Description of problem:
With the latest update (which included kernel-4.6.4, libselinux*-2.5-9, and docker*-2:1.10.3-24.git29066b4), docker volumes can no longer be accessed in the container due to "permission denied" issues unless "--privileged" is passed when starting the container.

Version-Release number of selected component (if applicable):
docker-selinux-1.10.3-24.git29066b4.fc24.x86_64
docker-1.10.3-24.git29066b4.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. mkdir /var/tmp/docker-volume-test
2. docker run -i -t --rm --volume=/var/tmp/docker-volume-test:/test busybox
3. ls /test # note: this is executed in the docker container

Actual results:
ls: can't open '/test': Permission denied

Expected results:
I get what I expect if I instead run "privileged", but I shouldn't need to do so:
$ docker run --privileged -i -t --rm --volume=/var/tmp/docker-volume-test:/test busybox
/ # ls /test
/ #

Additional info:
I'm unsure if it's the docker update, the kernel update, or the libselinux update that broke this. I've tried downgrading docker, libselinux, and running with the previous kernel, but I still get the same error. It's possible the issue preceded the update (and I just coincidentally noticed it), but I'd be surprised if I (and others) didn't notice it if it indeed occurred earlier.

It's also possible this in journalctl's logs may be related:
Jul 20 09:24:02 fedora-machine systemd[1]: Started docker container 405aeca70e61ad3ec1883678355d5e1e34016c69455f563c9a08a594e16ae809.
Jul 20 09:24:02 fedora-machine kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Jul 20 09:24:03 fedora-machine oci-register-machine[4934]: 2016/07/20 09:24:02 Register machine: prestart 405aeca70e61ad3ec1883678355d5e1e34016c69455f563c9a08a594e16ae809 4909 /var/lib/docker/devicemapper/mnt/696c4c305d5b5ad5ff66b2d1f0d6629dcd347f2b8296f29f75e8d4480b237fff/rootfs
Note that this completely breaks docker-compose when installed as a container (see "Install as a container" under "Alternative install options" in https://docs.docker.com/compose/install/) because passing "--privileged" is not an option here. The result you'll get trying to run docker-compose in this manner is:
ERROR: Can't find a suitable configuration file in this directory or any parent. Are you in the right directory? Supported filenames: docker-compose.yml, docker-compose.yaml
Try
docker run --privileged -i -t --rm --volume=/var/tmp/docker-volume-test:/test:Z busybox

http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/

It has always been this way.
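The comment above points at the SELinux volume label flags: appending ":Z" (private, relabeled for one container) or ":z" (shared across containers) to a "--volume" spec lets the docker daemon relabel the host directory so the confined container process can read it, which is the fix for the "Permission denied" in the report rather than dropping confinement with "--privileged". The following is an added example, not code from the bug report or from the docker project: a small bash helper that parses "HOST:CONTAINER[:OPTS]" volume specs, reports any bind mount that requests no SELinux relabel, and appends ":Z" where it is missing, so a wrapper script or CI check can catch such mounts before a container is started. The function names and the argument list in the usage call are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: lint docker --volume specs for the SELinux relabel flag
# (":z" shared, ":Z" private) and add ":Z" where none is given.
set -eu

# Return 0 if SPEC (HOST:CONTAINER[:OPTS]) asks for SELinux relabeling.
# The options field is the third colon-separated field, e.g. "ro,Z".
volume_has_selinux_label() {
    local spec="$1" opts
    opts=$(printf '%s' "$spec" | awk -F: '{print $3}')
    case ",$opts," in
        *,z,*|*,Z,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print SPEC with a private relabel (":Z") added if no z/Z flag is present.
# An existing options field gets ",Z" appended; a bare "HOST:CONTAINER" gets ":Z".
# A spec without a colon is an anonymous volume, which needs no relabeling.
label_volume_spec() {
    local spec="$1"
    if volume_has_selinux_label "$spec"; then
        printf '%s\n' "$spec"
        return 0
    fi
    case "$spec" in
        *:*:*) printf '%s,Z\n' "$spec" ;;
        *:*)   printf '%s:Z\n' "$spec" ;;
        *)     printf '%s\n' "$spec" ;;
    esac
}

# Walk a "docker run" argument list and print every bind-mount spec that
# lacks a z/Z flag, one per line. Returns 1 if any were found, else 0.
lint_docker_run_args() {
    local rc=0 arg spec
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case "$arg" in
            --volume=*) spec=${arg#*=} ;;
            --volume|-v)
                [ $# -gt 0 ] || break
                spec=$1; shift ;;
            *) continue ;;
        esac
        if ! volume_has_selinux_label "$spec"; then
            printf '%s\n' "$spec"
            rc=1
        fi
    done
    return $rc
}

# Usage (constructed argument list mirroring step 2 of the report):
# prints "/var/tmp/docker-volume-test:/test" because that mount has no flag,
# while "/srv:/srv:Z" passes.
lint_docker_run_args run -i -t --rm \
    --volume=/var/tmp/docker-volume-test:/test -v /srv:/srv:Z busybox || true
label_volume_spec /var/tmp/docker-volume-test:/test
```

On a host where the relabel has been applied, "ls -dZ /var/tmp/docker-volume-test" shows the directory carrying the container file type (svirt_sandbox_file_t on the Fedora 24-era policy, container_file_t on newer ones); a directory still labeled with its original type is the usual sign that the ":Z" flag was omitted. Prefer ":Z" over ":z" unless several containers genuinely need the same directory, since the private label limits which container's processes SELinux will allow to touch the files.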
It's possible I didn't notice this "regression" when I switched back to Fedora images as part of upgrading to F24 (https://yum.dockerproject.org/repo/main/fedora/$releasever/ is missing for f24, and won't be officially available until the 1.12.0 release, so I reverted to Fedora images), but I suspect not. In any case, I tried the Docker project's "testing" images (https://yum.dockerproject.org/repo/testing/fedora/$releasever/) and have confirmed that docker-engine-1.12.0-0.5.rc5.fc24.x86_64 and docker-engine-selinux-1.12.0-0.5.rc5.fc24.noarch work as I expect. I'm able to mount volumes (and use docker-compose) without having to pass "--privileged". It seems possible, at least, to mount volumes without having to run privileged.
Docker just released 1.12.0 and put it up on yum.dockerproject.org for Fedora 24. This RPM does not require the use of --privileged to mount volumes. I'll use it, instead. Thanks!