runc regression - EPERM running containers from selinux

Trying to run containers on CentOS with SELinux enforcing, runc gets a denial trying to access /proc/self/attrs/keycreate.

This happens when selinux-enabled=false on dockerd, which is the default. When selinux-enabled=true all is OK.

Reverting runc to an older commit (which does not mess with this file), everything starts up properly.

moby/moby

Answer by kolyshkin

Oh OK I got it!

yum downgrade container-selinux
....
Installed:
  container-selinux.noarch 2:2.74-1.el7

Complete!
[root@kir-ce75-gd ~]# docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown.
ERRO[0000] error waiting for container: context canceled
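As an added diagnostic, not code from the issue thread: a POSIX shell function that pulls the keycreate AVC denials out of audit-log lines, run here over two constructed sample lines (pids, inodes and contexts are made up), plus an optional helper that feeds live `ausearch` output through the same parser.

```shell
#!/bin/sh
# Constructed sample audit records (kernel AVC layout, values invented):
# the first is the keycreate write denial this issue is about, the second
# is an unrelated denial that must be ignored by the filter.
SAMPLE_AUDIT='type=AVC msg=audit(1557390000.123:456): avc:  denied  { write } for  pid=12345 comm="runc:[2:INIT]" name="keycreate" dev="proc" ino=67890 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1557390001.000:457): avc:  denied  { read } for  pid=12346 comm="nginx" name="index.html" dev="dm-0" ino=1 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# keycreate_denials AUDIT_TEXT
# Prints one line per AVC denial whose target is the keycreate attr file:
#   pid=<pid> comm=<process> perms=<denied permissions> scontext=<source ctx>
keycreate_denials() {
  printf '%s\n' "$1" | awk '
    /avc: *denied/ && /name="keycreate"/ {
      pid = ""; comm = ""; sctx = ""; perms = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^pid=/)      pid  = substr($i, 5)
        if ($i ~ /^comm=/)     comm = substr($i, 6)
        if ($i ~ /^scontext=/) sctx = substr($i, 10)
      }
      # the denied permission set sits between the braces: { write }
      if (match($0, /\{[^}]*\}/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      gsub(/"/, "", comm)
      printf "pid=%s comm=%s perms=%s scontext=%s\n", pid, comm, perms, sctx
    }'
}

# live_keycreate_denials
# Same parser over the host audit log; needs auditd and read access to it.
live_keycreate_denials() {
  command -v ausearch >/dev/null 2>&1 || { echo "ausearch not found" >&2; return 1; }
  keycreate_denials "$(ausearch -m avc --raw 2>/dev/null)"
}

keycreate_denials "$SAMPLE_AUDIT"
```

An empty result from live_keycreate_denials with SELinux enforcing means the "permission denied" on /proc/self/attr/keycreate is not coming from an audited AVC denial, so the policy/container-selinux version is not the thing to look at first.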
