Description of problem:
Starting previously running docker containers with latest update fails with a number of SELinux failures. Other docker operations fail as well.

Version-Release number of selected component (if applicable):
docker-1.8.2-7.gitcb216be.fc22.x86_64
docker-selinux-1.8.2-7.gitcb216be.fc22.x86_64
selinux-policy-targeted-3.13.1-128.21.fc22.noarch
selinux-policy-3.13.1-128.21.fc22.noarch

How reproducible:
Updated selinux policy from selinux-policy.noarch 3.13.1-128.18.fc22 (large numbers of packages were updated)

Steps to Reproduce:
1. have docker daemon running (--selinux-enabled option is present for daemon)
2. docker create --name=test ubuntu /sbin/init
3. docker start test
4. docker exec -i -t test /bin/bash

Actual results:
`docker start` generates a bunch of SELinux failures, but starts. `docker exec` doesn't start, also due to SELinux.

Expected results:
No SELinux audit failures.

Additional info:
SELinux errors from the point of starting a container, and trying exec:

type=ANOM_PROMISCUOUS msg=audit(1452766375.462:1426): dev=veth64a9a72 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=NETFILTER_CFG msg=audit(1452766375.467:1427): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1428): table=raw family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1429): table=security family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1430): table=mangle family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1431): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1432): table=filter family=10 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1433): table=raw family=10 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1434): table=security family=10 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1435): table=mangle family=10 entries=0
type=NETFILTER_CFG msg=audit(1452766375.467:1436): table=nat family=10 entries=0
type=AVC msg=audit(1452766375.547:1437): avc: denied { mounton } for pid=28343 comm="init" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1452766375.547:1438): avc: denied { mounton } for pid=28343 comm="init" path="/sys" dev="sysfs" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1452766375.603:1439): avc: denied { remount } for pid=28409 comm="mount" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1452766375.928:1440): avc: denied { create } for pid=29167 comm="mknod" name="ram0-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.931:1441): avc: denied { create } for pid=29170 comm="mknod" name="ram1-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.932:1442): avc: denied { create } for pid=29173 comm="mknod" name="ram2-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.934:1443): avc: denied { create } for pid=29176 comm="mknod" name="ram3-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.935:1444): avc: denied { create } for pid=29179 comm="mknod" name="ram4-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.937:1445): avc: denied { create } for pid=29182 comm="mknod" name="ram5-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.939:1446): avc: denied { create } for pid=29185 comm="mknod" name="ram6-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.940:1447): avc: denied { create } for pid=29188 comm="mknod" name="ram7-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.942:1448): avc: denied { create } for pid=29191 comm="mknod" name="ram8-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.944:1449): avc: denied { create } for pid=29195 comm="mknod" name="ram9-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.946:1450): avc: denied { create } for pid=29198 comm="mknod" name="ram10-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.947:1451): avc: denied { create } for pid=29201 comm="mknod" name="ram11-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.949:1452): avc: denied { create } for pid=29204 comm="mknod" name="ram12-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.950:1453): avc: denied { create } for pid=29207 comm="mknod" name="ram13-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.952:1454): avc: denied { create } for pid=29210 comm="mknod" name="ram14-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.954:1455): avc: denied { create } for pid=29213 comm="mknod" name="ram15-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766375.955:1456): avc: denied { create } for pid=29216 comm="mknod" name="ram16-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.065:1457): avc: denied { create } for pid=29577 comm="mknod" name="loop0-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.067:1458): avc: denied { create } for pid=29580 comm="mknod" name="loop1-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.071:1459): avc: denied { create } for pid=29584 comm="mknod" name="loop2-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.072:1460): avc: denied { create } for pid=29587 comm="mknod" name="loop3-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.074:1461): avc: denied { create } for pid=29590 comm="mknod" name="loop4-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.076:1462): avc: denied { create } for pid=29593 comm="mknod" name="loop5-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.077:1463): avc: denied { create } for pid=29596 comm="mknod" name="loop6-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766376.079:1464): avc: denied { create } for pid=29599 comm="mknod" name="loop7-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766383.838:1465): avc: denied { read write } for pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1452766383.838:1466): avc: denied { read write } for pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1452766383.838:1467): avc: denied { read write } for pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1452766383.839:1468): avc: denied { read write } for pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
This looks like you are running systemd or an init system inside of a container. In order to do this you need to run --privileged. All of the activity that SELinux is blocking is legit. You don't want device nodes being created and mount commands executing within a container.

You also need to reinstall docker-selinux:

  yum reinstall docker-selinux

This is a known bug.
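The reply above reads the denials by eye: mounts on /proc and /sys, a remount of sysfs and block-device creation under svirt_sandbox_file_t are what an init system does at boot, and SELinux is right to stop them in an unprivileged container. The script below is an added example, not code from the reporter or from the docker/docker-selinux packages, that automates that triage over kernel AVC records in the format shown in the report: it parses each `type=AVC ... avc: denied { perms } for ...` line, tallies denials by process name, source type, target type, object class and permission set, and labels each one with the init-like behaviour it matches. The sample input is constructed from five records copied out of the log above (one netfilter record to show non-AVC lines are skipped, the /proc mounton, the sysfs remount, one mknod denial and the later bash/devpts denial from the `docker exec` step). The classification heuristics (`INIT_SIGNATURES`) are this example's own, chosen to mirror the maintainer's diagnosis; the devpts read/write denial does not match them and is left under "other".

```python
import re
from collections import Counter, defaultdict

# Constructed sample: five records copied from the audit log in the report above
# (one non-AVC netfilter record, the /proc mounton, the sysfs remount, one of the
# mknod denials and the devpts denial from the exec step). The real log has ~40.
SAMPLE_AUDIT = """\
type=NETFILTER_CFG msg=audit(1452766375.467:1427): table=filter family=2 entries=0
type=AVC msg=audit(1452766375.547:1437): avc: denied { mounton } for pid=28343 comm="init" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1452766375.603:1439): avc: denied { remount } for pid=28409 comm="mount" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1452766375.928:1440): avc: denied { create } for pid=29167 comm="mknod" name="ram0-" scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c299,c990 tclass=blk_file permissive=0
type=AVC msg=audit(1452766383.838:1465): avc: denied { read write } for pid=31493 comm="bash" path="/dev/pts/6" dev="devpts" ino=9 scontext=system_u:system_r:svirt_lxc_net_t:s0:c299,c990 tcontext=system_u:object_r:docker_devpts_t:s0 tclass=chr_file permissive=0
"""

# Shape of a kernel AVC record as written to /var/log/audit/audit.log (and echoed
# by ausearch): header, the denied permission set in braces, then key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial or None otherwise."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "perms": m["perms"].split()}
    for key, value in FIELD_RE.findall(m["fields"]):
        rec[key] = value.strip('"')
    # Contexts are user:role:type:range; keep the type, which policy rules key on.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":", 3)[2]
    return rec


# Heuristics (this example's own) for the behaviour described in the reply: a process
# inside the container mounting /proc or /sys, remounting filesystems, or creating
# device nodes is acting like an init system and is expected to be denied unless the
# container runs with --privileged.
INIT_SIGNATURES = {
    "mount_or_remount": lambda r: bool({"mounton", "remount", "mount"} & set(r["perms"])),
    "device_node_create": lambda r: r["tclass"] in ("blk_file", "chr_file")
                                     and "create" in r["perms"],
}


def classify(rec):
    """Label a denial with the init-like behaviour it matches, or 'other'."""
    for label, matches in INIT_SIGNATURES.items():
        if matches(rec):
            return label
    return "other"


def triage(text):
    """Group every AVC denial in an audit log by classification label."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            groups[classify(rec)].append(rec)
    return dict(groups)


def summarize(text):
    """Count denials by (comm, source type, target type, class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["comm"], rec["scontext_type"], rec["tcontext_type"],
                    rec["tclass"], " ".join(rec["perms"]))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT).most_common():
        print(f"{n:4d}  {key}")
    for label, recs in triage(SAMPLE_AUDIT).items():
        print(f"{label}: serials {[r['serial'] for r in recs]}")
```

To run it against a live host, feed it the output of `ausearch -m AVC -ts recent` (or the raw audit.log); lines that are not AVC records, such as the `----`/`time->` separators ausearch prints, are ignored by `parse_avc`. Tallying by type pair and class rather than by pid is what makes a 40-line log readable: the 25 mknod denials above collapse to one row, and any denial that lands under "other" (here the bash/devpts one) is the one that needs a separate explanation rather than `--privileged`.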