Docker namespaces and SELinux not working

Question

My system:

Debian 9 Stretch
Docker version 17.06.0-ce, build 02c1d87
SELinux

This is just running fine.

But, if I also activate Namespace Remapping (default, using the dockremap User), I can't run or start any of my Containers.

 # docker run hello-world
nsenter: failed to unshare namespaces: Operation not permitted
container_linux.go:262: starting container process caused "process_linux.go:247: running exec setns process for init caused \"exit status 34\""
docker: Error response from daemon: oci runtime error: container_linux.go:262: starting container process caused "process_linux.go:247: running exec setns process for init caused \"exit status 34\"".

If I disable SELinux enforcing, (or namespaces), everything is just fine again.

Using audit2allow did not work.

Does someone have some tips & tricks for me to get the whole thing working?

What's the output from audit2allow when you set SELinux to permissive before firing up the container? — desasteralex, Sep 14 '18 at 19:10

score 0 · Answer 1 · answered Sep 14 '18 at 19:01

0

Hard to troubleshoot on Debian, but this definitely works on Fedora/RHEL/CentOS. The SELinux policies are designed for containers and mapping works. I just did it today with podman rootless containers.

answered Sep 14 '18 at 19:01

fatherlinux

146
1
6

Docker namespaces and SELinux not working

1 Answers1