After upgrading to kernel 3.15 (kernel-3.15.5-200.fc20.x86_64), many operations inside of docker containers now fail reliably. For example:

    $ docker run -ti fedora /bin/bash
    bash-4.2# su -c 'uptime'
    su: System error
    bash-4.2# runuser -c uptime
    runuser: System error

If I attach something to /dev/log in the container, I see that "su" is logging the following message:

    Jul 19 14:31:18 su: PAM audit_log_acct_message() failed: Operation not permitted

If I reboot back into kernel 3.14 (kernel-3.14.9-200.fc20.x86_64), this problem goes away.
This behavior appears to have been introduced by kernel commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb (https://github.com/torvalds/linux/commits/33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb). From v3.15, running 'git revert 33faba7' and dealing with the resulting conflicts results in a build that operates correctly. I haven't actually taken a close look at what the code does or why it actually fails.
Specifically, this check is failing in kernel/audit.c, in audit_netlink_ok():

    case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
        if (!netlink_capable(skb, CAP_AUDIT_WRITE))
            err = -EPERM;
        break;
I should clarify that this manifests using Docker package docker-io-0:1.0.0-6.fc20.x86_64 (as well as docker-io-1.0.0-7.fc22.x86_64).
*** This bug has been marked as a duplicate of bug 1119849 ***