Description of problem: When I attempt to start a shell session in a running docker container (per http://stackoverflow.com/questions/17903705), SELinux prevents access. Version-Release number of selected component (if applicable): $ docker --version Docker version 1.6.0, build 9d26a07/1.6.0 How reproducible: 100% Steps to Reproduce: 1. Start an instance of the docker registry (per https://blog.docker.com/2013/07/how-to-use-your-own-registry/): $ docker run -p 5000:5000 -v ~/docker_reg:/tmp/registry-dev:z registry 2. Try to start a shell in that container: $ docker ps CONTAINER ID deadbeef... $ docker exec -it deadbeef /bin/bash Actual results: Command returns and does nothing. SELinux alert pops up informing of AVC denial (see error message below). Expected results: An interactive bash shell in the running container Additional info: If I leave off the -t (Allocate a pseudo-TTY), it works, but bash clearly doesn't know that I'm expecting an interactive shell - it's just reading from stdin. Here's the AVC denial message: SELinux is preventing bash from 'read, write' accesses on the chr_file /dev/pts/1. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that bash should be allowed read write access on the 1 chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep bash /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_lxc_net_t:s0:c248,c301 Target Context system_u:object_r:docker_devpts_t:s0 Target Objects /dev/pts/1 [ chr_file ] Source bash Source Path bash Port <Unknown> Host localhost Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-128.4.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name jreinhart-nuc Platform Linux jreinhart-nuc 4.0.7-300.fc22.x86_64 #1 SMP Mon Jun 29 22:15:06 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-07-14 19:16:29 EDT Last Seen 2015-07-14 19:16:29 EDT Local ID d1be5bc8-23ac-47a6-acc0-a7141a7df548 Raw Audit Messages type=AVC msg=audit(1436915789.524:2015): avc: denied { read write } for pid=32151 comm="bash" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:svirt_lxc_net_t:s0:c248,c301 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0 Hash: bash,svirt_lxc_net_t,docker_devpts_t,chr_file,read,write
Please update to docker-1.6.2 dnf -y update --enablerepo=updates-testing
I am seeing this exact bug with the latest releases: $ docker --version Docker version 1.8.2-fc22, build cb216be/1.8.2 Running postgres container, and I see: Dec 1 02:58:35 ksylvan-t420 python: SELinux is preventing /usr/lib/postgresql/9.4/bin/psql from 'read, write' accesses on the chr_file /dev/pts/1
Have you attempted to reinstall docker-selinux? yum reinstall docker-selinux
This is still an issue in F22, reinstall of docker-selinux fixes it. # rpm -q selinux-policy docker-selinux selinux-policy-3.13.1-128.28.fc22.noarch docker-selinux-1.8.2-7.gitcb216be.fc22.x86_64