Description of problem:
When I try to use docker, it always fails with a weird error and an SELinux alert.

The alert:
kvě 12 14:04:48 blackbox setroubleshoot[3720]: SELinux is preventing exe from mac_admin access on the capability2 Unknown. For complete SELinux messages. run sealert -l b8af2d9b-e0ca-45a6-89aa-1dd13f840c67
kvě 12 14:04:48 blackbox python3[3720]: SELinux is preventing exe from mac_admin access on the capability2 Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that exe should be allowed mac_admin access on the Unknown capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c exe --raw | audit2allow -M mypol
# semodule -i mypol.pp

Reproducer:
$ sudo systemctl start docker
$ sudo docker run -ti registry.access.redhat.com/rhel6.7 bash
Unable to find image 'registry.access.redhat.com/rhel6.7:latest' locally
0701b067a296: Error pulling image (latest) from registry.access.redhat.com/rhel6.7, ApplyLayer exit status 1 stdout: stderr: invalid argument
failed
Error pulling image (latest) from registry.access.redhat.com/rhel6.7, ApplyLayer exit status 1 stdout: stderr: invalid argument

Version-Release number of selected component (if applicable):
$ uname -a
Linux blackbox 4.4.8-300.fc23.x86_64 #1 SMP Wed Apr 20 16:59:27 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q docker docker-selinux libselinux selinux-policy selinux-policy-targeted
docker-1.9.1-9.gitee06d03.fc23.x86_64
docker-selinux-1.9.1-9.gitee06d03.fc23.x86_64
libselinux-2.4-4.fc23.x86_64
libselinux-2.4-4.fc23.i686
selinux-policy-3.13.1-158.14.fc23.noarch
selinux-policy-targeted-3.13.1-158.14.fc23.noarch

How reproducible:
Always
Just a note, the solution suggested by the SELinux troubleshooter:

ausearch -c exe --raw | audit2allow -M mypol
semodule -i mypol.pp

worked, and now I'm able to use docker correctly.
I think this should be reported against "docker", not "docker-distribution". When you disable SELinux, are you able to pull images?
As I wrote at the end of comment #1, I was able to pull images even with SELinux enabled, but I had to use the commands from the SELinux troubleshooter.
What was the AVC that you were seeing?

ausearch -m avc
time->Thu May 12 14:04:44 2016
type=AVC msg=audit(1463054684.400:380): avc: denied { mac_admin } for pid=3679 comm="exe" capability=33 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=capability2 permissive=0
This means that docker attempted to write a label that the kernel did not understand. This is not something you want to use. Looks like there is something wrong with your selinux-policy install.

dnf -y reinstall selinux-policy\* docker-selinux

And see if this fixes the issue.
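As an added example, not part of this bug thread: a small Python triage helper that parses audit AVC records like the one quoted above, decodes the numeric capability (33 is CAP_MAC_ADMIN, reported under tclass=capability2 because that class holds bits 32 and up) and flags denials whose audit2allow "fix" would grant a permission that weakens confinement rather than repairing a policy bug. The capability subset and the risky-permission list are my own choices; the sample input is the thread's denial plus one constructed file denial for contrast.

```python
import re

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\} for (?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Subset of linux/capability.h; SELinux class "capability" holds bits 0-31 and
# "capability2" holds 32 and up, so bit 33 is reported with tclass=capability2.
CAP_NAMES = {7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 19: "CAP_SYS_PTRACE",
             21: "CAP_SYS_ADMIN", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN"}
# Permissions that let a domain rewrite or bypass the MAC policy or the kernel;
# a blanket allow for these from audit2allow is a policy bug, not a local fix.
RISKY_PERMS = {"mac_admin", "mac_override", "sys_admin", "sys_module", "sys_ptrace"}

def parse_avc(line: str):
    """Parse one audit AVC record into a dict; None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "decision")}
    rec["perms"] = m.group("perms").split()
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    if "capability" in rec:  # decode the numeric capability for the analyst
        cap = int(rec["capability"])
        rec["capability"], rec["cap_name"] = cap, CAP_NAMES.get(cap, f"CAP_{cap}")
    rec["source_type"] = rec["scontext"].split(":")[2]  # e.g. docker_t
    return rec

def assess(rec: dict) -> str:
    """'high' when allowing the denied permission would weaken confinement."""
    if rec["decision"] == "denied" and RISKY_PERMS & set(rec["perms"]):
        return "high"
    return "low" if rec["decision"] == "denied" else "info"

def triage(lines) -> list:
    """(source type, permissions, capability name, risk) per AVC line."""
    return [(r["source_type"], r["perms"], r.get("cap_name"), assess(r))
            for r in map(parse_avc, lines) if r]

# Sample input: the denial quoted in this thread, plus a constructed file denial.
SAMPLE = [
    'type=AVC msg=audit(1463054684.400:380): avc: denied { mac_admin } for '
    'pid=3679 comm="exe" capability=33 scontext=system_u:system_r:docker_t:s0 '
    'tcontext=system_u:system_r:docker_t:s0 tclass=capability2 permissive=0',
    'type=AVC msg=audit(1463054700.000:381): avc:  denied  { read } for pid=4000 '
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]
```

Running `triage(SAMPLE)` yields `("docker_t", ["mac_admin"], "CAP_MAC_ADMIN", "high")` for the thread's denial and a "low" row for the ordinary file read; feed it the output of `ausearch -m avc --raw` to review denials before generating any local module.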
I've reinstalled the selinux-policy packages:

$ dnf -y reinstall selinux-policy\* docker-selinux

Removed the mypol package that fixed the issue before:

$ sudo semodule -r mypol

Restarted the docker service:

$ sudo systemctl restart docker

And tried again:

$ sudo docker run -ti registry.access.redhat.com/rhel6.7 bash

I'm not sure if the revert of:

ausearch -c exe --raw | audit2allow -M mypol
semodule -i mypol.pp

was done correctly, but if so, then feel free to close this bug.