Description of problem:
I was trying to use docker while in the staff_t role. Docker uses a socket in /var/run that can be accessed by users to interact with the daemon. Using a restricted user, I cannot access docker at all, even in staff_t.

SELinux is preventing /usr/bin/docker from 'write' accesses on the sock_file docker.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you think docker should be allowed write access on the docker.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep docker /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                docker.sock [ sock_file ]
Source                        docker
Source Path                   /usr/bin/docker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           docker-io-0.7.2-2.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue Dec 17 20:42:32 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-12-24 23:02:27 CET
Last Seen                     2013-12-24 23:04:12 CET
Local ID                      c29ba1dd-230e-48bf-9982-c61ffbf707d2

Raw Audit Messages
type=AVC msg=audit(1387922652.646:620): avc:  denied  { write } for  pid=5092 comm="docker" name="docker.sock" dev="tmpfs" ino=48977 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1387922652.646:620): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=c2001af090 a2=17 a3=0 items=0 ppid=4836 pid=5092 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=1 tty=pts4 comm=docker exe=/usr/bin/docker subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: docker,staff_t,var_run_t,sock_file,write

Additional info:
reporter:       libreport-2.1.10
hashmarkername: setroubleshoot
kernel:         3.12.5-302.fc20.x86_64
type:           libreport
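To show what the suggested `grep docker /var/log/audit/audit.log | audit2allow -M mypol` step would actually produce from this denial, here is an added example (written for this page; it is not part of the bug report and not the audit2allow or setroubleshoot code). It parses type=AVC records into the allow rule and the .te module source, and pairs each denial with the matching type=SYSCALL record's success flag. The sample log is constructed from the audit lines quoted above plus one assumed extra read denial so the merging of permissions into one rule is visible; the regular expressions are a simplification of what audit2allow does, not its implementation. Two things worth checking before installing such a module: the generated rule targets var_run_t, the generic label of /var/run, so it allows staff_t to write to every sock_file carrying that label, not only docker.sock; and this host was in Permissive mode, so the SYSCALL record shows success=yes, meaning the denial was only logged and the connect() still went through.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records quoted in the report,
# plus one extra 'read' denial (assumed, not from the report) so that the merge
# of several permissions into a single rule is visible.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1387922652.646:620): avc:  denied  { write } for  pid=5092 comm="docker" name="docker.sock" dev="tmpfs" ino=48977 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1387922652.646:620): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=c2001af090 a2=17 a3=0 items=0 ppid=4836 pid=5092 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=1 tty=pts4 comm=docker exe=/usr/bin/docker subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1387922653.100:621): avc:  denied  { read } for  pid=5092 comm="docker" name="docker.sock" dev="tmpfs" ino=48977 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

# Simplified parsing of the fields audit2allow needs; not audit2allow's own code.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<serial>[\d.]+:\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<serial>[\d.]+:\d+)\):.*?\bsuccess=(?P<success>yes|no)\b"
)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Extract (serial, source_type, target_type, tclass, perms) from AVC records."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL, PATH and other record types carry no denial fields
            denials.append((m.group("serial"),
                            context_type(m.group("scontext")),
                            context_type(m.group("tcontext")),
                            m.group("tclass"),
                            frozenset(m.group("perms").split())))
    return denials


def syscall_results(log_text):
    """Map audit serial -> success flag of the SYSCALL record with that serial."""
    return {m.group("serial"): m.group("success")
            for m in (SYSCALL_RE.search(l) for l in log_text.splitlines()) if m}


def merge_denials(log_text):
    """Collapse denials into one permission set per (source, target, class)."""
    merged = defaultdict(set)
    for _serial, src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def format_rule(src, tgt, cls, perms):
    """Render one TE allow rule."""
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def allow_rules(log_text):
    """The allow rules audit2allow would print for this log, in sorted order."""
    return [format_rule(*key, perms) for key, perms in sorted(merge_denials(log_text).items())]


def policy_module(name, log_text):
    """Render .te source in the shape produced by 'audit2allow -M name'."""
    merged = merge_denials(log_text)
    types = sorted({t for (src, tgt, _cls) in merged for t in (src, tgt)})
    class_perms = defaultdict(set)
    for (_src, _tgt, cls), perms in merged.items():
        class_perms[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};"
              for cls, p in sorted(class_perms.items())]
    lines += ["}", ""]
    lines += [format_rule(*key, perms) for key, perms in sorted(merged.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("mypol", SAMPLE_AUDIT_LOG))
    results = syscall_results(SAMPLE_AUDIT_LOG)
    for serial, src, tgt, cls, perms in parse_denials(SAMPLE_AUDIT_LOG):
        if results.get(serial) == "yes":
            # Denial logged but the syscall completed: the host is in permissive
            # mode. In enforcing mode connect() would fail with permission denied.
            print(f"# note: denial {serial} ({src} -> {tgt}:{cls}) was logged but the "
                  f"syscall succeeded (permissive mode)")
```

Review the rule the script prints before running `semodule -i`; the target type here comes from the generic var_run_t label, so the rule is wider than the single socket that triggered the alert.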
Well, considering you would have gotten "2014/01/06 13:31:48 dial unix /var/run/docker.sock: permission denied", probably not that big of a deal. We are working on policy for docker in Rawhide.
Possibly related, under RHEL 7 RC with docker 0.11:

[root@rhel7rc test]# docker run -v /var/run/docker.sock:/root/test/docker.sock -i -t -p 8080 fedora /bin/bash
bash-4.2# cd /root/test
bash-4.2# ls -l
ls: cannot access docker.sock: Permission denied
total 0
-????????? ? ? ? ? ?            docker.sock
bash-4.2#
Yes, this access should be blocked. If you want to control docker from a container, you need to use a privileged container. Then it would not be contained...
Right, typo on the command line: --privileged=true got left off somehow. Downside of command-line editing :-(