Does this fix the problem?

dnf -y reinstall docker-selinux

(In reply to Daniel Walsh from comment #1)
> Does this fix the problem?
> 
> dnf -y reinstall docker-selinux


Seems to work:

```
[root@cloudhost ~]# dnf -y reinstall docker-selinux 
... 
...
Reinstalled:
  docker-selinux.x86_64 1:1.8.2-5.gitcb216be.fc23                               

Complete!
[root@cloudhost ~]# semodule -l | grep docker
docker
[root@cloudhost ~]# ls -lZ /usr/bin/docker   
-rwxr-xr-x. 1 root root system_u:object_r:docker_exec_t:s0 20707376 Sep 21 20:21 /usr/bin/docker
```

But I still get a weird error when trying to start docker:


```
[root@cloudhost ~]# systemctl start docker 
Failed to start docker.service: Access denied
[root@cloudhost ~]# journalctl | tail -n 2
Oct 11 14:42:38 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_unit_file_t:s0 tclass=service
                                                 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```


If I do a systemctl daemon-reexec then I am able to start docker just fine, which might be expected.

Yes this is a known issue.  My concern is how you got docker-selinux installed without a docker.pp being installed.

Can someone recreate this situation.  Did this happen on an initial install or an upgrade?

(In reply to Daniel Walsh from comment #3)
> Yes this is a known issue.  My concern is how you got docker-selinux
> installed without a docker.pp being installed.
> 
> Can someone recreate this situation.  Did this happen on an initial install
> or an upgrade?

This happened starting from the F23 beta cloud image. The steps to reproduce are in the original description. The pertinent information is in the "Version-Release number of selected component (if applicable):" and "Steps to Reproduce:" sections.

mgrepl: I don't understand why this got closed as NOTABUG with no explanation. If it is a known issue then please explain more and point a git commit or something that describes the resolution.

I apologize. The wrong bug number. Should be moved on docker-selinux.

Miroslav, I am not sure this is a docker-selinux bug.  Since dnf -y reinstall docker-selinux fixus the problem.

It seems to be an interaction between docker-selinux and the selinux-policy-targeted package that is causing the problem

Dusty do you have the anaconda.log in /root?  I wonder if docker-selinux is  being installed before selinux-policy-targeted?

(In reply to Daniel Walsh from comment #6)
> Miroslav, I am not sure this is a docker-selinux bug.  Since dnf -y
> reinstall docker-selinux fixus the problem.
> 
> It seems to be an interaction between docker-selinux and the
> selinux-policy-targeted package that is causing the problem
> 
> Dusty do you have the anaconda.log in /root?  I wonder if docker-selinux is 
> being installed before selinux-policy-targeted?

Since docker (including docker-selinux) gets installed by me after system bringup then the order is selinux-policy-targeted and then docker-selinux. If either of you would like to recreate the exact steps are in the description. You can download the cloud image and then simply run the exact steps that I have pasted and observe the behavior.

The only risk of something changing is if the version of docker gets newer before you try it. I just ran through the steps again and noticed something new which is probably a pretty big clue:

During the install:

