Cannot start container 8f3718c4e282e36ce234749adbea8c2ed2054267a8775f663019cd84cfd0ff68: [9] System error: exit status 1.
[root@infra01 ~]# 

Thanks.

On an OpenShift infra node I also see:

[root@infra01 ~]# yum remove docker\*
Loaded plugins: priorities, product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.10.3-59.el7 will be erased
---> Package docker-common.x86_64 2:1.10.3-59.el7 will be erased
---> Package docker-rhel-push-plugin.x86_64 2:1.10.3-59.el7 will be erased
---> Package docker-selinux.x86_64 0:1.10.3-57.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch    Version          Repository              Size
================================================================================
Removing:
 docker                   x86_64  2:1.10.3-59.el7  @rhel-7-extras-rpms     55 M
 docker-common            x86_64  2:1.10.3-59.el7  @rhel-7-extras-rpms    3.0 k
 docker-rhel-push-plugin  x86_64  2:1.10.3-59.el7  @rhel-7-extras-rpms    9.6 M
 docker-selinux           x86_64  1.10.3-57.el7    @rhel-7-extras-rpms     27 k

Transaction Summary
================================================================================
Remove  4 Packages

Installed size: 64 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : 2:docker-1.10.3-59.el7.x86_64                                1/4 
  Erasing    : 2:docker-common-1.10.3-59.el7.x86_64                         2/4 
  Erasing    : docker-selinux-1.10.3-57.el7.x86_64                          3/4 
  Erasing    : 2:docker-rhel-push-plugin-1.10.3-59.el7.x86_64               4/4 
  Verifying  : 2:docker-1.10.3-59.el7.x86_64                                1/4 
  Verifying  : 2:docker-common-1.10.3-59.el7.x86_64                         2/4 
  Verifying  : docker-selinux-1.10.3-57.el7.x86_64                          3/4 
  Verifying  : 2:docker-rhel-push-plugin-1.10.3-59.el7.x86_64               4/4 

Removed:
  docker.x86_64 2:1.10.3-59.el7                                                 
  docker-common.x86_64 2:1.10.3-59.el7                                          
  docker-rhel-push-plugin.x86_64 2:1.10.3-59.el7                                
  docker-selinux.x86_64 0:1.10.3-57.el7                                         

Complete!
[root@infra01 ~]# restorecon -R / > /dev/null 2>&1
[root@infra01 ~]# yum install docker docker-selinux
Loaded plugins: priorities, product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.10.3-59.el7 will be installed
--> Processing Dependency: docker-common = 2:1.10.3-59.el7 for package: 2:docker-1.10.3-59.el7.x86_64
--> Processing Dependency: docker-rhel-push-plugin = 2:1.10.3-59.el7 for package: 2:docker-1.10.3-59.el7.x86_64
---> Package docker-selinux.x86_64 0:1.10.3-57.el7 will be installed
--> Running transaction check
---> Package docker-common.x86_64 2:1.10.3-59.el7 will be installed
---> Package docker-rhel-push-plugin.x86_64 2:1.10.3-59.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch    Version           Repository             Size
================================================================================
Installing:
 docker                   x86_64  2:1.10.3-59.el7   rhel-7-extras-rpms     12 M
 docker-selinux           x86_64  1.10.3-57.el7     rhel-7-extras-rpms     79 k
Installing for dependencies:
 docker-common            x86_64  2:1.10.3-59.el7   rhel-7-extras-rpms     63 k
 docker-rhel-push-plugin  x86_64  2:1.10.3-59.el7   rhel-7-extras-rpms    2.3 M

Transaction Summary
================================================================================
Install  2 Packages (+2 Dependent packages)

Total download size: 14 M
Installed size: 64 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): docker-common-1.10.3-59.el7.x86_64.rpm              |  63 kB   00:00     
(2/4): docker-rhel-push-plugin-1.10.3-59.el7.x86_64.rpm    | 2.3 MB   00:02     
(3/4): docker-selinux-1.10.3-57.el7.x86_64.rpm             |  79 kB   00:00     
(4/4): docker-1.10.3-59.el7.x86_64.rpm                     |  12 MB   00:13     
--------------------------------------------------------------------------------
Total                                              1.0 MB/s |  14 MB  00:13     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:docker-rhel-push-plugin-1.10.3-59.el7.x86_64               1/4 
  Installing : 2:docker-common-1.10.3-59.el7.x86_64                         2/4 
  Installing : 2:docker-1.10.3-59.el7.x86_64                                3/4 
  Installing : docker-selinux-1.10.3-57.el7.x86_64                          4/4 
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/200/docker/cil:1
/usr/sbin/semodule:  Failed!
  Verifying  : 2:docker-1.10.3-59.el7.x86_64                                1/4 
  Verifying  : 2:docker-common-1.10.3-59.el7.x86_64                         2/4 
  Verifying  : docker-selinux-1.10.3-57.el7.x86_64                          3/4 
  Verifying  : 2:docker-rhel-push-plugin-1.10.3-59.el7.x86_64               4/4 

Installed:
  docker.x86_64 2:1.10.3-59.el7      docker-selinux.x86_64 0:1.10.3-57.el7     

Dependency Installed:
  docker-common.x86_64 2:1.10.3-59.el7                                          
  docker-rhel-push-plugin.x86_64 2:1.10.3-59.el7                                

Complete!
[root@infra01 ~]# 

Thanks.

Please disregard comment 4.

As discussed over bug 1358819, docker-selinux should not be used anymore, container-selinux is the new package. However, with it there is still at least one problem which is being tracked in:

https://bugzilla.redhat.com/show_bug.cgi?id=1412803

Thanks.

FWIW, I'm not seeing any related issues with latest OCP 3.4 containerized installation using:

container-selinux-2.9-4.el7.noarch
docker-1.12.6-11.el7.x86_64
selinux-policy-3.13.1-102.el7_3.16.noarch

Thanks.

This is fixed in the current release.