Bug 1557893
Summary: | SELinux is preventing docker from 'connectto' accesses on the unix_stream_socket /run/docker.sock. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Yaniv Kaul <ykaul> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 27 | CC: | dwalsh, lvrabec, mgrepl, pasik, plautrba, pmoore |
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:70f2bfa2dd7889442f9474c6c993fbbb3cb8a3a5e4e02703915d1ffe309e853f;VARIANT_ID=workstation; | ||
Last Closed: | 2018-03-19 10:01:24 UTC | Type: | --- |
Description
Yaniv Kaul
2018-03-19 08:14:48 UTC
You do know this is a serious security issue. Giving a container access to the docker socket means you are giving it full root on your system. So SELinux is doing its job. If you need to give a container full access to the system, then run it as a --privileged container or disable SELinux separation for the container.

docker run --security-opt label:disable ...
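An added example, not part of the bug report or of Docker's own code: a small audit over `docker inspect` output that lists containers which have the docker socket mounted, run privileged, or have SELinux label separation disabled, the three conditions the comment above refers to. The container names and the JSON sample are constructed; the field names (`HostConfig.Privileged`, `HostConfig.SecurityOpt`, `HostConfig.Binds`, `Mounts`) are the ones `docker inspect` emits.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from the bug report).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/ci-agent",
  "HostConfig": {"Privileged": false, "SecurityOpt": null,
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]},
 {"Name": "/builder",
  "HostConfig": {"Privileged": false, "SecurityOpt": ["label=disable"], "Binds": null},
  "Mounts": []},
 {"Name": "/web",
  "HostConfig": {"Privileged": false, "SecurityOpt": null, "Binds": ["/srv/www:/var/www:ro"]},
  "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/var/www"}]},
 {"Name": "/debug",
  "HostConfig": {"Privileged": true, "SecurityOpt": ["label:disable"],
                 "Binds": ["/run/docker.sock:/run/docker.sock"]},
  "Mounts": [{"Type": "bind", "Source": "/run/docker.sock", "Destination": "/run/docker.sock"}]}
]
""")

# /var/run is a symlink to /run on Fedora, so both paths name the same socket.
DOCKER_SOCKETS = {"/run/docker.sock", "/var/run/docker.sock"}

def audit_container(c):
    """Return the sorted list of findings for one `docker inspect` entry."""
    host = c.get("HostConfig") or {}
    findings = set()
    sources = {m.get("Source") for m in c.get("Mounts") or []}
    sources |= {b.split(":", 1)[0] for b in host.get("Binds") or []}
    if sources & DOCKER_SOCKETS:
        findings.add("docker-socket-mounted")
    if host.get("Privileged"):
        findings.add("privileged")
    # The page uses the older "label:disable" spelling; Docker documents "label=disable".
    for opt in host.get("SecurityOpt") or []:
        if opt.replace(":", "=", 1) == "label=disable":
            findings.add("selinux-label-disabled")
    return sorted(findings)

def audit(containers):
    """Map container name -> findings, keeping only containers with at least one."""
    report = {c["Name"].lstrip("/"): audit_container(c) for c in containers}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host, feed it the parsed output of `docker inspect $(docker ps -q)` instead of the sample.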