Skip to content
Allow containers to access docker.sock under Fedora and RHEL
Makefile
Branch: master
Clone or download
Latest commit 240caff Apr 24, 2016
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Initial commit Feb 2, 2015
LICENSE Add license Mar 25, 2015
Makefile Say how to unload the module Apr 24, 2016
README.md Say how to unload the module Apr 24, 2016
dockersock.te Initial commit Feb 2, 2015

README.md

selinux-dockersock

A nice trick with docker is to mount the docker daemon's unix socket into a container, so that container can act as a client to the docker daemon it is running under, e.g.:

docker run ... -v /var/run/docker.sock:/var/run/docker.sock

But this doesn't work with Fedora or RHEL as the host because of their use of SELinux to harden containers. When the docker client attempts to access /var/run/docker.sock within the container, you'll get "Permission denied" errors.

This repo contains a small SELinux module that fixes this issue, allowing containers to access the socket.

Usage

Make sure you have the prerequisite SELinux utilities by doing (on RHEL/CentOS/Fedora/etc.):

yum install policycoreutils policycoreutils-python checkpolicy

Then as root, just do

make

Or if you are paranoid, without being root you can do

make dockersock.pp

to build the SELinux policy module package, and then load it as root with

semodule -i dockersock.pp

Should you ever wish to remove the module, do

semodule -r dockersock
You can’t perform that action at this time.