Just updated docker on my CentOS 7 server to version 1.11 from 1.10.x and my containers will no longer start. They are getting permission denied when trying to open /dev/null
The issue is that the /dev mount inside the container appears to be labeled as docker_tmpfs_t and the context the container run in (svirt_lxc_net_t) is not allowed to access resources with that label.
I can work around this by patching my local SELinux policy directly, but this feels like a bug to me.
Labeling systems like SELinux require that proper labels are placed on volume
content mounted into a container. Without a label, the security system might
prevent the processes running inside the container from using the content. By
default, Docker does not change the labels set by the OS.
To change a label in the container context, you can add either of two suffixes
:z or :Z to the volume mount. These suffixes tell Docker to relabel file
objects on the shared volumes. The z option tells Docker that two containers
share the volume content. As a result, Docker labels the content with a shared
content label. Shared volume labels allow all containers to read/write content.
The Z option tells Docker to label the content with a private unshared label.
Only the current container can use a private volume.
Notice that the current directory ‘.’ is labeled as docker_tmpfs_t as are most of the relevant device files and links zero, full, null, urandom, stderr, stdout, stdin, and so on.
I believe this is an incorrect labeling, but I’m not sure why it is happening. The issue is that the SELinux policy that comes with centos 7 does not allow processes in docker containers to access file labeled with docker_tmpfs_t as those are supposed to be temporary files for the docker daemon itself not containers.