```
  Installing  : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64            7/18 
[  209.073879] SELinux:  Class netlink_iscsi_socket not defined in policy.
[  209.074587] SELinux:  Class netlink_fib_lookup_socket not defined in policy.
[  209.075268] SELinux:  Class netlink_connector_socket not defined in policy.
[  209.075931] SELinux:  Class netlink_netfilter_socket not defined in policy.
[  209.076617] SELinux:  Class netlink_generic_socket not defined in policy.
[  209.077271] SELinux:  Class netlink_scsitransport_socket not defined in policy.
[  209.077970] SELinux:  Class netlink_rdma_socket not defined in policy.
[  209.078607] SELinux:  Class netlink_crypto_socket not defined in policy.
[  209.079269] SELinux:  Permission audit_read in class capability2 not defined in policy.
[  209.080037] SELinux:  Class binder not defined in policy.
[  209.080559] SELinux: the above unknown classes and permissions will be allowed
Failed to resolve allow statement at 757 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
Failed to resolve ast
/usr/sbin/semodule:  Failed!
restorecon:  lstat(/var/lib/docker) failed:  No such file or directory
warning: %post(docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64) scriptlet failed, exit status 255
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
```

I have a fix I just sent to Lokesh for the 

restorecon:  lstat(/var/lib/docker) failed:  No such file or directory

Issue, we need to add

package selinux
Require(Post) docker

To make sure docker is installed before the post install section of docker-selinux.

Created attachment 1082459 [details]
Patch to fix spec file for docker-selinux.

Miroslav any idea why semodule is failing?

docker.spec currently requires selinux-policy-base to be installed?

Ok it looks there is a bug in the docker policy if we see

Failed to resolve allow statement at 757 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
Failed to resolve ast
/usr/sbin/semodule:  Failed!

I don't see any issues on F24.

Lukas,
could you please check F23 if you are able to reproduce it?

Hi, 

[fedora@fedora ~]$ rpm -q selinux-policy
selinux-policy-3.13.1-151.fc23.noarch

[fedora@fedora ~]$ rpm -q --all | grep docker

[fedora@fedora ~]$ sudo semodule -l | grep docker

[fedora@fedora ~]$ sudo dnf install docker
...
...
...
Installed:
  device-mapper-event.x86_64 1.02.107-1.fc23                            device-mapper-event-libs.x86_64 1.02.107-1.fc23                    
  device-mapper-persistent-data.x86_64 0.5.5-1.fc23                     docker.x86_64 1:1.8.2-7.gitcb216be.fc23                            
  docker-selinux.x86_64 1:1.8.2-7.gitcb216be.fc23                       libaio.x86_64 0.3.110-5.fc23                                       
  lvm2.x86_64 2.02.130-1.fc23                                           lvm2-libs.x86_64 2.02.130-1.fc23                                   
  policycoreutils-python-utils.x86_64 2.4-14.fc23                       xfsprogs.x86_64 3.2.4-1.fc23 

[fedora@fedora ~]$ rpm -q --all | grep docker-selinux
docker-selinux-1.8.2-7.gitcb216be.fc23.x86_64
[fedora@fedora ~]$ sudo semodule -l | grep docker
docker

[fedora@fedora ~]$ ps -efZ  | grep docker
system_u:system_r:docker_t:s0   root     12498     1  0 09:56 ?        00:00:00 /usr/bin/docker daemon --selinux-enabled
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 fedora 12618 943  0 09:57 pts/0 00:00:00 grep --color=auto docker

[fedora@fedora ~]$ sudo ausearch -m AVC | grep docker 

I just see this during installation docker:
restorecon:  lstat(/var/lib/docker) failed:  No such file or directory
warning: %post(docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64) scriptlet failed, exit status 255
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux

But, I believe this problem is connected with refreshing cache in systemd (In f22 we using #systemctl daemon-reexec to fix it). Could you guys update libselinux packages and try to restart docker? 

Thank you!

The restorecon error is caused by docker-selinux not requiring docker for its post install.

This has been fixed in latest docker, but not sure if this has made its way into fedora 23 yet. Lokesh?

Lukas, according to the last comment this is fixed in docker-selinux so I am clearing needinfo flag.

All, There is no new version of docker (with fix) in F23 yet. This doesn't qualify as a blocker but would be nice to have in so that if people install docker on release day they don't get a failure.

Fixed in docker-1.9

A couple of questions/comments

- is this going to get fixed for 1.8?

- is 1.9 going to overtake 1.8 for f23? i.e will 1.8 never get released?

- for latest f23 images (since they disabled the updates-testing repo by default) I get docker 1.7, which means I no longer see an issue as long as I don't go grab 1.8 from updates-testing. This is fine as long as 1.8 never gets released to stable repos.

It should be fixed in docker-1.8.2 build, but I am not sure.  I am sure it is fixed in docker-1.9.  I believe docker-1.8.2 will get released pretty soon after f23 finally gets released.  I think it is being held up by the release.

(In reply to Daniel Walsh from comment #19)
> It should be fixed in docker-1.8.2 build, but I am not sure.  I am sure it
> is fixed in docker-1.9.  I believe docker-1.8.2 will get released pretty
> soon after f23 finally gets released.  I think it is being held up by the
> release.

Ok I think the selinux issue is fixed but I still see this with docker-selinux-1:1.8.2-9.gitbdb52b6.fc23.x86_64:

```
  Installing  : docker-selinux-1:1.8.2-9.gitbdb52b6.fc23.x86_64            9/10 
restorecon:  lstat(/var/lib/docker) failed:  No such file or directory
warning: %post(docker-selinux-1:1.8.2-9.gitbdb52b6.fc23.x86_64) scriptlet failed, exit status 255
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux
```

Was your fix you proposed in comment#8 applied?

Ok just confirmed on an F23 system. Now that 1.8.2-7.gitcb216be.fc23 has made it into the updates repo we get the POSTIN failure on docker install. This is what users will experience when installing docker for the first time on Fedora 23.

(In reply to Daniel Walsh from comment #15)
> The restorecon error is caused by docker-selinux not requiring docker for
> its post install.
> 
> This has been fixed in latest docker, but not sure if this has made its way
> into fedora 23 yet. Lokesh?

This has been included in 1.8.2-9

 git show f3edcb48486ccece8b544bab072ba04e5d8dfec7
commit f3edcb48486ccece8b544bab072ba04e5d8dfec7
Author: Dan Walsh <dwalsh>
Date:   Tue Oct 13 13:49:54 2015

    docker-selinux post requires docker to be installed
    
    <correct typo>
    Signed-off-by: Lokesh Mandvekar <lsm5>

diff --git a/docker.spec b/docker.spec
index aed5096..49becf9 100644
--- a/docker.spec
+++ b/docker.spec
@@ -308,10 +308,10 @@ Summary: SELinux policies for Docker
 BuildRequires: selinux-policy
 BuildRequires: selinux-policy-devel
 Requires(post): selinux-policy-base >= %{selinux_policyver}
-Requires(post): selinux-policy-targeted >= %{selinux_policyver}
 Requires(post): policycoreutils
 Requires(post): policycoreutils-python-utils
 Requires(post): libselinux-utils
+Requires(post): docker
 Provides: %{repo}-io-selinux

 %description selinux

Dan/Lukas, could you take another look at the docker-selinux scriptlet https://pkgs.fedoraproject.org/cgit/docker.git/tree/docker.spec?h=f23#n528

docker-1.8.2-10.git28c300f.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7e1a61e141

docker-1.8.2-10.git28c300f.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update docker'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7e1a61e141

docker-1.8.2-10.git28c300f.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.