Closed robnagler closed 8 years ago
Interesting. I'm not sure why you would need :Z. Which distro is this, and which docker version?
Docker version 1.9.1, build ee06d03/1.9.1 docker-1.9.1-9.gitee06d03.fc23.x86_64.rpm
Linux apa20b.bivio.biz 4.2.3-300.fc23.x86_64 #1 SMP Mon Oct 5 15:42:54 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Image is based on Debian Jessie 8.4: https://hub.docker.com/r/jupyter/jupyterhub/~/dockerfile/
I tried to reproduce this in a fedora23 VM, with the same docker version, without initial success: Your example worked for me, with the dockersock selinux module loaded and without the :Z flag.
But then I found that if I try your example with the :Z flag, from that point on the :Z flag becomes necessary, and I can reproduce the problem as you describe.
So my guess is that you tried :Z as a workaround before trying the dockersock module?
If that's the case, then you can restore the selinux context on /run/docker.sock by restarting the docker daemon (restorecon doesn't help here):
# ls -lZ /run/docker.sock
srw-rw----. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c494,c906 0 Apr 24 18:38 /run/docker.sock
# systemctl restart docker
# ls -lZ /run/docker.sock
srw-rw----. 1 root root system_u:object_r:docker_var_run_t:s0 0 Apr 24 18:43 /run/docker.sock
After that, things work as I would expect, i.e. the :Z flag isn't needed.
Can you give this a go and see if you get the same result?
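Added example, not part of the comment above or of the project's code: a shell check that reads an `ls -lZ` line for the Docker socket and reports whether it still carries the daemon's label or the per-container label left behind by `:Z`. The function names are hypothetical; the SELinux types and the two sample lines are the ones shown in the `ls -lZ` output in this thread.

```shell
#!/bin/sh
# Added example: classify the SELinux label on the Docker socket from `ls -lZ`.
# Sample input: the two `ls -lZ` lines quoted in the thread, embedded so this runs offline.
SAMPLE_RELABELED='srw-rw----. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c494,c906 0 Apr 24 18:38 /run/docker.sock'
SAMPLE_DEFAULT='srw-rw----. 1 root root system_u:object_r:docker_var_run_t:s0 0 Apr 24 18:43 /run/docker.sock'

# Print the user:role:type:level field of one `ls -lZ` line (empty if none).
context_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:s[0-9]/) { print $i; exit }
    }'
}

# Print the MCS categories of a context, e.g. "c494,c906"; empty if none.
mcs_categories() {
    printf '%s\n' "$1" | cut -d: -f5
}

# Print one of: ok, relabeled, unexpected, unknown.
classify_sock_label() (
    ctx=$(context_from_ls "$1")
    if [ -z "$ctx" ]; then echo unknown; exit 0; fi
    case "$(printf '%s\n' "$ctx" | cut -d: -f3)" in
        docker_var_run_t)     echo ok ;;          # label the daemon sets at start
        svirt_sandbox_file_t) echo relabeled ;;   # label applied by a :Z mount
        *)                    echo unexpected ;;
    esac
)

# Report on one line and say whether the daemon restart from the thread applies.
report() (
    ctx=$(context_from_ls "$1")
    state=$(classify_sock_label "$1")
    printf '%-10s %s\n' "$state" "${ctx:-<no context>}"
    if [ "$state" = relabeled ]; then
        printf '  categories: %s; restart docker to restore the label\n' \
            "$(mcs_categories "$ctx")"
    fi
)

report "$SAMPLE_RELABELED"
report "$SAMPLE_DEFAULT"
# On a live host: report "$(ls -lZ /run/docker.sock)"
```

A `relabeled` result means the socket was bind-mounted with `:Z` at some point since the daemon last started, which is the state that made the flag keep being necessary.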
Thanks @dpw! It does indeed work. I will include a docker restart in the script.
Thanks for the SELinux magic! I did run into permission denied:
Unless I run it like this:
This is what ls -Z reports:
Any ideas?