runc regression - EPERM running containers from selinux

Trying to run containers on CentOS with selinux enforcing on, runc gets a denial trying to access /proc/self/attrs/keycreate.

This happens when selinux-enabled=false on dockerd, which is the default. When selinux-enabled=true all is OK.

After reverting runc to an older commit (which does not mess with this file), everything starts up properly.


Answer questions kolyshkin

Oh OK I got it!

yum downgrade container-selinux
  container-selinux.noarch 2:2.74-1.el7

[root@kir-ce75-gd ~]# docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown.
ERRO[0000] error waiting for container: context canceled

