The problem is the docker-selinux package did not install properly. There are build differences between the 7.3 and 7.2.7 selinux-policy packages that are causing docker-selinux to blow up.
Reportedly fixed by https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=11693024 See also: https://atomic-e2e-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/rhelah-autobrew-7.3-treecompose/
I agree this is a blocker. The latest docker-selinux should have /usr/bin/docker* labeled as docker_exec_t.
    yum reinstall docker-selinux
    restorecon -v /usr/bin/docker*
    ls -lZ /usr/bin/docker*
If they are all labeled docker_exec_t, then you should be able to
    systemctl restart docker
Or docker-latest
Now check the label on the docker process.
    ps -eZ | grep docker
They should all be labeled docker_t.
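The label check described in the comment above, as an added example that is not part of the original bug thread: two shell filters that take `ls -lZ` and `ps -eZ` output and list anything not carrying the expected type. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): flag docker files/processes
# whose SELinux type differs from the expected one.
# Live use on a host:
#   ls -lZ /usr/bin/docker* | mislabeled_files docker_exec_t
#   ps -eZ | mislabeled_procs docker_t '^docker'

# Reads `ls -lZ` lines on stdin; prints "path type" for every file whose
# type is not $1. Works with old and new coreutils column layouts by
# locating the user:role:type:level field instead of a fixed column.
mislabeled_files() {
    awk -v want="$1" '
    NF == 0 { next }
    {
        for (i = 1; i <= NF; i++) {
            if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) {
                if (c[3] != want) print $NF, c[3]
                next
            }
        }
        print $NF, "no-context"   # unlabeled or unparsable line
    }'
}

# Reads `ps -eZ` lines on stdin; for commands matching regex $2, prints
# "pid command type" when the process type is not $1.
mislabeled_procs() {
    awk -v want="$1" -v pat="$2" '
    $1 == "LABEL" { next }        # header row
    $NF ~ pat {
        n = split($1, c, ":")
        t = (n >= 3) ? c[3] : "no-context"
        if (t != want) print $2, $NF, t
    }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-current'
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:docker_t:s0    1201 ?        00:00:03 docker
system_u:system_r:unconfined_service_t:s0 1350 ? 00:00:00 docker-current
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 ?  00:00:00 sshd'

printf '%s\n' "$SAMPLE_LS" | mislabeled_files docker_exec_t
printf '%s\n' "$SAMPLE_PS" | mislabeled_procs docker_t '^docker'
```

Empty output from both filters means every matched file and process carries the expected type.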
That only applies to non-AH. For AH we want Docker to work by default. If you look at https://atomic-e2e-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/rhelah-autobrew-7.3-treecompose/ the error is:
    02:02:16 Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/200/docker/cil:168
    02:02:16 /usr/sbin/semodule: Failed!
Is /etc/selinux/targeted/tmp/modules/200/docker/cil still available? The question is what typeattribute is it blowing up over.
The issue was on selinux-policy
Should be fixed in selinux-policy-3.13.1-97.el7
Docker package should be a requires on this patch.
@Colin, indeed you're right; after the docker reinstall the issue is resolved.
Yes I just checked in a fix for this in docker-selinux. edbbfc9001fbf949e4fb98392c647cdd820f06fe fixes this issue. Seems selinux policy in RHEL now has a domain for k8s which defines this path. This policy is not present in Rawhide though.
*** Bug 1373952 has been marked as a duplicate of this bug. ***
C#19 is this bug. I would say.
c#21 is somewhat covered here. https://bugzilla.redhat.com/show_bug.cgi?id=1373648
Ok, works with:
    # atomic host status
    State: idle
    Deployments:
    ● rhelah-autobuild:rhel-atomic-host/7.3/x86_64/autobrew/buildmaster
           Version: 7.3.internal.0.27 (2016-09-08 12:49:40)
            Commit: ff03b46032f9e12b033b322b4f2e0841543f04178d955963a08a1b7e71412413
            OSName: rhel-atomic-host
    # rpm -q docker selinux-policy
    docker-1.10.3-53.el7.x86_64
    selinux-policy-3.13.1-97.el7.noarch
Woohoo Finally.
VERIFIED with these versions:
    docker-1.10.3-53.el7.x86_64
    docker-selinux-1.10.3-53.el7.x86_64
    selinux-policy-3.13.1-98.el7.noarch
Beaker job which works with atomic/docker executables: https://beaker.engineering.redhat.com/recipes/3085819#tasks
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2634.html