Description of problem:
I was trying to create a docker image from a git repo and was getting permission denied. After looking at the logs I determined it may be caused by selinux and disabled it and indeed the issue was resolved.

Version-Release number of selected component (if applicable):
[root@localhost ~]# rpm -qa |grep docker
docker-1.10.3-46.el7.14.x86_64
docker-common-1.10.3-46.el7.14.x86_64
docker-rhel-push-plugin-1.10.3-46.el7.14.x86_64
docker-selinux-1.10.3-46.el7.14.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install a rhel7 vm and subscribe to these channels: rhel-7-server-rpms, rhel-7-server-extras-rpms
2. yum update -y ; reboot; yum install docker
3. systemctl start docker.service
4. groupadd docker; chown root:docker /var/run/docker.sock
5. useradd <username>
6. usermod -G docker <user>
7. systemctl restart docker.service
8. add your user to sudoers and make it passwordless
9. su - <my_user>; ssh-keygen -t rsa -b 4096 -C <your_email>@redhat.com
10. add key to github
11. git clone https://github.com/ManageIQ/manageiq
12. git checkout origin/master
13. docker build -t <name of Image> <location> .

**make sure selinux is in enforcing mode**
**the full pod create procedure I am using is in Mojo: https://mojo.redhat.com/docs/DOC-1088558**

Actual results:
We fail with a permission denied error due to selinux configuration. If you run setenforce 0 and run docker build again you should be able to create the image.

Expected results:
selinux should not block docker build.

Additional info:

Dependencies Resolved
===================================================================================================
 Package                   Arch     Version                    Repository                  Size
===================================================================================================
Installing:
 docker                    x86_64   1.10.3-46.el7.14           rhel-7-server-extras-rpms   9.5 M
Installing for dependencies:
 audit-libs-python         x86_64   2.6.5-3.el7                rhel-7-server-htb-rpms       70 k
 checkpolicy               x86_64   2.5-4.el7                  rhel-7-server-htb-rpms      290 k
 docker-common             x86_64   1.10.3-46.el7.14           rhel-7-server-extras-rpms    61 k
 docker-rhel-push-plugin   x86_64   1.10.3-46.el7.14           rhel-7-server-extras-rpms   2.3 M
 docker-selinux            x86_64   1.10.3-46.el7.14           rhel-7-server-extras-rpms    79 k
 libseccomp                x86_64   2.3.1-2.el7                rhel-7-server-htb-rpms       56 k
 libsemanage-python        x86_64   2.5-4.el7                  rhel-7-server-htb-rpms      103 k
 oci-register-machine      x86_64   1:0-1.8.gitaf6c129.el7     rhel-7-server-extras-rpms   1.1 M
 oci-systemd-hook          x86_64   1:0.1.4-4.git41491a3.el7   rhel-7-server-extras-rpms    27 k
 policycoreutils-python    x86_64   2.5-8.el7                  rhel-7-server-htb-rpms      444 k
 python-IPy                noarch   0.75-6.el7                 rhel-7-server-aus-rpms       32 k
 setools-libs              x86_64   3.3.8-1.1.el7              rhel-7-server-htb-rpms      610 k
===================================================================================================

[dron1@localhost manageiq]$ docker build -t dafna_origin_docker_test1 .
Sending build context to Docker daemon 282.6 MB
Step 1 : FROM centos:7
 ---> 980e0e4c79ec
Step 2 : ENV container docker
 ---> Using cache
 ---> 734af3fd2567
Step 3 : MAINTAINER ManageIQ https://github.com/ManageIQ/manageiq-appliance-build
 ---> Using cache
 ---> 0479871e035b
Step 4 : ARG REF=master
 ---> Using cache
 ---> 16e74a86642d
Step 5 : ENV LANG en_US.UTF-8
 ---> Using cache
 ---> 50f45e6dea81
Step 6 : ENV TERM xterm
 ---> Using cache
 ---> ac1987df3c51
Step 7 : ENV RUBY_GEMS_ROOT /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0
 ---> Using cache
 ---> bc102bd0cc5a
Step 8 : ENV APP_ROOT /var/www/miq/vmdb
 ---> Using cache
 ---> b6fb3872a1ff
Step 9 : ENV APPLIANCE_ROOT /opt/manageiq/manageiq-appliance
 ---> Using cache
 ---> 33154cea5ec3
Step 10 : ENV SSUI_ROOT /opt/manageiq/manageiq-ui-self_service
 ---> Using cache
 ---> 996973459dd8
Step 11 : RUN curl -sSLko /etc/yum.repos.d/ncarboni-pglogical-SCL-epel-7.repo https://copr.fedorainfracloud.org/coprs/ncarboni/pglogical-SCL/repo/epel-7/ncarboni-pglogical-SCL-epel-7.repo
 ---> Running in 5962aead1ec8
permission denied
Container command could not be invoked.

[dron1@localhost manageiq]$ sudo ausearch -m avc -ts recent
----
time->Fri Sep 23 13:33:36 2016
type=SYSCALL msg=audit(1474626816.719:156): arch=c000003e syscall=59 success=no exit=-13 a0=c820595000 a1=c820577300 a2=c8200533e0 a3=0 items=0 ppid=11559 pid=12891 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1474626816.719:156): avc: denied { transition } for pid=12891 comm="exe" path="/usr/bin/bash" dev="dm-3" ino=14680218 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c111,c453 tclass=process
----
time->Fri Sep 23 13:35:02 2016
type=SYSCALL msg=audit(1474626902.282:169): arch=c000003e syscall=59 success=no exit=-13 a0=c820630620 a1=c820664600 a2=c8206bb920 a3=0 items=0 ppid=11559 pid=13009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1474626902.282:169): avc: denied { transition } for pid=13009 comm="exe" path="/usr/bin/bash" dev="dm-3" ino=14680218 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c77,c796 tclass=process
[dron1@localhost manageiq]$

You need to update to the rhel7.3 selinux-policy package and reinstall docker-selinux I believe. The problem you are seeing is that docker and docker-current are labeled incorrectly.
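
An added example, not part of the original report or reply: a small parser that pairs the SYSCALL and AVC records of each audit event and flags denied process transitions whose source domain is unconfined_service_t, the domain systemd gives a service whose executable carries no label that triggers a transition, which is the symptom matching the mislabeling diagnosis above. The function names are hypothetical, and the sample records are abridged from the ausearch output in the report.

```python
import re
from collections import defaultdict

# Records abridged from the ausearch output in the report (SYSCALL args trimmed).
SAMPLE = '''\
type=SYSCALL msg=audit(1474626816.719:156): arch=c000003e syscall=59 success=no exit=-13 pid=12891 comm="exe" exe="/usr/bin/docker-current" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1474626816.719:156): avc: denied { transition } for pid=12891 comm="exe" path="/usr/bin/bash" dev="dm-3" ino=14680218 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c111,c453 tclass=process
'''

EVENT_ID = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial and merge their key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # separators and "time->" lines carry no event id
        ev = events[m.group(1)]
        for key, value in FIELD.findall(line):
            ev.setdefault(key, value.strip('"'))  # first record wins on shared keys
        denied = DENIED.search(line)
        if denied:
            ev['denied'] = denied.group(1).split()
    return dict(events)

def setype(context):
    """Return the type (third field) of a user:role:type:level context."""
    return context.split(':')[2]

def unconfined_transition_denials(events):
    """Return (serial, exe, source type, target type) for each suspicious denial."""
    findings = []
    for serial, ev in events.items():
        if ev.get('tclass') != 'process' or 'transition' not in ev.get('denied', []):
            continue
        src, dst = setype(ev['scontext']), setype(ev['tcontext'])
        if src == 'unconfined_service_t':
            findings.append((serial, ev.get('exe'), src, dst))
    return findings

if __name__ == '__main__':
    for finding in unconfined_transition_denials(parse_events(SAMPLE)):
        print('event %s: %s runs as %s, denied transition to %s' % finding)
```
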