On 10/09/2015 06:12 AM, Daniel J Walsh wrote:
This looks like docker is running with the wrong context. Make sure
docker-selinux is installed. and /usr/bin/docker has the right label.
restorecon -v /usr/bin/docker
If docker is still labeled bin_t, then check if docker.pp is installed
semodule -l | grep docker
If you don't see docker listed, check if docker-selinux is installed.
yum install docker-selinux
If docker label changes you need to restart the docker daemon
systemctl restart docker
ps -eZ | grep docker
Should be running as docker_t
There could be a conflict between selinux-policy and docker-selinux, I
think selinux-policy has dropped docker.pp from its list of policy
packages, which it should do.
docker-selinux is now supposed to ship it. But it could be
docker-selinux is installed and then selinux-policy gets updated and
removes the docker.pp file.
Just speculating on what could cause this.
It's odd. If I start fresh with an 'older' F23 cloud image I never see
docker.pp installed:
```
[root@f23 ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-144.fc23.noarch
[root@f23 ~]# semodule -l | grep docker
[root@f23 ~]# dnf install -y docker &> /dev/null
[root@f23 ~]# rpm -q docker-selinux
docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
[root@f23 ~]# semodule -l | grep docker
[root@f23 ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 20707376 Sep 21 20:21
/usr/bin/docker
[root@f23 ~]# dnf update selinux-policy-targeted -y &> /dev/null
[root@f23 ~]# semodule -l | grep docker
[root@f23 ~]#
```
If I start with a slightly newer F23 cloud image I see:
```
[root@footest ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-147.fc23.noarch
[root@footest ~]# semodule -l | grep docker
[root@footest ~]# dnf install -y docker &> /dev/null
[root@footest ~]# rpm -q docker-selinux
docker-selinux-1.8.2-5.gitcb216be.fc23.x86_64
[root@footest ~]# semodule -l | grep docker
docker
[root@footest ~]# ls -lZ /usr/bin/docker
-rwxr-xr-x. 1 root root system_u:object_r:docker_exec_t:s0 20707376 Sep
21 20:21 /usr/bin/docker
[root@footest ~]# dnf update selinux-policy-targeted -y
Last metadata expiration check performed 0:04:49 ago on Fri Oct 9
15:40:48 2015.
Dependencies resolved.
Nothing to do.
Complete!
```
So.. Is there a bug here? Seems like it.
Dusty
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct