dpw / selinux-dockersock

Allow containers to access docker.sock under Fedora and RHEL
Apache License 2.0

Need to share docker.sock with :Z? #3

Closed robnagler closed 8 years ago

robnagler commented 8 years ago

Thanks for the SELinux magic! I did run into permission denied:

host# docker run -t -i --rm -v /run/docker.sock:/run/docker.sock fedora sh
sh-4.3# curl --unix-socket /run/docker.sock http:/images/json
curl: (7) Couldn't connect to server

Unless I run it like this:

host# docker run -t -i --rm -v /run/docker.sock:/run/docker.sock:Z fedora sh
sh-4.3# curl --unix-socket /run/docker.sock http:/images/json
[{"Id":"c96a6bbd3c69fbca141d98b8f2d879870713ea8c3ccacdfe9ae3a4ecffb66520","ParentId":"b7243d415ef23298ceac726ffa8c5c666fcf253ad9292144fea05e4bca4c35ce","RepoTags":[...snip...]

This is what ls -Z reports:

srw-rw----. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c416,c560 0 Apr 14 12:32 /run/docker.sock

Any ideas?

dpw commented 8 years ago

Interesting. I'm not sure why you would need :Z. Which distro is this, and which docker version?

robnagler commented 8 years ago

Docker version 1.9.1, build ee06d03/1.9.1 docker-1.9.1-9.gitee06d03.fc23.x86_64.rpm

Linux apa20b.bivio.biz 4.2.3-300.fc23.x86_64 #1 SMP Mon Oct 5 15:42:54 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Image is based on Debian Jessie 8.4: https://hub.docker.com/r/jupyter/jupyterhub/~/dockerfile/

dpw commented 8 years ago

I tried to reproduce this in a fedora23 VM, with the same docker version, without initial success: your example worked for me, with the dockersock selinux module loaded and without the :Z flag.

But then I found that if I try your example with the :Z flag, from that point on the :Z flag becomes necessary, and I can reproduce the problem as you describe.

So my guess is that you tried :Z as a workaround before trying the dockersock module?

If that's the case, then you can restore the selinux context on /run/docker.sock by restarting the docker daemon (restorecon doesn't help here):

# ls -lZ /run/docker.sock
srw-rw----. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c494,c906 0 Apr 24 18:38 /run/docker.sock
# systemctl restart docker
# ls -lZ /run/docker.sock
srw-rw----. 1 root root system_u:object_r:docker_var_run_t:s0 0 Apr 24 18:43 /run/docker.sock

After that, things work as I would expect, i.e. the :Z flag isn't needed.

Can you give this a go and see if you get the same result?
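An added example (not part of the original issue or the dpw/selinux-dockersock module): a small POSIX shell check that classifies the label ls -lZ shows on /run/docker.sock, so a setup script can tell the daemon-created docker_var_run_t label from the svirt_sandbox_file_t label left behind by an earlier :Z mount. The function names are my own, and the two sample lines are the contexts quoted in this thread, embedded here as constructed input.

```shell
#!/bin/sh
# Added example, not from the dpw/selinux-dockersock project. Classifies the
# SELinux type on /run/docker.sock to tell whether a previous ":Z" bind mount
# relabelled it. Function names and sample lines are constructed for this example.

# Extract the SELinux type (third field of user:role:type:level) from a
# context string such as "system_u:object_r:docker_var_run_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given one line of "ls -lZ /run/docker.sock" output, print a verdict:
#   ok        - docker_var_run_t, the label the daemon creates (no :Z needed)
#   relabeled - svirt_sandbox_file_t with MCS categories, left behind by :Z;
#               only a container with matching categories can connect, and
#               "systemctl restart docker" restores the daemon label
#   unknown   - any other type
dockersock_label_status() {
    # In "ls -lZ" output the context is the fifth whitespace-separated field.
    ctx=$(printf '%s\n' "$1" | awk '{print $5}')
    case "$(selinux_type "$ctx")" in
        docker_var_run_t)     echo ok ;;
        svirt_sandbox_file_t) echo relabeled ;;
        *)                    echo unknown ;;
    esac
}

# Check the live socket on a host; prints "unknown" when there is no socket.
check_live_socket() {
    if [ -S /run/docker.sock ]; then
        dockersock_label_status "$(ls -lZ /run/docker.sock)"
    else
        echo unknown
    fi
}

# Constructed sample input: the two ls -lZ lines quoted in this thread.
SAMPLE_RELABELED='srw-rw----. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c494,c906 0 Apr 24 18:38 /run/docker.sock'
SAMPLE_OK='srw-rw----. 1 root root system_u:object_r:docker_var_run_t:s0 0 Apr 24 18:43 /run/docker.sock'

echo "before restart: $(dockersock_label_status "$SAMPLE_RELABELED")"
echo "after restart:  $(dockersock_label_status "$SAMPLE_OK")"
```

Running check_live_socket on a host and acting on "relabeled" is the automated form of the restart step described above.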

robnagler commented 8 years ago

Thanks @dpw! It does indeed work. I will include a docker restart in the script.