Description of problem: SELinux is preventing docker from 'connectto' accesses on the unix_stream_socket /run/docker.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that docker should be allowed connectto access on the docker.sock unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'docker' --raw | audit2allow -M my-docker # semodule -X 300 -i my-docker.pp Additional Information: Source Context system_u:system_r:container_t:s0:c349,c487 Target Context system_u:system_r:container_runtime_t:s0 Target Objects /run/docker.sock [ unix_stream_socket ] Source docker Source Path docker Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.26.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.15.7-300.fc27.x86_64 #1 SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64 Alert Count 31 First Seen 2018-02-27 14:40:53 IST Last Seen 2018-03-19 10:13:35 IST Local ID 56aedbc4-d6ba-4304-941a-a4a499f604af Raw Audit Messages type=AVC msg=audit(1521447215.481:8893): avc: denied { connectto } for pid=5556 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c349,c487 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0 Hash: docker,container_t,container_runtime_t,unix_stream_socket,connectto Version-Release number of selected component: selinux-policy-3.13.1-283.26.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.7-300.fc27.x86_64 type: libreport Potential duplicate: bug 1426886
You do know this is a serious security issue. Giving a container access to the docker socket, means you are giving it full root on your system. So SELinux is doing its job. If you need to give container full access to the system then run it as a --privileged container or disable SELinux separation for the container. docker run --security-opt label:disable ...