Start a container on Ubuntu with SMACK security

Can a Docker container, by design, be started on an Ubuntu host with SMACK security enabled?

The Ubuntu is 16.04.1 LTS, with "security=smack" added to the kernel command line. The docker.io version is 1.12.1 from the stock Ubuntu packages. It looks like the Docker daemon runs. But when I issue "docker run" or "docker start", it hangs forever. The "docker images" and "docker ps -a" commands work well. Using strace shows it hangs at a call to futex(0x12fe988, FUTEX_WAIT, 0, NULL (notice that there is no closing parenthesis; it stopped running there until I hit Ctrl-C to break out).

The Docker Engine documentation mentions the options "--cap-add=MAC_OVERRIDE" and "--cap-add=MAC_ADMIN" for SMACK. So it looks like it should work. What other configuration or options are needed to get this to work?
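A diagnostic helper for the situation described in the post above. This is an added example, not code from the original post, from Docker or from Ubuntu. It checks what the kernel actually reports (the security= boot parameter, the active LSM list in /sys/kernel/security/lsm, whether smackfs is mounted), then runs the hanging command under a deadline while tracing the daemon rather than the client: the client's futex(FUTEX_WAIT) is the Go runtime parking a thread while it waits for the daemon's reply, so the interesting syscalls are in dockerd. Assumptions: a Linux host with /proc and securityfs, the Docker 1.12 daemon binary named dockerd, strace, pgrep and timeout(1) installed, root privileges for ptrace, and a locally available busybox image for the test run.

```shell
#!/bin/sh
# Added diagnostic helper for "docker run hangs with security=smack".
# Not part of the original post, Docker or Ubuntu. Assumes Linux, a dockerd
# process (Docker 1.12+), strace, pgrep, timeout and a local busybox image.

# Print the value of the security= kernel parameter from a command-line
# string, or "none" (exit 1) when the parameter is absent.
security_param() {
    for tok in $1; do
        case "$tok" in
            security=*) printf '%s\n' "${tok#security=}"; return 0 ;;
        esac
    done
    printf 'none\n'
    return 1
}

# Succeed when a smackfs filesystem is mounted. Reads /proc/mounts by
# default; a different file can be passed (used for offline testing).
# /proc/mounts columns: device mountpoint fstype options dump pass
smackfs_mounted() {
    awk '$3 == "smackfs" { found = 1 } END { exit !found }' "${1:-/proc/mounts}"
}

# Run a command with a deadline so a hanging "docker run" returns control.
# Returns the command's status; 124 means timeout(1) killed it.
run_with_deadline() {
    secs=$1; shift
    timeout "$secs" "$@"
    rc=$?
    [ "$rc" -eq 124 ] && echo "timed out after ${secs}s: $*" >&2
    return $rc
}

# Trace dockerd (all threads, with timestamps) while the client command
# runs, writing the log to the given file. Tracing the client only shows
# the Go runtime idling in futex(); the daemon is where the work happens.
trace_daemon_during() {
    log=$1; shift
    pid=$(pgrep -x dockerd) || { echo "dockerd not running" >&2; return 2; }
    strace -f -tt -p "$pid" -o "$log" &
    tracer=$!
    sleep 1                       # give strace time to attach
    run_with_deadline 30 "$@"
    rc=$?
    kill "$tracer" 2>/dev/null
    wait "$tracer" 2>/dev/null
    echo "daemon trace written to $log (last lines follow)" >&2
    tail -n 20 "$log" >&2
    return $rc
}

main() {
    echo "security= on kernel cmdline : $(security_param "$(cat /proc/cmdline)")"
    if [ -r /sys/kernel/security/lsm ]; then
        echo "active LSMs                 : $(cat /sys/kernel/security/lsm)"
    else
        echo "active LSMs                 : /sys/kernel/security/lsm not readable"
    fi
    if smackfs_mounted; then
        echo "smackfs                     : mounted"
    else
        echo "smackfs                     : not mounted"
    fi
    # The capabilities named in the Docker docs for SMACK, applied to the
    # test container; busybox is assumed to be present locally.
    trace_daemon_during /tmp/dockerd.strace \
        docker run --rm --cap-add=MAC_ADMIN --cap-add=MAC_OVERRIDE busybox true
}

# Only execute the live checks when asked, so the helper functions can be
# sourced and exercised without touching the daemon.
[ "${1:-}" = "run" ] && main
```

Run it as root with `sh diag.sh run`; with no argument it only defines the functions. If smackfs is not mounted or /sys/kernel/security/lsm does not list smack, the kernel is not actually enforcing SMACK despite the boot parameter, which changes what the hang can be attributed to; if the daemon trace ends in a blocked syscall on a SMACK-labelled path, that is the place to start reading.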
