Bug 1279155 - Can't start docker container, probably SELinux problem
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: docker
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-11-08 03:08 EST by Mustafa Muhammad
Modified: 2015-12-01 16:57 EST
CC: 9 users
Doc Type: Bug Fix
Last Closed: 2015-12-01 16:57:52 EST
Type: Bug
Description Mustafa Muhammad 2015-11-08 03:08:29 EST
Description of problem:
Can't start a docker container, probably an SELinux problem; it works after setenforce 0.

[root@localhost mustafa]# docker run -it fedora /bin/bash
permission denied
Error response from daemon: Cannot start container 1275b6195c770f5438a1799d1febf514d4cde3c52166821ff3116c67c376867b: [8] System error: permission denied

[root@localhost mustafa]# setenforce 0
[root@localhost mustafa]# docker run -it fedora /bin/bash
[root@dae8857e3aee /]#


Version-Release number of selected component (if applicable):
Fedora Rawhide
Docker 1.9.0-dev-fc24

How reproducible:
Always

Steps to Reproduce:
1. Run a docker container with SELinux enabled 
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Mustafa Muhammad 2015-11-08 03:09:29 EST
#journalctl --since 11:05

-- Logs begin at Sun 2015-11-01 09:21:04 AST, end at Sun 2015-11-08 11:05:52 AST. --
Nov 08 11:05:47 localhost.localdomain docker[1067]: time="2015-11-08T11:05:47.372059236+03:00" level=info msg="POST /v1.21/containers/create"
Nov 08 11:05:47 localhost.localdomain kernel: EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
Nov 08 11:05:48 localhost.localdomain kernel: EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: 
Nov 08 11:05:48 localhost.localdomain docker[1067]: time="2015-11-08T11:05:48.697695333+03:00" level=info msg="POST /v1.21/containers/77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d/attach?stderr=1&stdin=1&stdout=1&stream=1"
Nov 08 11:05:48 localhost.localdomain docker[1067]: time="2015-11-08T11:05:48.698554598+03:00" level=info msg="POST /v1.21/containers/77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d/start"
Nov 08 11:05:48 localhost.localdomain kernel: EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: 
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn>  (veth202eb4b): failed to find device 14 'veth202eb4b' with udev
Nov 08 11:05:48 localhost.localdomain audit: ANOM_PROMISCUOUS dev=veth5f6f428 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (veth202eb4b): new Veth device (carrier: OFF, driver: 'veth', ifindex: 14)
Nov 08 11:05:48 localhost.localdomain kernel: device veth5f6f428 entered promiscuous mode
Nov 08 11:05:48 localhost.localdomain kernel: IPv6: ADDRCONF(NETDEV_UP): veth5f6f428: link is not ready
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=filter family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=security family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=mangle family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=raw family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=nat family=2 entries=0
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=filter family=10 entries=0
Nov 08 11:05:48 localhost.localdomain systemd-udevd[2810]: Could not generate persistent MAC address for veth5f6f428: No such file or directory
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=security family=10 entries=0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn>  (veth5f6f428): failed to find device 15 'veth5f6f428' with udev
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=mangle family=10 entries=0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (veth5f6f428): new Ethernet device (carrier: OFF, driver: 'veth', ifindex: 15)
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=raw family=10 entries=0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (docker0): bridge port veth5f6f428 was attached
Nov 08 11:05:48 localhost.localdomain audit: NETFILTER_CFG table=nat family=10 entries=0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (veth5f6f428): enslaved to docker0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn>  (veth202eb4b): failed to disable userspace IPv6LL address handling
Nov 08 11:05:48 localhost.localdomain kernel: eth0: renamed from veth202eb4b
Nov 08 11:05:48 localhost.localdomain kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth5f6f428: link becomes ready
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered forwarding state
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered forwarding state
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (veth5f6f428): link connected
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (docker0): link connected
Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 08 11:05:48 localhost.localdomain systemd[1]: Started docker container 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d.
Nov 08 11:05:48 localhost.localdomain audit[2823]: AVC avc:  denied  { transition } for  pid=2823 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=262502 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c157,c353 tclass=process permissive=0
Nov 08 11:05:48 localhost.localdomain docker[1067]: time="2015-11-08T11:05:48.886007241+03:00" level=warning msg="exit status 1"
Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 08 11:05:48 localhost.localdomain systemd[1]: Stopped docker container 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d.
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered disabled state
Nov 08 11:05:48 localhost.localdomain kernel: veth202eb4b: renamed from eth0
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (veth5f6f428): link disconnected
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn>  (veth202eb4b): failed to find device 14 'veth202eb4b' with udev
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (veth202eb4b): new Veth device (carrier: OFF, driver: 'veth', ifindex: 14)
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (docker0): link disconnected (deferring action for 4 seconds)
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered disabled state
Nov 08 11:05:48 localhost.localdomain audit: ANOM_PROMISCUOUS dev=veth5f6f428 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
Nov 08 11:05:48 localhost.localdomain kernel: device veth5f6f428 left promiscuous mode
Nov 08 11:05:48 localhost.localdomain kernel: docker0: port 1(veth5f6f428) entered disabled state
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <warn>  (veth202eb4b): failed to disable userspace IPv6LL address handling
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (docker0): bridge port veth5f6f428 was detached
Nov 08 11:05:48 localhost.localdomain NetworkManager[942]: <info>  (veth5f6f428): released from master docker0
Nov 08 11:05:49 localhost.localdomain NetworkManager[942]: <warn>  (veth5f6f428): failed to disable userspace IPv6LL address handling
Nov 08 11:05:49 localhost.localdomain docker[1067]: time="2015-11-08T11:05:49.422224062+03:00" level=error msg="Error unmounting device 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d: UnmountDevice: device not-mounted id 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d"
Nov 08 11:05:49 localhost.localdomain docker[1067]: time="2015-11-08T11:05:49.422442996+03:00" level=error msg="Handler for POST /containers/{name:.*}/start returned error: Cannot start container 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d: [8] System error: permission denied"
Nov 08 11:05:49 localhost.localdomain docker[1067]: time="2015-11-08T11:05:49.422467524+03:00" level=error msg="HTTP Error" err="Cannot start container 77ea71dedae725407ffc7dc600f83160d8e2dee1eeef3541403f3a3277ad322d: [8] System error: permission denied" statusCode=500
Nov 08 11:05:52 localhost.localdomain NetworkManager[942]: <info>  (docker0): link disconnected (calling deferred action)
Comment 2 Daniel Walsh 2015-11-09 07:51:27 EST
Lokesh, this is caused by a bad docker-selinux being in rawhide. For some reason docker.fc was not in this build, so docker is not labeled as docker_exec_t. Please update the docker package with the latest fedora-1.9 docker selinux stuff.
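The denial in Comment 1 (`avc: denied { transition } ... scontext=...unconfined_service_t ... tcontext=...svirt_lxc_net_t ... tclass=process`) is the signature of the cause described in Comment 2: with /usr/bin/docker not labeled docker_exec_t, systemd started the daemon in unconfined_service_t rather than the daemon domain, and unconfined_service_t has no rule allowing a transition into the svirt_lxc_net_t container domain, so the container's first exec is refused. The script below is an added example, not code from this report or from the docker/docker-selinux projects. It parses AVC records from journalctl or audit.log lines and flags exactly that pattern. The sample input is the AVC and one USER_AVC line from Comment 1 plus one constructed file denial; docker_t as the daemon's domain is an assumption about the docker-selinux policy of that era (the report itself only names docker_exec_t and svirt_lxc_net_t).

```python
"""Flag SELinux AVC 'transition' denials that show a daemon running in
unconfined_service_t instead of its own domain (added example, not part
of the bug report or of docker-selinux)."""
import re

# Matches the AVC body in a journalctl line
# ("... audit[2823]: AVC avc:  denied  { transition } for  pid=...")
# or in a raw /var/log/audit/audit.log record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Type names from the docker-selinux policy of the time. docker_exec_t and
# svirt_lxc_net_t appear in the report; docker_t (the daemon domain) is assumed.
DAEMON_DOMAIN = "docker_t"
DAEMON_EXEC_TYPE = "docker_exec_t"
CONTAINER_DOMAIN_PREFIX = "svirt_"


def split_context(ctx):
    """'system_u:system_r:svirt_lxc_net_t:s0:c157,c353' -> user/role/type/mls parts."""
    return dict(zip(("user", "role", "type", "mls"), ctx.split(":", 3)))


def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for any other line
    (USER_AVC, NETFILTER_CFG, docker daemon output, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {"perms": m.group("perms").split(), **fields}
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key] = split_context(rec[key])
    if "permissive" in rec:
        rec["permissive"] = rec["permissive"] == "1"
    return rec


def diagnose(rec):
    """Explain the record if it is a denied process transition from
    unconfined_service_t into a svirt_* container domain; otherwise None."""
    if rec is None or rec.get("tclass") != "process" or "transition" not in rec["perms"]:
        return None
    src = rec.get("scontext", {}).get("type")
    dst = rec.get("tcontext", {}).get("type", "")
    if src != "unconfined_service_t" or not dst.startswith(CONTAINER_DOMAIN_PREFIX):
        return None
    return (
        f"pid {rec.get('pid')} ({rec.get('comm')}) was denied transition {src} -> {dst}: "
        f"the daemon is running unconfined, which is what happens when its binary is not "
        f"labeled {DAEMON_EXEC_TYPE}, so systemd never transitioned it to {DAEMON_DOMAIN}. "
        f"Check: ls -Z $(command -v docker); ps -eZ | grep docker"
    )


def scan(lines):
    """Run diagnose() over journal/audit lines; return (line_no, message) pairs."""
    findings = []
    for n, line in enumerate(lines, 1):
        msg = diagnose(parse_avc(line))
        if msg:
            findings.append((n, msg))
    return findings


# Sample input: a USER_AVC line and the AVC denial from Comment 1 of this
# report, plus one constructed file denial from inside a container. Only
# the transition denial should be flagged.
SAMPLE_LINES = [
    'Nov 08 11:05:48 localhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'',
    'Nov 08 11:05:48 localhost.localdomain audit[2823]: AVC avc:  denied  { transition } for  pid=2823 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=262502 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c157,c353 tclass=process permissive=0',
    # constructed: an ordinary in-container denial, not the mislabeled-daemon pattern
    'Nov 08 11:05:50 localhost.localdomain audit[2900]: AVC avc:  denied  { read } for  pid=2900 comm="cat" name="shadow" dev="dm-1" ino=4242 scontext=system_u:system_r:svirt_lxc_net_t:s0:c157,c353 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for n, msg in scan(SAMPLE_LINES):
        print(f"line {n}: {msg}")
```

On a live host the same diagnosis is two commands: `ls -Z /usr/bin/docker` should show docker_exec_t, and `ps -eZ | grep docker` should show the daemon in docker_t rather than unconfined_service_t. Once a docker-selinux build that ships docker.fc is installed, `restorecon -v /usr/bin/docker` followed by a daemon restart relabels the binary and gets the daemon back into its domain. `setenforce 0`, as the reporter used, makes the container start only because denials stop being enforced host-wide, so it is a diagnostic step and not a fix.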
Comment 3 Daniel Walsh 2015-12-01 16:57:52 EST
Fixed in the current release
