As always, I'm running with unconfined disabled. The Dockerfile for my container looks like so:

[sampre@vrici jbotcan_mariadb]$ cat Dockerfile
FROM mariadb:10.1.20
RUN usermod -u 1085 mysql
RUN find / -xdev -user 999 -print0 | xargs -0 chown mysql
RUN groupmod -g 1085 mysql
RUN find / -xdev -group 999 -print0 | xargs -0 chgrp mysql

Attempting to build that Docker container fails on the usermod step. I've tried various experiments, and literally every RUN line in there will fail. Here's the failure:

[sampre@vrici jbotcan_mariadb]$ sudo docker kill jbotcan_mariadb
Error response from daemon: Cannot kill container jbotcan_mariadb: Container 6f57b7a4320c40504092eb23185ebb17a753f8034baab672e1fb210a40a6d777 is not running
[sampre@vrici jbotcan_mariadb]$ sudo docker rm jbotcan_mariadb
jbotcan_mariadb
[sampre@vrici jbotcan_mariadb]$ sudo docker build --no-cache -t sampre/jbotcan_mariadb .
Sending build context to Docker daemon 119.6 MB
Step 1 : FROM mariadb:10.1.20
 ---> c9466db443d8
Step 2 : RUN usermod -u 1085 mysql
 ---> Running in dc0d3999b717
container_linux.go:247: starting container process caused "process_linux.go:258: applying cgroup configuration for process caused \"SELinux policy denies access.\""
invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:258: applying cgroup configuration for process caused \\\"SELinux policy denies access.\\\"\"\n"

If I use "setenforce 0" to build the thing and then turn enforcing back on, I also get errors when I try to run it:

[sampre@vrici jbotcan_mariadb]$ sudo /bin/docker run --name jbotcan_mariadb -v /home/sampre/jbotcan_mariadb/db:/var/lib/mysql -d sampre/jbotcan_mariadb
9191f4f6d95c7e7e4ae6e005fb9ea25284eb659dc050cf428bc57d382f6e3d0a
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:258: applying cgroup configuration for process caused \\\"SELinux policy denies access.\\\"\"\n".

Here https://paste.fedoraproject.org/520567/67384914 are all the AVCs resulting from the following 4 lines:

sudo docker build --no-cache -t sampre/jbotcan_mariadb .
sudo docker kill jbotcan_mariadb
sudo docker rm jbotcan_mariadb
sudo /bin/docker run --name jbotcan_mariadb -v /home/sampre/jbotcan_mariadb/db:/var/lib/mysql -d sampre/jbotcan_mariadb
The following seems to do the trick; no idea if it's a good solution:

policy_module(MYLOCAL_dockerbugs1410665,1.0.0)

require {
	type container_runtime_t;
	type container_plugin_var_run_t;
	type init_t;
	type init_var_run_t;
	class dir read;
	class system { start stop };
	class service start;
}

#============= container_runtime_t ==============
allow container_runtime_t container_plugin_var_run_t:dir read;
allow container_runtime_t init_t:system { start stop };
allow container_runtime_t init_var_run_t:service start;
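Added example (not part of the bug report, and not the docker or Fedora policy maintainers' code): the usual way to arrive at a local module like the one in the comment above is to feed the denied AVCs through audit2allow, build the result with checkmodule and semodule_package, and load it with semodule. The script below does the AVC-to-allow-rule step itself in awk so it runs without the SELinux toolchain, then builds and loads the module only where the tools and root privileges are available. The three AVC records are constructed to match the three allow rules above; on a real host take them from `ausearch -m AVC -ts recent` or /var/log/audit/audit.log. The module name MYLOCAL_dockerbugs1410665 is reused from the comment; everything else (function names, pids, inode numbers, timestamps) is made up for the example.

```shell
#!/bin/sh
# Added example: derive a local SELinux policy module from AVC denials, then build it.
# Constructed AVC records modelled on the three allow rules in the comment above.
SAMPLE_AVCS='type=AVC msg=audit(1484000000.101:301): avc:  denied  { read } for  pid=1200 comm="dockerd-current" name="docker" dev="tmpfs" ino=21001 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_plugin_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484000000.102:302): avc:  denied  { start stop } for  pid=1200 comm="dockerd-current" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0
type=AVC msg=audit(1484000000.103:303): avc:  denied  { start } for  pid=1200 comm="dockerd-current" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=service permissive=0'

# build_te NAME: read AVC records on stdin, print type-enforcement source on stdout.
# Mirrors what `audit2allow -M NAME` produces: one allow rule per (source, target, class)
# with permissions merged, plus a require block naming every type and class:permission used.
build_te() {
  awk -v name="$1" '
    /avc: +denied/ {
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/:.*/, "", src)
      tgt = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", tgt); sub(/:.*/, "", tgt)
      cls = $0; sub(/.*tclass=/, "", cls); sub(/[^a-z_].*/, "", cls)
      if (!(src in types)) { types[src] = 1; torder[++nt] = src }
      if (!(tgt in types)) { types[tgt] = 1; torder[++nt] = tgt }
      rule = src " " tgt ":" cls
      if (!(rule in rules)) { rules[rule] = ""; rorder[++nr] = rule }
      if (!(cls in cperms)) { cperms[cls] = ""; corder[++nc] = cls }
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) {
        if (!((rule, p[i]) in seen)) { seen[rule, p[i]] = 1; rules[rule] = rules[rule] " " p[i] }
        if (!((cls, p[i]) in cseen)) { cseen[cls, p[i]] = 1; cperms[cls] = cperms[cls] " " p[i] }
      }
    }
    END {
      # "module NAME 1.0;" is the syntax checkmodule compiles directly; the policy_module()
      # header used in the comment above is an m4 macro that needs the selinux-policy-devel Makefile.
      printf "module %s 1.0;\n\nrequire {\n", name
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", corder[i], cperms[corder[i]]
      printf "}\n\n"
      for (i = 1; i <= nr; i++) printf "allow %s {%s };\n", rorder[i], rules[rorder[i]]
    }'
}

# build_module DIR NAME: compile DIR/NAME.te into DIR/NAME.pp and load it when running as root.
# Without checkmodule (package checkpolicy) it only reports, so the script still runs offline.
build_module() {
  dir=$1 mod=$2
  if ! command -v checkmodule >/dev/null 2>&1; then
    echo "checkmodule not found; review $dir/$mod.te by hand and build it on the target host" >&2
    return 0
  fi
  checkmodule -M -m -o "$dir/$mod.mod" "$dir/$mod.te" || return 1
  semodule_package -o "$dir/$mod.pp" -m "$dir/$mod.mod" || return 1
  if [ "$(id -u)" -eq 0 ]; then
    semodule -i "$dir/$mod.pp"
  else
    echo "built $dir/$mod.pp; load it as root with: semodule -i $dir/$mod.pp" >&2
  fi
}

MODNAME=MYLOCAL_dockerbugs1410665
WORKDIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_AVCS" | build_te "$MODNAME" > "$WORKDIR/$MODNAME.te"
# Read the generated rules before loading them: start/stop on init_t:system lets the
# container runtime drive systemd, which is a broad grant for a local workaround.
cat "$WORKDIR/$MODNAME.te"
build_module "$WORKDIR" "$MODNAME" || echo "module build failed" >&2
```

Running the script as an unprivileged user prints the generated .te and stops at the build or load step; as root on a host with checkpolicy and policycoreutils installed it loads the module, after which `semodule -l | grep MYLOCAL` shows it and `semodule -r MYLOCAL_dockerbugs1410665` removes it again once the shipped policy carries the fix (the thread below reports that on Fedora 27).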
Docker policy is shipped by the docker team. Dan, could you look at it? Thanks.
Could you add the raw AVCs? What system service is docker starting and stopping?
The raw AVCs are in the last link in my first comment. Repeating:

Here https://paste.fedoraproject.org/520567/67384914 are all the AVCs resulting from the following 4 lines:

sudo docker build --no-cache -t sampre/jbotcan_mariadb .
sudo docker kill jbotcan_mariadb
sudo docker rm jbotcan_mariadb
sudo /bin/docker run --name jbotcan_mariadb -v /home/sampre/jbotcan_mariadb/db:/var/lib/mysql -d sampre/jbotcan_mariadb
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Confirmed fixed on Fedora 27.