Description of problem:
On Fedora-atomic 22.28, when trying to execute a command in a Docker container, SELinux denies "docker exec" permission to open a pseudo terminal.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
# docker exec -ti registry bash

Actual results:
After executing the above command the following events are logged in the journal:

Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/containers/registry/exec"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execCreate(registry)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job log(exec_create: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job log(exec_create: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job execCreate(registry) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/exec/4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca/start"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execStart(4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job log(exec_start: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="-job log(exec_start: bash , 7f5b883483c956aa9af4a79bea1fbe5d3beb55cad08d2629789739e4001a3534, docker.io/registry:2.0) = OK (0)"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="POST /v1.18/exec/4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca/resize?h=44&w=171"
Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execResize(4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca, 44, 171)"
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
Jun 08 11:48:15 atomic.local docker[850]: bad file descriptor

Expected results:
-bash-4.3# docker exec -ti registry bash
root@registry:/go/src/github.com/docker/distribution#

Additional info:
When trying to enter the namespace of the container using nsenter I do not encounter any issues. Also, I can enter the container with "docker exec" after switching to SELinux Permissive mode.
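The AVC records above carry everything needed to triage the denial: the source domain (svirt_lxc_net_t, the container), the target type (docker_devpts_t, the pty), the object class and the permissions asked for. The following is an added example, not part of the bug report or of any Fedora/Docker tooling: a small Python parser that pulls those fields out of journal lines and collapses repeated denials into one summary per (source type, target type, class, permissions), the grouping one would check before touching policy. The sample lines are copied from the report above; the journal prefix format is assumed to be as shown there.

```python
import re
from collections import Counter

# Two docker log lines and two of the four identical AVC records from the report.
SAMPLE_LINES = [
    'Jun 08 11:48:15 atomic.local docker[850]: time="2015-06-08T11:48:15+03:00" level=info msg="+job execResize(4486878987a06b5a047ae501cb83143be22c315adc3aa86f6ef9107692cea6ca, 44, 171)"',
    'Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0',
    'Jun 08 11:48:15 atomic.local audit[1829]: <audit-1400> avc: denied { read write } for pid=1829 comm="bash" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:svirt_lxc_net_t:s0:c92,c108 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0',
    'Jun 08 11:48:15 atomic.local docker[850]: bad file descriptor',
]

# "avc: denied { perms } for key=value ... permissive=N" is the kernel's AVC format.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+permissive=(?P<permissive>[01])"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values are bare or double-quoted


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "enforced": m.group("permissive") == "0",  # 0 means the access was blocked
    }


def summarize(lines):
    """Count denials per (source type, target type, class, perms, enforced)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # Drop user/role and the per-container MCS categories (s0:c92,c108) so
        # the same policy gap hit from different containers collapses to one key.
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        key = (stype, ttype, rec["tclass"], " ".join(rec["perms"]), rec["enforced"])
        counts[key] += 1
    return counts
```

Run against the full journal the summary shows a single gap, svirt_lxc_net_t -> docker_devpts_t chr_file { read write }, which matches the report's observation that the exec succeeds once the policy is no longer enforced.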
*** This bug has been marked as a duplicate of bug 1221379 ***