moby: runc regression - EPERM running containers from selinux

Trying to run containers on centOS with selinux enforcing on, runc gets a denial trying to access /proc/self/attrs/keycreate.

This happens when selinux-enabled=false on dockerd, which is the default. When selinux-enabled=true all is OK.

Reverting runc to an older commit (which does not mess with this file), everything starts up properly.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 4
  • Comments: 31 (20 by maintainers)

Most upvoted comments

sudo setenforce Permissive did the trick for me!

Server: Docker Engine - Community
 Engine:
  Version:          19.03.8
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       afacb8b
  Built:            Wed Mar 11 01:25:42 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

@cpuguy83 thanks for the suggestion. Manual update of the package docker-selinux to 2.99 fixed it, as the version is for whatever reason not available over my repos (RHEL 7.6):

sudo yum install http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.99-1.el7_6.noarch.rpm

Afterwards I’m back to docker-ce latest stable:

rpm -qa | grep docker
docker-ce-cli-19.03.1-3.el7.x86_64
docker-ce-19.03.1-3.el7.x86_64

That version is vulnerable to a nasty CVE.

Upgrade container-selinux and it will fix the issue.
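A small triage helper for the two points this thread makes (the keycreate denial in the original report, and the container-selinux 2.99 fix in the comments), written as an added example rather than anything from the moby or runc projects. The audit lines are constructed samples, and the function and variable names are my own; it checks audit-log text for AVC denials naming keycreate and tells you whether an installed container-selinux version predates 2.99.

```shell
#!/bin/sh
# Added example (not from the issue thread). Two checks a defender would run
# when containers fail with EPERM on /proc/self/attr/keycreate under SELinux:
#   1. are there AVC denials in the audit log that name "keycreate"?
#   2. is the installed container-selinux older than 2.99 (the fix reported above)?
# SAMPLE_AUDIT is constructed for this example; on a real host you would feed
# the output of `ausearch -m avc` or /var/log/audit/audit.log instead.

SAMPLE_AUDIT='type=AVC msg=audit(1583900000.123:456): avc:  denied  { write } for  pid=1234 comm="runc" name="keycreate" dev="proc" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1583900001.001:457): avc:  denied  { read } for  pid=1235 comm="cat" name="shadow" dev="dm-0" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Print the AVC denials on stdin that involve the keycreate attribute file.
# Exit status is 0 when at least one was found (grep semantics).
keycreate_denials() {
    grep 'avc: *denied' | grep 'name="keycreate"'
}

# Count keycreate denials in the audit text passed on stdin.
count_keycreate_denials() {
    keycreate_denials | wc -l | tr -d ' '
}

# Exit 0 if dotted version $1 is older than dotted version $2 (numeric, per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Given an rpm-style version-release string such as "2.77-1.el7" (strip the
# release part after "-"), exit 0 if it is older than the 2.99 build that fixed
# this issue for the commenter above.
needs_container_selinux_update() {
    version_lt "${1%%-*}" 2.99
}

# Stand-alone run: show the matching denials and the version verdict.
printf '%s\n' "$SAMPLE_AUDIT" | keycreate_denials
echo "keycreate denials: $(printf '%s\n' "$SAMPLE_AUDIT" | count_keycreate_denials)"
if needs_container_selinux_update "2.77-1.el7"; then
    echo "container-selinux 2.77-1.el7 predates 2.99: update the policy package"
fi
```

On a live host, replace SAMPLE_AUDIT with real audit output and pass `rpm -q --qf '%{VERSION}-%{RELEASE}' container-selinux` to needs_container_selinux_update.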