moby: Docker 1.12 RC4: Unable to start container with SELinux enabled on Oracle Linux 7.2
Output of docker version:
# docker version
Client:
Version: 1.12.0-rc4
API version: 1.24
Go version: go1.6.2
Git commit: a0f42b4
Built:
OS/Arch: linux/amd64
Server:
Version: 1.12.0-rc4
API version: 1.24
Go version: go1.6.2
Git commit: a0f42b4
Built:
OS/Arch: linux/amd64
Output of docker info:
# docker info
Containers: 2
Running: 0
Paused: 0
Stopped: 2
Images: 5
Server Version: 1.12.0-rc4
Storage Driver: devicemapper
Pool Name: docker-251:0-34815383-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 1.128 GB
Data Space Total: 107.4 GB
Data Space Available: 5.712 GB
Metadata Space Used: 1.274 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.146 GB
Thin Pool Minimum Free Space: 10.74 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.107-RHEL7 (2015-10-14)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: overlay null bridge host
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 4.1.12-50.el7uek.netns.x86_64
Operating System: Oracle Linux Server 7.2
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 485.6 MiB
Name: localhost.localdomain
ID: Z4H2:K5TB:VIPY:FV57:JFSI:JM7M:DXE6:CTHJ:BYWP:KBFL:7QYF:T5RU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Insecure Registries:
127.0.0.0/8
Output of sestatus:
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 29
Description of the problem: Unable to start containers with SELinux enabled. Containers start fine with SELinux in permissive mode.
Steps to reproduce the issue:
- Create a container with SELinux enabled on the host
# docker run -it --rm oraclelinux:6.8 /bin/bash
Describe the results you received:
# docker run -it --rm oraclelinux:6.8 /bin/bash
standard_init_linux.go:175: exec user process caused "permission denied"
Describe the results you expected:
# docker run -it --rm oraclelinux:6.8 /bin/bash
[root@aab5f3f067db /]#
Additional information you deem important (e.g. issue happens only occasionally):
Changing the selinux context type for /usr/bin/docker* to docker_exec_t seems to fix the problem.
SELinux context before fix:
# ls -Z /usr/bin/docker*
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd-ctr
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd-shim
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/dockerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-proxy
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-runc
SELinux context that is working:
# ls -Z /usr/bin/docker*
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd-ctr
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd-shim
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/dockerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-proxy
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker-runc
docker/contrib/docker-engine-selinux/docker.fc has a context defined only for dockerd:
/usr/bin/dockerd -- gen_context(system_u:object_r:docker_exec_t,s0)
I guess the context with docker_exec_t type needs to be defined for other /usr/bin/docker* binaries as well.
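As an added example (not code from the issue or the Docker project), a POSIX shell check for the mislabelling described above: it parses `ls -Z` output and prints every /usr/bin/docker* binary whose SELinux type is not docker_exec_t. It is fed the report's "before fix" listing as a constructed sample so it runs offline, and it also accepts the newer two-column `ls -Z` format; the `semanage fcontext` / `restorecon` commands in the comments are the standard relabelling tools, not something the report itself ran.

```shell
#!/bin/sh
# Constructed sample input: the "before fix" ls -Z listing from the report,
# trimmed to four binaries so the check runs offline on any POSIX system.
SAMPLE_LISTING='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/dockerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-runc'

# The type the report shows as working for docker, dockerd and docker-runc.
EXPECTED_TYPE=docker_exec_t

# mislabelled_binaries: read "ls -Z" lines on stdin and print the path of
# every entry whose SELinux type differs from EXPECTED_TYPE.
# The context field is the first field containing at least two colons
# (user:role:type:level); that covers both the old 5-column format shown in
# the report and the newer 2-column "context path" format.
mislabelled_binaries() {
    awk -v want="$EXPECTED_TYPE" '
        {
            for (i = 1; i < NF; i++) {
                if (split($i, ctx, ":") >= 3) {
                    if (ctx[3] != want) print $NF
                    break
                }
            }
        }'
}

# count_mislabelled: number of mislabelled entries in the constructed sample.
count_mislabelled() {
    printf '%s\n' "$SAMPLE_LISTING" | mislabelled_binaries | wc -l | tr -d ' '
}

# check_host: the same check against a live host (needs SELinux and docker).
# To fix the labels persistently, add the file-context rule before
# relabelling; otherwise restorecon puts bin_t back:
#   semanage fcontext -a -t docker_exec_t '/usr/bin/docker.*'
#   restorecon -v /usr/bin/docker*
check_host() {
    ls -Z /usr/bin/docker* 2>/dev/null | mislabelled_binaries
}
```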
About this issue
- State: closed
- Created 8 years ago
- Comments: 38 (31 by maintainers)
Commits related to this issue
- Add Oracle Linux distro specific selinux policy With the latest OL7.2, selinux policy that is shipped might not be the latest for it to work or build with selinux policy for docker-1.12. To be able ... — committed to thtanaka/docker by thtanaka 8 years ago
- Add Oracle Linux distro specific selinux policy With the latest OL7.2, selinux policy that is shipped might not be the latest for it to work or build with selinux policy for docker-1.12. To be able ... — committed to tiborvass/docker by thtanaka 8 years ago
- Add Oracle Linux distro specific selinux policy With the latest OL7.2, selinux policy that is shipped might not be the latest for it to work or build with selinux policy for docker-1.12. To be able ... — committed to resouer/docker by thtanaka 8 years ago
Seeing this on RHEL with latest 1.12 - did this fix not make 1.12.0? Edit – see milestone has been updated to 1.12.1. The SELinux policy mods above didn’t fix for me on RHEL 7.2. Had to roll back to 1.11.
@crosbymichael I shouldn’t review issues at 4:30am. @sweekarp is on our QA team and logged this after internal 1.12-RC4 testing.