Bug 1373952 - [extras-rhel-7.3.0] selinux issues prevent docker.service from starting
Summary: [extras-rhel-7.3.0] selinux issues prevent docker.service from starting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-07 14:04 UTC by Lokesh Mandvekar
Modified: 2019-03-06 00:40 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-17 20:43:27 UTC
Target Upstream Version:
Embargoed:


Attachments:
strace for systemctl status docker (28.99 KB, text/plain), 2016-09-09 16:05 UTC, Alex Jia


Links:
Red Hat Product Errata RHSA-2017:0116 (normal, SHIPPED_LIVE): Moderate: docker security, bug fix, and enhancement update, last updated 2017-01-18 01:39:43 UTC

Description Lokesh Mandvekar 2016-09-07 14:04:13 UTC
Description of problem:

Dan, docker.service does start up fine in permissive mode. journalctl -xe gives me the logs below. 

Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Starting Docker Storage Setup...
-- Subject: Unit docker-storage-setup.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker-storage-setup.service has begun starting up.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[2660]: Failed at step EXEC spawning /usr/bin/docker-storage-setup: Permission denied
-- Subject: Process /usr/bin/docker-storage-setup could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The process /usr/bin/docker-storage-setup could not be executed and failed.
-- 
-- The error number returned by this process is 13.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: docker-storage-setup.service: main process exited, code=exited, status=203/EXEC
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Failed to start Docker Storage Setup.
-- Subject: Unit docker-storage-setup.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker-storage-setup.service has failed.
-- 
-- The result is failed.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Unit docker-storage-setup.service entered failed state.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: docker-storage-setup.service failed.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Starting Docker Application Container Engine...
-- Subject: Unit docker.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has begun starting up.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[2662]: Failed at step EXEC spawning /usr/bin/docker-current: Permission denied
-- Subject: Process /usr/bin/docker-current could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The process /usr/bin/docker-current could not be executed and failed.
-- 
-- The error number returned by this process is 13.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: docker.service: main process exited, code=exited, status=203/EXEC
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Failed to start Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is failed.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: Unit docker.service entered failed state.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com systemd[1]: docker.service failed.
Sep 07 10:00:48 rhel.os1.phx2.redhat.com polkitd[478]: Unregistered Authentication Agent for unix-process:2654:61726 (system bus name :1.39, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Comment 1 Colin Walters 2016-09-07 14:05:15 UTC

*** This bug has been marked as a duplicate of bug 1370935 ***

Comment 2 Lokesh Mandvekar 2016-09-07 14:11:15 UTC
Dan, just an FYI, this is not quite a duplicate of 1370935, in that I see this issue even after docker-selinux commit 3d17c3ffa79415a9c467802b24f1d1d8f6a41a23.

Comment 3 Daniel Walsh 2016-09-07 15:25:55 UTC
Lokesh, please attach the AVC messages.

Comment 4 Lokesh Mandvekar 2016-09-07 15:47:41 UTC
----
time->Fri Sep  2 15:02:33 2016
type=SYSCALL msg=audit(1472842953.881:4761): arch=c000003e syscall=59 success=no exit=-13 a0=c8205634b8 a1=c8205634c0 a2=c820544a80 a3=0 items=0 ppid=8922 pid=9131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472842953.881:4761): avc:  denied  { transition } for  pid=9131 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c738,c986 tclass=process
----
time->Fri Sep  2 15:02:45 2016
type=SYSCALL msg=audit(1472842965.816:4780): arch=c000003e syscall=59 success=yes exit=0 a0=c820658408 a1=c820658410 a2=c8205e1c20 a3=0 items=0 ppid=8922 pid=9209 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="sh" exe="/bin/sh" subj=system_u:system_r:svirt_lxc_net_t:s0:c595,c955 key=(null)
type=AVC msg=audit(1472842965.816:4780): avc:  denied  { transition } for  pid=9209 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c595,c955 tclass=process
----
time->Fri Sep  2 15:02:45 2016
type=SYSCALL msg=audit(1472842965.825:4781): arch=c000003e syscall=61 success=yes exit=9209 a0=23f9 a1=c8214c1284 a2=0 a3=c8213466c0 items=0 ppid=1 pid=8927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-current" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472842965.825:4781): avc:  denied  { sigchld } for  pid=8927 comm="docker-current" scontext=system_u:system_r:svirt_lxc_net_t:s0:c595,c955 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
----
time->Fri Sep  2 15:23:23 2016
type=SYSCALL msg=audit(1472844203.477:4859): arch=c000003e syscall=59 success=no exit=-13 a0=c82063f298 a1=c82063f2a0 a2=c8205e4ae0 a3=0 items=0 ppid=8922 pid=9781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472844203.477:4859): avc:  denied  { transition } for  pid=9781 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c760,c970 tclass=process
----
time->Fri Sep  2 15:25:15 2016
type=SYSCALL msg=audit(1472844315.652:4873): arch=c000003e syscall=59 success=no exit=-13 a0=c820656cd8 a1=c820656ce0 a2=c820686840 a3=0 items=0 ppid=8922 pid=9923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472844315.652:4873): avc:  denied  { transition } for  pid=9923 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c155,c823 tclass=process
----
time->Fri Sep  2 15:45:27 2016
type=SYSCALL msg=audit(1472845527.703:110): arch=c000003e syscall=59 success=no exit=-13 a0=c8205d4eb8 a1=c8205d4ec0 a2=c8205fa900 a3=0 items=0 ppid=2314 pid=2498 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1472845527.703:110): avc:  denied  { transition } for  pid=2498 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c119,c137 tclass=process
----
time->Tue Sep  6 09:21:31 2016
type=SYSCALL msg=audit(1473168091.052:2453): arch=c000003e syscall=59 success=no exit=-13 a0=c8206562f0 a1=c820656300 a2=c8206be8a0 a3=0 items=0 ppid=26309 pid=26539 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1473168091.052:2453): avc:  denied  { transition } for  pid=26539 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=23068818 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c472,c540 tclass=process
----
time->Tue Sep  6 16:39:59 2016
type=SYSCALL msg=audit(1473194399.272:104): arch=c000003e syscall=59 success=no exit=-13 a0=c820573050 a1=c820573060 a2=c820672b10 a3=0 items=0 ppid=2209 pid=2392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1473194399.272:104): avc:  denied  { transition } for  pid=2392 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=23068818 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c502,c964 tclass=process
----
time->Tue Sep  6 16:54:18 2016
type=SYSCALL msg=audit(1473195258.800:194): arch=c000003e syscall=59 success=no exit=-13 a0=c820682e90 a1=c820682ea0 a2=c82055e660 a3=0 items=0 ppid=2209 pid=2836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1473195258.800:194): avc:  denied  { transition } for  pid=2836 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=23068818 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c677,c896 tclass=process
----
time->Tue Sep  6 17:37:25 2016
type=SYSCALL msg=audit(1473197845.405:317): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844aa4070 a1=7fa844aa5cc0 a2=7fa844cbbd40 a3=3 items=0 ppid=1 pid=13799 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197845.405:317): avc:  denied  { transition } for  pid=13799 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9939018 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473197845.405:317): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Tue Sep  6 17:37:25 2016
type=SYSCALL msg=audit(1473197845.438:319): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844b31810 a1=7fa844d43bd0 a2=7fa844d5bd00 a3=7fa842ad11b0 items=0 ppid=1 pid=13801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197845.438:319): avc:  denied  { transition } for  pid=13801 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:37:44 2016
type=SYSCALL msg=audit(1473197864.975:326): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844aa4070 a1=7fa844cd2270 a2=7fa844ba8d30 a3=3 items=0 ppid=1 pid=13815 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197864.975:326): avc:  denied  { transition } for  pid=13815 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9939018 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:37:44 2016
type=SYSCALL msg=audit(1473197864.982:328): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844b31810 a1=7fa844b401c0 a2=7fa844b3fee0 a3=5 items=0 ppid=1 pid=13817 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197864.982:328): avc:  denied  { transition } for  pid=13817 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:37:55 2016
type=SYSCALL msg=audit(1473197875.425:345): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844aa4070 a1=7fa844cd2270 a2=7fa844b83b70 a3=3 items=0 ppid=1 pid=13849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197875.425:345): avc:  denied  { transition } for  pid=13849 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9939018 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:37:55 2016
type=SYSCALL msg=audit(1473197875.432:347): arch=c000003e syscall=59 success=no exit=-13 a0=7fa844b31810 a1=7fa844b401c0 a2=7fa844b403c0 a3=5 items=0 ppid=1 pid=13851 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473197875.432:347): avc:  denied  { transition } for  pid=13851 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Tue Sep  6 17:53:27 2016
type=SYSCALL msg=audit(1473198807.798:125): arch=c000003e syscall=59 success=no exit=-13 a0=c8206903a0 a1=c8206903b0 a2=c8205d5b60 a3=0 items=0 ppid=2463 pid=2649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1473198807.798:125): avc:  denied  { transition } for  pid=2649 comm="exe" path="/usr/bin/bash" dev="dm-1" ino=23068818 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c818,c936 tclass=process
----
time->Wed Sep  7 09:49:19 2016
type=SYSCALL msg=audit(1473256159.307:1887): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee5f2f0 a1=7f5fcee2e570 a2=7f5fcee2af20 a3=3 items=0 ppid=1 pid=5826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256159.307:1887): avc:  denied  { transition } for  pid=5826 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256159.307:1887): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:49:19 2016
type=SYSCALL msg=audit(1473256159.341:1889): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee29580 a1=7f5fcee48150 a2=7f5fcee40360 a3=7f5fcd2a71b0 items=0 ppid=1 pid=5828 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256159.341:1889): avc:  denied  { transition } for  pid=5828 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:49:30 2016
type=SYSCALL msg=audit(1473256170.699:1896): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee5f2f0 a1=7f5fced8edb0 a2=7f5fced43950 a3=3 items=0 ppid=1 pid=5841 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256170.699:1896): avc:  denied  { transition } for  pid=5841 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:49:30 2016
type=SYSCALL msg=audit(1473256170.710:1898): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee29580 a1=7f5fcedb2c60 a2=7f5fcedf98c0 a3=7f5fcd2a71b0 items=0 ppid=1 pid=5843 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256170.710:1898): avc:  denied  { transition } for  pid=5843 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:49:41 2016
type=SYSCALL msg=audit(1473256181.027:1910): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee5f2f0 a1=7f5fced43950 a2=7f5fcee2b3e0 a3=3 items=0 ppid=1 pid=5865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256181.027:1910): avc:  denied  { transition } for  pid=5865 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:49:41 2016
type=SYSCALL msg=audit(1473256181.035:1912): arch=c000003e syscall=59 success=no exit=-13 a0=7f5fcee29580 a1=7f5fcee45e10 a2=7f5fcedf98c0 a3=7f5fcd2a71b0 items=0 ppid=1 pid=5867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256181.035:1912): avc:  denied  { transition } for  pid=5867 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:55:42 2016
type=SYSCALL msg=audit(1473256542.578:72): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d8030 a1=7f66818d8000 a2=7f66818d80b0 a3=3 items=0 ppid=1 pid=2227 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256542.578:72): avc:  denied  { transition } for  pid=2227 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256542.578:72): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:55:42 2016
type=SYSCALL msg=audit(1473256542.775:74): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b6b40 a1=7f66818d9fb0 a2=7f66818d5790 a3=7f667f2701b0 items=0 ppid=1 pid=2229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256542.775:74): avc:  denied  { transition } for  pid=2229 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:55:50 2016
type=SYSCALL msg=audit(1473256550.226:81): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d8030 a1=7f66818c7b90 a2=7f66818b6b20 a3=3 items=0 ppid=1 pid=2240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256550.226:81): avc:  denied  { transition } for  pid=2240 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:55:50 2016
type=SYSCALL msg=audit(1473256550.241:83): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b6b40 a1=7f66818d9ff0 a2=7f66818d7fc0 a3=5 items=0 ppid=1 pid=2242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256550.241:83): avc:  denied  { transition } for  pid=2242 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:58:22 2016
type=SYSCALL msg=audit(1473256702.180:113): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d84c0 a1=7f6681826190 a2=7f66818b2550 a3=3 items=0 ppid=1 pid=2382 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256702.180:113): avc:  denied  { transition } for  pid=2382 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256702.180:113): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:58:22 2016
type=SYSCALL msg=audit(1473256702.225:115): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b03d0 a1=7f6681856e10 a2=7f66818d9300 a3=746e65674100 items=0 ppid=1 pid=2384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256702.225:115): avc:  denied  { transition } for  pid=2384 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=9556610 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 09:59:14 2016
type=SYSCALL msg=audit(1473256754.449:134): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d84c0 a1=7f66818b2550 a2=7f6681857680 a3=3 items=0 ppid=1 pid=2437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256754.449:134): avc:  denied  { transition } for  pid=2437 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256754.449:134): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:59:14 2016
type=SYSCALL msg=audit(1473256754.459:136): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b03d0 a1=7f66818d9300 a2=7f668187cfa0 a3=5 items=0 ppid=1 pid=2439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256754.459:136): avc:  denied  { transition } for  pid=2439 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=9556610 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 10:00:04 2016
type=SYSCALL msg=audit(1473256804.963:152): arch=c000003e syscall=59 success=yes exit=0 a0=7f66818d84c0 a1=7f66818b2550 a2=7f6681857680 a3=3 items=0 ppid=1 pid=2483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-storage-" exe="/usr/bin/bash" subj=system_u:system_r:docker_t:s0 key=(null)
type=AVC msg=audit(1473256804.963:152): avc:  denied  { transition } for  pid=2483 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 10:00:48 2016
type=SYSCALL msg=audit(1473256848.826:191): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d84c0 a1=7f66818b7280 a2=7f66818b0f90 a3=3 items=0 ppid=1 pid=2660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256848.826:191): avc:  denied  { transition } for  pid=2660 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256848.826:191): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 10:00:48 2016
type=SYSCALL msg=audit(1473256848.841:193): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b03d0 a1=7f6681828d10 a2=7f668187ce40 a3=5 items=0 ppid=1 pid=2662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256848.841:193): avc:  denied  { transition } for  pid=2662 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=9556610 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
----
time->Wed Sep  7 11:46:42 2016
type=SYSCALL msg=audit(1473263202.608:423): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818d84c0 a1=7f66818b6240 a2=7f66818b7500 a3=3 items=0 ppid=1 pid=5533 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473263202.608:423): avc:  denied  { transition } for  pid=5533 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=9556611 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473263202.608:423): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 11:46:42 2016
type=SYSCALL msg=audit(1473263202.619:425): arch=c000003e syscall=59 success=no exit=-13 a0=7f66818b03d0 a1=7f668184a7e0 a2=7f6681828da0 a3=5 items=0 ppid=1 pid=5535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-current)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473263202.619:425): avc:  denied  { transition } for  pid=5535 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=9556610 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process

Comment 5 Daniel Walsh 2016-09-07 16:31:15 UTC
Looks like typebounds are not properly supported in the RHEL kernel. Removal of typebounds from the policy should fix this issue.

I have pushed an update to docker-selinux.

Comment 7 Daniel Walsh 2016-09-07 17:07:37 UTC
Fixed in docker-1.10.3-53.el7.x86_64

Comment 8 Alex Jia 2016-09-09 04:55:44 UTC
(In reply to Daniel Walsh from comment #7)
> Fixed in docker-1.10.3-53.el7.x86_64

Daniel, I got another AVC denial in docker-1.10.3-53.el7.x86_64.

# getenforce
Enforcing

# systemctl start docker
Failed to get properties: Access denied

<audit>
type=USER_AVC msg=audit(1473396275.252:48576): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
</audit>

# setenforce 0

# getenforce
Permissive

# systemctl start docker
# systemctl is-active docker
active

Comment 9 Daniel Walsh 2016-09-09 11:53:36 UTC
That is allowed in Rawhide.

audit2allow  -i /tmp/t


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t docker_unit_file_t:service status;

Comment 10 Daniel Walsh 2016-09-09 11:56:07 UTC
On RHEL I also see this as allowed.

sudo sh
sh-4.2# audit2allow 
type=USER_AVC msg=audit(1473396275.252:48576): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t docker_unit_file_t:service status;

# rpm -q selinux-policy docker-selinux
selinux-policy-3.13.1-97.el7.noarch
docker-selinux-1.10.3-53.el7.x86_64
# getenforce 
Enforcing
# systemctl restart docker
#

Comment 11 Alex Jia 2016-09-09 16:04:13 UTC
(In reply to Daniel Walsh from comment #10)

It is also allowed for me, but I can't status/stop/start the docker service with SELinux in enforcing mode and get "Access denied". I will attach the strace output as an attachment.

[root@dhcp-2-50 ~]# audit2allow -i /tmp/t


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t docker_unit_file_t:service status;
[root@dhcp-2-50 ~]# getenforce
Permissive
[root@dhcp-2-50 ~]# setenforce 1
[root@dhcp-2-50 ~]# audit2allow -i /tmp/t


#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t docker_unit_file_t:service status;
[root@dhcp-2-50 ~]# getenforce
Enforcing


[root@dhcp-2-50 ~]# systemctl status docker
Failed to get properties: Access denied

[root@dhcp-2-50 ~]# systemctl stop docker
Failed to stop docker.service: Access denied

Failed to get load state of docker.service: Access denied
[root@dhcp-2-50 ~]# systemctl start docker
Failed to start docker.service: Access denied


[root@dhcp-2-50 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)

[root@dhcp-2-50 ~]# rpm -q selinux-policy docker docker-selinux
selinux-policy-3.13.1-97.el7.noarch
docker-1.10.3-53.el7.x86_64
docker-selinux-1.10.3-53.el7.x86_64

Comment 12 Alex Jia 2016-09-09 16:05:19 UTC
Created attachment 1199528 [details]
strace for systemctl status docker

Comment 13 Daniel Walsh 2016-09-09 17:45:41 UTC
Alex, could you try

yum reinstall docker-selinux

It seems like the policy is not currently loaded.
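The script below is an added example, not code from this bug report or from docker-selinux. It parses audit records in the format of comment 4 the way a defender would triage them: records sharing one audit serial are grouped into an event, and the typebounds failures that comment 5 diagnoses (SELINUX_ERR op=security_compute_av reason=bounds) are told apart from ordinary AVC denials and from the USER_AVC that systemd reports in comment 8. The sample records are copied from this report (SYSCALL line trimmed); the cause labels are the script's own.

```python
"""Triage SELinux audit records: group them by event, flag typebounds denials."""
import re

# Constructed sample: records copied from this bug report (comments 4 and 8), with
# the SYSCALL line trimmed to the fields used here and ausearch separators kept.
SAMPLE_AUDIT = """\
----
time->Wed Sep  7 09:49:19 2016
type=SYSCALL msg=audit(1473256159.307:1887): arch=c000003e syscall=59 success=no exit=-13 ppid=1 pid=5826 comm="(ge-setup)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1473256159.307:1887): avc:  denied  { transition } for  pid=5826 comm="(ge-setup)" path="/usr/bin/docker-storage-setup" dev="vda1" ino=8411864 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1473256159.307:1887): op=security_compute_av reason=bounds scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process perms=transition
----
time->Wed Sep  7 09:49:19 2016
type=AVC msg=audit(1473256159.341:1889): avc:  denied  { transition } for  pid=5828 comm="(-current)" path="/usr/bin/docker-current" dev="vda1" ino=8411862 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=process
type=AVC msg=audit(1472842953.881:4761): avc:  denied  { transition } for  pid=9131 comm="exe" path="/bin/sh" dev="dm-1" ino=4194433 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c738,c986 tclass=process
type=USER_AVC msg=audit(1473396275.252:48576): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/docker.service" cmdline="systemctl start docker" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:docker_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; a value is "double-quoted", 'single-quoted' (USER_AVC msg=) or bare.
KV_RE = re.compile(r'''(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))''')
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_fields(text):
    """Turn key=value pairs (bare, "quoted" or 'quoted') into a dict, quotes stripped."""
    out = {}
    for key, dq, sq, bare in KV_RE.findall(text):
        out[key] = dq or sq or bare
    return out


def parse_events(text):
    """Group records sharing one audit id (timestamp:serial), in first-seen order."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:  # skips ausearch's 'time->' and '----' separator lines
            events.setdefault((m["ts"], m["serial"]), []).append((m["type"], m["body"]))
    return events


def denial_of(records):
    """Return (triple, perms, path, source) for the denial in one event, or None."""
    for rtype, body in records:
        if rtype == "AVC":
            avc_text, source = body, "kernel"
        elif rtype == "USER_AVC":
            # systemd (pid 1) is the userspace object manager for class 'service';
            # its verdict is wrapped in the msg='...' field of the record.
            avc_text, source = parse_fields(body).get("msg", ""), "userspace"
        else:
            continue
        m = AVC_RE.search(avc_text)
        if m and m["verdict"] == "denied":
            f = parse_fields(m["fields"])
            triple = (f.get("scontext"), f.get("tcontext"), f.get("tclass"))
            return triple, tuple(m["perms"].split()), f.get("path"), source
    return None


def bounds_triples(events):
    """(scontext, tcontext, tclass) triples the kernel refused under a typebounds.

    Not every denial of a triple carries the reason=bounds line (the
    docker-current events in comment 4 never do, while the docker-storage-setup
    ones for the same triple do), so match on the triple rather than on the
    event, or those denials would look like ordinary missing-rule ones.
    """
    found = set()
    for records in events.values():
        for rtype, body in records:
            f = parse_fields(body) if rtype == "SELINUX_ERR" else {}
            if f.get("op") == "security_compute_av" and f.get("reason") == "bounds":
                found.add((f["scontext"], f["tcontext"], f["tclass"]))
    return found


def type_of(context):
    return context.split(":")[2]  # user:role:type[:range] -> type


def classify(text):
    """One summary per denied event, with a cause label a triager can act on."""
    events = parse_events(text)
    bounded = bounds_triples(events)
    rows = []
    for (_ts, serial), records in events.items():
        d = denial_of(records)
        if d is None:
            continue
        triple, perms, path, source = d
        if triple in bounded:
            cause = "typebounds"  # comment 5: a rule allows it, the typebounds masks it
        elif source == "userspace":
            cause = "userspace-object-manager"  # comment 8; audit2allow may still say allowed
        else:
            cause = "ordinary-denial"  # no loaded rule allows it; audit2allow shows one
        rows.append({"serial": int(serial), "source_type": type_of(triple[0]),
                     "target_type": type_of(triple[1]), "tclass": triple[2],
                     "perms": perms, "path": path, "cause": cause})
    return rows


if __name__ == "__main__":
    for r in classify(SAMPLE_AUDIT):
        print(r["serial"], r["source_type"], "->", r["target_type"], r["tclass"], r["perms"], r["cause"])
```

Feed it `ausearch -m AVC,USER_AVC,SELINUX_ERR -i` style raw output (without `-i`) to get the same grouping on a live system.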

Comment 14 Alex Jia 2016-09-10 02:53:11 UTC
(In reply to Daniel Walsh from comment #13)
> Alex could you try 
> 
> yum reinstall docker-selinux
> 
> It seems like the policy is not currently loaded.

Daniel, I can start the docker service on another RHEL7 system, so it may be an environment issue.

Comment 16 Luwen Su 2016-11-10 09:56:37 UTC
# getenforce
Enforcing
# rpm -q selinux-policy
selinux-policy-3.13.1-102.el7_3.4.noarch
# rpm -q container-selinux
container-selinux-1.12.3-4.el7.x86_64
# rpm -q docker
docker-1.12.3-4.el7.x86_64
# service docker restart
Redirecting to /bin/systemctl restart  docker.service
# echo $?
0


Move to verified

Comment 18 errata-xmlrpc 2017-01-17 20:43:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html

