moby: Cannot start docker engine after upgrade of both fedora & docker-engine due to selinux errors

Previously running Fedora 23 with docker-engine{,-selinux} 1.10.3 from Docker repos (not Fedora repos) - working fine for months. Upgraded to Fedora 24, then updated to Docker 1.11.2, which throws an error:

Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at line 148 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
/usr/sbin/semodule:  Failed!

Have a colleague with exactly the same problem. Tried uninstalling RPMs & reinstalling but no luck.

Output of docker version:

Client:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   b9f10c9
 Built:        Wed Jun  1 21:31:13 2016
 OS/Arch:      linux/amd64
Cannot connect to the Docker daemon. Is the docker daemon running on this host?

Output of docker info:

Cannot connect to the Docker daemon. Is the docker daemon running on this host?

Additional environment details (AWS, VirtualBox, physical, etc.): Laptop running Fedora 24

Steps to reproduce the issue: Not sure it’s 100% reproducible, but have a couple of colleagues with the same issue.

Describe the results you received: Cannot start docker.

Describe the results you expected: Able to start docker.

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 5
  • Comments: 53 (29 by maintainers)

Most upvoted comments

Looks like this is an issue with libsepol that is shipped in f24

If I compare the libsepol that is in Rawhide versus F24 I see these versions.

            latest                        f24
libsepol    libsepol-2.5-7.fc25.x86_64    libsepol-2.5-3.fc24    plautrba

Looking at the changelog of the rawhide version I see.

* Fri May 06 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-6
- Change logic of bounds checking to match change in kernel
- Fix multiple spelling errors

* Mon May 02 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
- Only apply bounds checking to source types in rules
- Fix CIL and not add an attribute as a type in the attr_type_map

These changes to the bounds checking would fix the issues you are seeing, I believe.

https://bugzilla.redhat.com/show_bug.cgi?id=1357154
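A quick way to check whether the installed libsepol is at or past the release the changelog above points to, as an added example (not code from this issue or from the docker/selinux projects): it implements the RPM version-segment comparison and applies it to the strings quoted in the comment. The threshold 2.5-5 is an assumption taken from that changelog (the first entry that changes bounds checking); the page does not state a single fixed version.

```python
import re
import sys

# Segments are runs of digits or runs of letters; anything else (., -, _) is a separator.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings the way rpm's rpmvercmp does
    (simplified: no '~' or '^' handling). Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            # A numeric segment sorts as newer than an alphabetic one.
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        # The string with more segments left over is the newer one.
        return -1 if len(sa) < len(sb) else 1
    return 0


def compare_evr(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, release only on a tie."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def evr_from_nvra(nvra: str) -> str:
    """'libsepol-2.5-3.fc24.x86_64' -> '2.5-3.fc24' (package name and arch stripped)."""
    s = nvra.removeprefix("libsepol-")
    return re.sub(r"\.(x86_64|i686|aarch64|noarch)$", "", s)


# Assumed threshold: first changelog entry in the comment that changes bounds checking.
FIXED_EVR = "2.5-5"


def libsepol_has_fix(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    return compare_evr(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Pass the output of `rpm -q libsepol` as the argument, e.g. libsepol-2.5-3.fc24.x86_64.
    nvra = sys.argv[1] if len(sys.argv) > 1 else "libsepol-2.5-3.fc24.x86_64"
    evr = evr_from_nvra(nvra)
    state = "includes" if libsepol_has_fix(evr) else "predates"
    print(f"{nvra}: {evr} {state} the bounds-checking change (>= {FIXED_EVR})")
```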

You can reproduce the problem by creating a completely vanilla Fedora 24, then put this in /etc/yum.repos.d/docker.repo (yes, using 23 packages on Fedora 24):

[docker]
baseurl = https://yum.dockerproject.org/repo/main/fedora/23/
enabled = 1
gpgcheck = 1
gpgkey = https://yum.dockerproject.org/gpg
name = Docker Repository

Then sudo dnf install docker-engine, which will install these packages:

$ rpm -qa | grep docker
docker-engine-selinux-1.11.2-1.fc23.noarch
docker-engine-1.11.2-1.fc23.x86_64

With SELinux in enforcing mode, you will see this error in audit.log:

type=AVC msg=audit(1467565297.287:719): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

With setenforce 0, sudo service docker start works and you can use docker-1.11 on Fedora 24.
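Before relaxing enforcement it is worth reading the AVC record to see exactly which subject, object and permission were involved. The following is an added example, not code from this issue: it parses `type=AVC` lines from audit.log into their fields, reads the source and target types out of the contexts, and tells an enforced denial (`permissive=0`) apart from one that was only logged. The sample log below is constructed; its first line is the denial quoted above, the other two are made up to exercise the permissive and non-AVC cases.

```python
import re

# Header of an AVC record: timestamp:serial, result, the permission set in braces.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs after "for", with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: line 1 is the denial from the comment, lines 2-3 are invented.
SAMPLE_LOG = """\
type=AVC msg=audit(1467565297.287:719): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=SERVICE_START msg=audit(1467565298.001:720): pid=1 uid=0 msg='unit=docker comm="systemd" res=failed'
type=AVC msg=audit(1467565301.512:721): avc:  denied  { read write } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
"""


def parse_avc(line: str):
    """Return a dict for an AVC line, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    # permissive=1 means the action was logged but allowed to proceed.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def context_type(ctx: str) -> str:
    """user:role:type:level -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def parse_audit(text: str):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def explain(rec: dict) -> str:
    outcome = "logged only (permissive)" if rec["permissive"] else "blocked (enforcing)"
    return (
        f"{rec.get('comm', '?')} ({context_type(rec['scontext'])}) {rec['result']} "
        f"{' '.join(rec['perms'])} on {rec['tclass']} labelled "
        f"{context_type(rec['tcontext'])}: {outcome}"
    )


if __name__ == "__main__":
    for rec in parse_audit(SAMPLE_LOG):
        print(explain(rec))
```

Run against a real file with `parse_audit(open("/var/log/audit/audit.log").read())`. For the denial in the comment the output reads that systemd, running as `init_t`, was refused `create` on a `unix_stream_socket` labelled `unconfined_service_t` while enforcing, which is why the unit fails rather than merely logging.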

@justincormack Plus, the daemon is not even starting, so there is no way for this code to be hit and cause any type of problem.

@rhatdan thanks for the help, I’ll track that bugzilla