Description of problem:
docker-1.12 is executed with the wrong SELinux context (unconfined_service_t).

Version-Release number of selected component (if applicable):
docker-1.12.0-5.gitad4812e.fc26.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. Install docker on rawhide
   dnf install -y docker
2. Start the docker service
   systemctl start docker
3. Check the SELinux context of docker
   ps axZ | grep docke[r]

Actual results:
system_u:system_r:unconfined_service_t:s0 2638 ? Ssl 0:00 /usr/libexec/docker/docker-containerd --listen unix:///run/containerd.sock --runtime /usr/libexec/docker/docker-runc --runtime-args --systemd-cgroup=true --shim /usr/libexec/docker/docker-containerd-shim
system_u:system_r:unconfined_service_t:s0 2672 ? Ssl 0:01 dockerd --containerd /run/containerd.sock --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald -s btrfs

Expected results:
A different type than unconfined_service_t.
Probably system_u:system_r:docker_t ?

sh# rpm -qa 'selinux-policy*' docker-selinux
selinux-policy-3.13.1-206.fc26.noarch
selinux-policy-targeted-3.13.1-206.fc26.noarch
docker-selinux-1.12.0-5.gitad4812e.fc26.x86_64

BTW, I saw a failure when I was upgrading to .6. Is it related?

Running transaction
  Upgrading : docker-selinux-2:1.12.0-6.gitad4812e.fc26.x86_64 1/6
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/docker/cil:169
/usr/sbin/semodule: Failed!
  Upgrading : docker-2:1.12.0-6.gitad4812e.fc26.x86_64 2/6
  Upgrading : docker-v1.10-migrator-2:1.12.0-6.gitad4812e.fc26.x86_64

Yes, I just found the issue and am working with the selinux-policy team to fix it. Sadly, the bug was introduced by a patch I sent. Lokesh, we will need a new build of docker-selinux once the selinux-policy gets updated.

Fixed in current release.
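
The check from step 3 of the report, written as a repeatable test. This is an added example, not part of the original bug thread: the function names are hypothetical, and the sample input is constructed from the report's output plus a hypothetical docker_t line for contrast.

```shell
#!/bin/sh
# Flag Docker daemons that run in the unconfined_service_t SELinux domain.
# Input is `ps axZ` output: LABEL PID TTY STAT TIME COMMAND...

# Constructed sample input (the docker_t and otherd lines are hypothetical).
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:unconfined_service_t:s0 2638 ? Ssl 0:00 /usr/libexec/docker/docker-containerd --listen unix:///run/containerd.sock
system_u:system_r:unconfined_service_t:s0 2672 ? Ssl 0:01 dockerd --containerd /run/containerd.sock --selinux-enabled
system_u:system_r:docker_t:s0 3001 ? Ssl 0:01 dockerd --containerd /run/containerd.sock --selinux-enabled
system_u:system_r:unconfined_service_t:s0 3100 ? Ss 0:00 /usr/sbin/otherd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3200 pts/0 S+ 0:00 grep docker
EOF
}

# Print "PID TYPE COMMAND" for each docker process in unconfined_service_t.
flag_unconfined_docker() {
    awk '
    NR == 1 && $1 == "LABEL" { next }        # skip the ps header line
    {
        # Context is user:role:type:level; the level may itself contain ":".
        n = split($1, ctx, ":")
        if (n < 3) next                      # no SELinux label (ps prints "-")
        setype = ctx[3]
        base = $6                            # first word of COMMAND
        sub(/.*\//, "", base)                # reduce a full path to its basename
        # Match on the executable name only, so "grep docker" is not flagged.
        if (base ~ /^docker/ && setype == "unconfined_service_t")
            print $2, setype, base
    }'
}

# Stand-alone run on the constructed sample; on a live host use:
#   ps axZ | flag_unconfined_docker
sample_ps | flag_unconfined_docker
```

Empty output means no docker process was found in unconfined_service_t; it does not by itself confirm that the policy module loaded, which the semodule failure in the thread shows is worth checking separately.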