Description of problem:
Can't start docker container, probably SELinux problem, it works after setenforce 0.

[root@localhost mustafa]# docker run -it fedora /bin/bash
permission denied
Error response from daemon: Cannot start container 1275b6195c770f5438a1799d1febf514d4cde3c52166821ff3116c67c376867b: [8] System error: permission denied
[root@localhost mustafa]# setenforce 0
[root@localhost mustafa]# docker run -it fedora /bin/bash
[root@dae8857e3aee /]#

Version-Release number of selected component (if applicable):
Fedora Rawhide
Docker 1.9.0-dev-fc24

How reproducible:
Always

Steps to Reproduce:
1. Run a docker container with SELinux enabled
2.
3.

Actual results:

Expected results:

Additional info:
#journalctl --since 11:05
-- Logs begin at Sun 2015-11-01 09:21:04 AST, end at Sun 2015-11-08 11:05:52 AST. --
Nov 08 11:05:47 localhost.localdomain docker[1067]: time="2015-11-08T11:05:47.372059236+03:00" level=info msg="POST /v1.21/containers/create"
Nov 08 11:05:47 localhost.localdomain kernel: EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
Nov 08 11:05:48 localhost.localdomain kernel: EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts:
Nov 08 11:05:48 localhost.localdomain docker[1067]: time="2015-11-08T11:05:48.697695333+03:00" level=info msg="POST /v1.21/containers/77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d/attach?stderr=1&stdin=1&stdout=1&stream=1"
Nov 08 11:05:48 localhost.localdomain docker[1067]: time="2015-11-08T11:05:48.698554598+03:00" level=info msg="POST /v1.21/containers/77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d/start"
Nov 08 11:05:48 localhost.localdomain kernel: EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts:
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn> (veth202eb4b): failed to find device 14 'veth202eb4b' with udev
Nov 08 11:05:48 localhost.localdomain audit: ANOM_PROMISCUOUS dev=veth5f6f428 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (veth202eb4b): new Veth device (carrier: OFF, driver: 'veth', ifindex: 14)
Nov 08 11:05:48 localhost.localdomain kernel: device veth5f6f428 entered promiscuous mode
Nov 08 11:05:48 localhost.localdomain kernel: IPv6: ADDRCONF(NETDEV_UP): veth5f6f428: link is not ready
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=filter family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=security family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=mangle family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=raw family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=nat family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=filter family=10 entries=0
Nov 08 11:05:48 localhost.localdomain systemd-udevd[2810]: Could not generate persistent MAC address for veth5f6f428: No such file or directory
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=security family=10 entries=0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn> (veth5f6f428): failed to find device 15 'veth5f6f428' with udev
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=mangle family=10 entries=0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (veth5f6f428): new Ethernet device (carrier: OFF, driver: 'veth', ifindex: 15)
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=raw family=10 entries=0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (docker0): bridge port veth5f6f428 was attached
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=nat family=10 entries=0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (veth5f6f428): enslaved to docker0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn> (veth202eb4b): failed to disable userspace IPv6LL address handling
Nov 08 11:05:48 localhost.localdomain kernel: eth0: renamed from veth202eb4b
Nov 08 11:05:48 localhost.localdomain kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth5f6f428: link becomes ready
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered forwarding state
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered forwarding state
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (veth5f6f428): link connected
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (docker0): link connected
Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 08 11:05:48 localhost.localdomain systemd[1]: Started docker container 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d.
Nov 08 11:05:48 localhost.localdomain audit[2823]: AVC avc: denied { transition } for pid=2823 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=262502 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c157,c353 tclass=process permissive=0
Nov 08 11:05:48 localhost.localdomain docker[1067]: time="2015-11-08T11:05:48.886007241+03:00" level=warning msg="exit status 1"
Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 08 11:05:48 localhost.localdomain systemd[1]: Stopped docker container 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d.
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered disabled state
Nov 08 11:05:48 localhost.localdomain kernel: veth202eb4b: renamed from eth0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (veth5f6f428): link disconnected
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn> (veth202eb4b): failed to find device 14 'veth202eb4b' with udev
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (veth202eb4b): new Veth device (carrier: OFF, driver: 'veth', ifindex: 14)
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (docker0): link disconnected (deferring action for 4 seconds)
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered disabled state
Nov 08 11:05:48 localhost.localdomain audit: ANOM_PROMISCUOUS dev=veth5f6f428 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
Nov 08 11:05:48 localhost.localdomain kernel: device veth5f6f428 left promiscuous mode
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered disabled state
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn> (veth202eb4b): failed to disable userspace IPv6LL address handling
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (docker0): bridge port veth5f6f428 was detached
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info> (veth5f6f428): released from master docker0
Nov 08 11:05:49 localhost.localdomain NetworkManager[942]: <warn> (veth5f6f428): failed to disable userspace IPv6LL address handling
Nov 08 11:05:49 localhost.localdomain docker[1067]: time="2015-11-08T11:05:49.422224062+03:00" level=error msg="Error unmounting device 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d: UnmountDevice: device not-mounted id 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d"
Nov 08 11:05:49 localhost.localdomain docker[1067]: time="2015-11-08T11:05:49.422442996+03:00" level=error msg="Handler for POST /containers/{name:.*}/start returned error: Cannot start container 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d: [8] System error: permission denied"
Nov 08 11:05:49 localhost.localdomain docker[1067]: time="2015-11-08T11:05:49.422467524+03:00" level=error msg="HTTP Error" err="Cannot start container 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d: [8] System error: permission denied" statusCode=500
Nov 08 11:05:52 localhost.localdomain NetworkManager[942]: <info> (docker0): link disconnected (calling deferred action)
Lokesh, this is caused by a bad docker-selinux being in rawhide. For some reason docker.fc was not in this build, so docker is not labeled as docker_exec_t. Please update the docker package with the latest fedora-1.9 docker selinux stuff.
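As an added example (not part of this bug report, and not code from the docker or docker-selinux projects), a small Python scanner that picks this bug's signature out of journal output: a "transition" denial on class "process" whose source domain is unconfined_service_t and whose target is a svirt_* container domain, which is what you get when the daemon binary has lost its docker_exec_t label. The sample log lines are constructed, modelled on the excerpt above.

```python
"""Spot the SELinux denial pattern from this report in journal output."""
import re

# Constructed sample lines, modelled on the journal excerpt in the report.
SAMPLE_LOG = """\
Nov 08 11:05:48 localhost.localdomain docker[1067]: time="2015-11-08T11:05:48.698554598+03:00" level=info msg="POST /v1.21/containers/77ea71de/start"
Nov 08 11:05:48 localhost.localdomain audit[2823]: AVC avc: denied { transition } for pid=2823 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=262502 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c157,c353 tclass=process permissive=0
Nov 08 11:06:02 localhost.localdomain audit[2901]: AVC avc: denied { write } for pid=2901 comm="bash" name="secret" dev="dm-1" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denied permissions plus the key=value fields of an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def domain(ctx):
    """SELinux type, the third field of a user:role:type[:range] context."""
    return ctx.split(':')[2]

def classify(rec):
    """'daemon_mislabeled' is this report's case: the docker daemon (and the helper it
    forks, comm="exe") runs as unconfined_service_t because /usr/bin/docker lacks its
    docker_exec_t label, so policy refuses the transition into the svirt_* container
    domain, a transition it allows from docker_t. Any other denial is 'other'."""
    if ('transition' in rec['perms'] and rec.get('tclass') == 'process'
            and domain(rec['scontext']) == 'unconfined_service_t'
            and domain(rec['tcontext']).startswith('svirt_')):
        return 'daemon_mislabeled'
    return 'other'

def scan(log_text):
    """Classify every AVC denial; returns [(pid, enforcing, verdict), ...]."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            out.append((int(rec['pid']), rec.get('permissive') == '0', classify(rec)))
    return out

if __name__ == '__main__':
    for pid, enforcing, verdict in scan(SAMPLE_LOG):
        print(pid, 'enforcing' if enforcing else 'permissive', verdict)
```

When this fires on a real host, check the binary's label with ls -Z /usr/bin/docker (it should be docker_exec_t) and fix it with restorecon or an updated docker-selinux; setenforce 0 only hides the denial.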
Fixed in the current release