
standard_init_linux.go:178: exec user process caused "permission denied" #30097

Closed
rhoerbe opened this issue Jan 12, 2017 · 4 comments

Comments

@rhoerbe

rhoerbe commented Jan 12, 2017

Seems to be related to #24612 which is closed.

Description
After running the most recent Centos7 update, starting a container fails with
standard_init_linux.go:178: exec user process caused "permission denied".

The reason seems to be:
ls -Z /usr/bin/docker*
-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/bin/docker-compose
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd-ctr
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-containerd-shim
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/dockerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-proxy
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-runc

Workaround:
chcon -t docker_exec_t /usr/bin/docker*

Steps to reproduce the issue:
(except the system update which would be some work to reproduce)

  1. docker run 02nginx

Describe the results you received:
container did not start. /var/log/audit/audit.log contains:
type=SYSCALL msg=audit(1484225519.082:1472): arch=c000003e syscall=59 success=no exit=-13 a0=c8200efe20 a1=c8200efe30 a2=c8200956d0 a3=0 items=0 ppid=16257 pid=16272 auid=4294967295 uid=8002 gid=8002 euid=8002 suid=8002 fsuid=8002 egid=8002 sgid=8002 fsgid=8002 tty=pts1 ses=4294967295 comm="exe" exe="/usr/bin/docker-runc" subj=system_u:system_r:unconfined_service_t:s0 key=(null)

Describe the results you expected:
container would start.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:      1.12.6
 API version:  1.24
 Go version:   go1.6.4
 Git commit:   78d1802
 Built:        Tue Jan 10 20:20:01 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.6
 API version:  1.24
 Go version:   go1.6.4
 Git commit:   78d1802
 Built:        Tue Jan 10 20:20:01 2017
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 15
 Running: 12
 Paused: 0
 Stopped: 3
Images: 704
Server Version: 1.12.6
Storage Driver: devicemapper
 Pool Name: docker-253:1-523975-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: ext4
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 27.02 GB
 Data Space Total: 107.4 GB
 Data Space Available: 80.35 GB
 Metadata Space Used: 35.95 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.112 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.135-RHEL7 (2016-09-28)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null bridge host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-514.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 5.671 GiB
Name: netcup8
ID: 2633:DTUO:CEO7:JQZU:4VPY:7WRI:VFJC:U2KO:XEUC:I22Y:7O2V:22I2
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: rhoerbe
Registry: https://index.docker.io/v1/
Insecure Registries:
 127.0.0.0/8

Additional environment details (AWS, VirtualBox, physical, etc.):
KVM
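The diagnosis above rests on two pieces of evidence: the SELinux type on each docker binary in the ls -Z listing, and the audit record for the refused exec. The script below is an added example, not code from the issue or from Docker, that checks a listing for binaries whose type is not docker_exec_t and decodes the fields of the audit record that matter here; the samples it runs on are constructed from the lines quoted in the report.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue or from Docker: flag docker
# binaries whose SELinux type is not docker_exec_t, and decode the fields
# of the audit record that explain the denied exec.

EXPECTED_TYPE="docker_exec_t"

# Constructed sample: four lines from the report's "ls -Z /usr/bin/docker*".
SAMPLE_LS_Z='-rwxr-xr-x. root root system_u:object_r:docker_exec_t:s0 /usr/bin/docker
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/bin/docker-compose
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/dockerd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/docker-runc'

# The audit record quoted in the report (a0..a3 and most id fields trimmed).
AUDIT_LINE='type=SYSCALL msg=audit(1484225519.082:1472): arch=c000003e syscall=59 success=no exit=-13 uid=8002 comm="exe" exe="/usr/bin/docker-runc" subj=system_u:system_r:unconfined_service_t:s0 key=(null)'

# Read "ls -Z" lines on stdin; print "path type" for each entry whose type
# (3rd component of the context in field 4) differs from EXPECTED_TYPE.
find_mislabeled() {
  awk -v want="$EXPECTED_TYPE" '
    NF >= 5 {
      split($4, ctx, ":")
      if (ctx[3] != want) print $5, ctx[3]
    }'
}

# Read audit SYSCALL records on stdin; print the fields that matter here.
# syscall 59 on x86_64 is execve and exit -13 is EACCES; subj is the domain
# of the process that was denied (unconfined_service_t here, consistent with
# the daemon binary carrying bin_t instead of docker_exec_t).
audit_summary() {
  awk '{
    split("", f)
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n == 0) continue
      k = substr($i, 1, n - 1); v = substr($i, n + 1)
      gsub(/"/, "", v)
      f[k] = v
    }
    sc = f["syscall"]; if (sc == "59")  sc = sc " (execve)"
    ex = f["exit"];    if (ex == "-13") ex = ex " (EACCES)"
    printf "syscall=%s exit=%s exe=%s subj=%s\n", sc, ex, f["exe"], f["subj"]
  }'
}

# Stand-alone run on the constructed samples.
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled
printf '%s\n' "$AUDIT_LINE" | audit_summary
```

On a live host, feed it `ls -Z /usr/bin/docker*` and `ausearch -m avc,syscall -c exe` style output instead of the samples, and compare against what the loaded policy expects with `restorecon -nv /usr/bin/docker*`. A chcon label is lost at the next relabel, so the persistent fix is a policy whose file contexts are correct, which is what the packaging work in #29960 is about.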

@cpuguy83
Member

Thanks, working on packaging issues with the selinux policy in #29960

@crosbymichael
Contributor

@cpuguy83 has this been resolved?

@cpuguy83
Member

cpuguy83 commented May 8, 2017

Yes, though no fix made it to 1.12 (for the record).

@YuLimin

YuLimin commented Apr 22, 2021

setenforce 0 (to Permissive) if getenforce is Enforcing, then sestatus to check it.


6 participants