Description of problem:
Docker cannot start a container. Here is an example with docker build, but any docker run would fail (using Dockerfiles from https://github.com/fedora-cloud/Fedora-Dockerfiles.git):

    $ sudo docker build --tag=fedora-django Fedora-Dockerfiles/Django
    Sending build context to Docker daemon 22.02 kB
    Step 0 : FROM fedora
     ---> 85f4e2af80d3
    Step 1 : MAINTAINER http://fedoraproject.org/wiki/Cloud
     ---> Using cache
     ---> d3c1da7dec81
    Step 2 : RUN dnf -y update && dnf clean all
     ---> Running in 961b29510a35
    [8] System error: permission denied

Here is a policy that can fix it:

    $ cat local.te
    module R 1.0;

    require {
        type unconfined_service_t;
        type svirt_lxc_net_t;
        class process transition;
    }

    #============= unconfined_service_t ==============
    #!!!! The file '/usr/bin/bash' is mislabeled on your system.
    #!!!! Fix with $ restorecon -R -v /usr/bin/bash
    allow unconfined_service_t svirt_lxc_net_t:process transition;

This is the log:

    $ sudo cat /var/log/audit/audit.log | grep bash
    type=AVC msg=audit(1445344855.353:762): avc: denied { transition } for pid=3099 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c396,c617 tclass=process permissive=0
    type=AVC msg=audit(1445344887.183:778): avc: denied { transition } for pid=3176 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c689,c723 tclass=process permissive=0
    type=AVC msg=audit(1445346035.993:847): avc: denied { transition } for pid=3330 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c913 tclass=process permissive=0

Actual results:
`docker run` command fails.

Expected results:
Docker works as expected with SELinux enabled and without having to create custom policy modules.
Additional info: I did find this in official Vagrant Fedora 23 box.
Something went wrong with your docker-selinux install.

    # yum reinstall docker-selinux
    # systemctl restart docker
    # ps -eZ | grep docker

Make sure docker is running as docker_t.
> Make sure docker is running as docker_t

Yes, this is an issue:

    $ ps -eZ | grep docker
    system_u:system_r:unconfined_service_t:s0 2010 ?        00:00:00 docker

Reinstalling docker-selinux does not help:

    $ sudo dnf reinstall docker-selinux
    Last metadata expiration check performed 0:05:17 ago on Wed Oct 21 10:17:20 2015.
    Dependencies resolved.
    ================================================================================================
     Package          Arch      Version                      Repository          Size
    ================================================================================================
    Reinstalling:
     docker-selinux   x86_64    1:1.8.2-7.gitcb216be.fc23    updates-testing     55 k

    Transaction Summary
    ================================================================================================

    Total download size: 55 k
    Is this ok [y/N]: y
    Downloading Packages:
    docker-selinux-1.8.2-7.gitcb216be.fc23.x86_64.rpm            243 kB/s |  55 kB     00:00
    ------------------------------------------------------------------------------------------------
    Total                                                         34 kB/s |  55 kB     00:01
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Reinstalling: docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                          1/2
    Failed to resolve allow statement at 757 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
    Failed to resolve ast
    /usr/sbin/semodule:  Failed!
      Erasing     : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                          2/2
      Verifying   : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                          1/2
      Verifying   : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64                          2/2

    Reinstalled:
      docker-selinux.x86_64 1:1.8.2-7.gitcb216be.fc23

    Complete!

Note the line stating "Failed to resolve allow statement at 757 of /var/lib/selinux/targeted"...
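The script below is an added example, not code from the original report, from Fedora or from the docker-selinux package. It parses the AVC records quoted in the bug description and applies the `ps -eZ` domain check suggested in the previous comment: denials are keyed on source domain, target type, class and permission, so the per-container MCS categories (c396,c617 / c689,c723 / c156,c913) collapse into a single rule-shaped line, and a daemon found in `unconfined_service_t` instead of `docker_t` is reported as the thing to fix before anyone ships the audit2allow rule from the description. The AVC lines are the ones from the report; the two `ps -eZ` listings are constructed from the output in this comment (broken) and from the expected state named in the previous comment (healthy). Function names such as `parse_avc` and `diagnose` are this example's own.

```python
"""Triage SELinux AVC denials and check a daemon's domain.

Added example (not part of the original report or of docker-selinux).
"""
import re
from collections import Counter

# The three AVC records quoted in the bug description.
AUDIT_LOG = """\
type=AVC msg=audit(1445344855.353:762): avc: denied { transition } for pid=3099 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c396,c617 tclass=process permissive=0
type=AVC msg=audit(1445344887.183:778): avc: denied { transition } for pid=3176 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c689,c723 tclass=process permissive=0
type=AVC msg=audit(1445346035.993:847): avc: denied { transition } for pid=3330 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=1835366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c156,c913 tclass=process permissive=0
"""

# Constructed ``ps -eZ`` listings: the broken state shown in this comment,
# and the state the previous comment says a healthy install should show.
PS_EZ_BROKEN = """\
LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:01 systemd
system_u:system_r:unconfined_service_t:s0 2010 ?        00:00:00 docker
"""
PS_EZ_OK = """\
LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:01 systemd
system_u:system_r:docker_t:s0            2010 ?        00:00:00 docker
"""

# Only "denied" AVC records match; "granted" records and USER_AVC are skipped.
_AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bpid=(?P<pid>\d+)'
    r'(?:.*?\bcomm="(?P<comm>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)


def selinux_type(context):
    """user:role:type[:sensitivity[:categories]] -> type."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % context)
    return parts[2]


def parse_avc(log_text):
    """Return one dict per AVC denial found in ``log_text``."""
    records = []
    for line in log_text.splitlines():
        m = _AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = tuple(rec["perms"].split())
        rec["sdomain"] = selinux_type(rec["scontext"])
        rec["ttype"] = selinux_type(rec["tcontext"])
        rec["enforced"] = rec["permissive"] != "1"
        records.append(rec)
    return records


def summarize(records):
    """Count denials by (source domain, target type, class, permission).

    Keying on the type rather than the full context drops the MCS
    categories, which differ per container, so repeats collapse into one.
    """
    counts = Counter()
    for rec in records:
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return dict(counts)


def process_domain(ps_ez_output, comm):
    """SELinux type of the process whose CMD column equals ``comm``, else None."""
    for line in ps_ez_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 5 and fields[-1] == comm:
            return selinux_type(fields[0])
    return None


def diagnose(records, ps_ez_output, daemon="docker", expected="docker_t"):
    """Findings: the daemon domain check first, then each unique denial."""
    findings = []
    actual = process_domain(ps_ez_output, daemon)
    if actual is None:
        findings.append("%s is not running" % daemon)
    elif actual != expected:
        findings.append(
            "%s runs as %s, expected %s: its policy module is missing or "
            "failed to load; reinstall/relabel rather than adding an allow rule"
            % (daemon, actual, expected))
    for (sdom, ttype, tclass, perm), n in sorted(summarize(records).items()):
        findings.append("%dx denied %s -> %s : %s { %s }"
                        % (n, sdom, ttype, tclass, perm))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_avc(AUDIT_LOG), PS_EZ_BROKEN):
        print(finding)
```

On a real host, replace `AUDIT_LOG` with the contents of `/var/log/audit/audit.log` (or `ausearch -m AVC` output) and the listing with live `ps -eZ` output; the domain check is the one to read first, since a denial whose source is `unconfined_service_t` for a daemon that has its own policy module points at a broken module load, not at a missing rule.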
Miroslav any ideas?
There needs to be a bug in the docker policy.
I don't see it on my F23 system. But I checked docker.cil and it is caused by

    (allow docker_t spc_t (netlink_iscsi_socket (relabelfrom relabelto)))

Josef, could you make sure you are up to date with the latest kernel and SELinux packages?
I ran 'dnf update' and it seems to be fixed. Thanks, closing.