
SELinux: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock #9

Closed
rbellamy opened this issue Mar 7, 2020 · 1 comment

Comments

@rbellamy
Contributor

rbellamy commented Mar 7, 2020

Putting this here for others.

In the runner:

root@50a4dc272487:/actions-runner# docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied

On the host:

----
time->Sat Mar  7 21:21:39 2020
type=PROCTITLE msg=audit(1583616099.890:863): proctitle=646F636B6572007073
type=SYSCALL msg=audit(1583616099.890:863): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=c00056f290 a2=17 a3=0 items=0 ppid=3254 pid=3267 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="docker" exe="/usr/bin/docker" subj=system_u:system_r:container_t:s0:c36,c702 key=(null)
type=AVC msg=audit(1583616099.890:863): avc:  denied  { connectto } for  pid=3267 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c36,c702 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0

If you're running the default Docker package from CentOS or RH it doesn't disable SELinux at the daemon. Start the container with --security-opt=label=disable.

# Usage: github-runner <org>/<repo> <runner-token> [image-tag]
function github-runner {
    name="github-runner-${1//\//-}"   # "org/repo" -> "github-runner-org-repo"
    org=$(dirname "$1")
    repo=$(basename "$1")
    tag=${3:-latest}
    # remove any previous runner container of the same name before recreating it
    docker rm -f "$name"
    # label=disable works around the SELinux connectto denial shown above
    # (container_t is not allowed to connect to the container_runtime_t socket)
    docker run -d --restart=always \
        --security-opt=label=disable \
        -e REPO_URL="https://github.com/${org}/${repo}" \
        -e RUNNER_TOKEN="$2" \
        -e RUNNER_NAME="linux-${repo}" \
        -e RUNNER_WORKDIR="/tmp/github-runner" \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /tmp/github-runner:/tmp/github-runner \
        --name="$name" "myoung34/github-runner:${tag}"
}

https://bugzilla.redhat.com/show_bug.cgi?id=1669728
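The AVC record above is the part of the audit trail that actually tells you what was blocked: the source type (container_t), the target type (container_runtime_t), the object class (unix_stream_socket) and the permission (connectto). As an added example that is not part of this issue or of the myoung34/github-runner project, the following Python script parses such `type=AVC` lines, pulls those fields out, and flags the specific "confined container talking to the bind-mounted docker socket" pattern so it can be told apart from other denials before deciding whether `label=disable` (which removes SELinux confinement from that container entirely) is the right trade-off. The sample line is copied from the host audit log quoted above; the regexes, the `AvcEvent` class and the `explain` wording are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Audit record copied from the issue above (the host side of the denial).
SAMPLE_AVC = (
    'type=AVC msg=audit(1583616099.890:863): avc:  denied  { connectto } for  '
    'pid=3267 comm="docker" path="/run/docker.sock" '
    'scontext=system_u:system_r:container_t:s0:c36,c702 '
    'tcontext=system_u:system_r:container_runtime_t:s0 '
    'tclass=unix_stream_socket permissive=0'
)

# "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="docker") or bare (pid=3267)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    result: str
    perms: Tuple[str, ...]
    pid: Optional[int]
    comm: Optional[str]
    path: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one audit line; returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return AvcEvent(
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        pid=int(kv["pid"]) if "pid" in kv else None,
        comm=kv.get("comm"),
        path=kv.get("path"),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        permissive=kv.get("permissive") == "1",
    )


def is_docker_socket_denial(ev: AvcEvent) -> bool:
    """True when a confined container was refused a connect to the runtime socket."""
    return (
        ev.result == "denied"
        and ev.tclass == "unix_stream_socket"
        and "connectto" in ev.perms
        and selinux_type(ev.scontext) == "container_t"
        and selinux_type(ev.tcontext) == "container_runtime_t"
    )


def explain(ev: AvcEvent) -> str:
    """One-line triage summary for an AVC event."""
    stype, ttype = selinux_type(ev.scontext), selinux_type(ev.tcontext)
    mode = "permissive (logged only)" if ev.permissive else "enforcing"
    if is_docker_socket_denial(ev):
        return (f"pid {ev.pid} ({ev.comm}) in {stype} was refused connectto on "
                f"{ev.path} owned by {ttype}: bind-mounted docker socket from a "
                f"confined container [{mode}]")
    return (f"pid {ev.pid} ({ev.comm}) in {stype} {ev.result} "
            f"{' '.join(ev.perms)} on {ev.tclass} labelled {ttype} [{mode}]")


if __name__ == "__main__":
    event = parse_avc(SAMPLE_AVC)
    print(explain(event))
```

Feed it the output of `ausearch -m avc` (or the raw audit.log) one line at a time; non-AVC records such as the SYSCALL and PROCTITLE lines above simply come back as None.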

@myoung34
Owner

myoung34 commented Mar 8, 2020

I'll add this to the readme. Nice catch!

@myoung34 myoung34 closed this as completed Mar 8, 2020