It is a great pleasure to join this forum after spending some time reading posts and exploring some of the (very helpful!) Docker guides.
My question pertains to Docker-CE which appears to be restricted by Fapolicyd.
I have used Docker to run a few apps on Linux and everything went smoothly, from the initial “docker run hello-world” to the installation and use of these apps.
The error message is as follows: docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: can't copy bootstrap data to pipe: write init-p: broken pipe: unknown
Configuration:
Oracle Linux 9.5 (Red Hat compatible)
Docker-CE installed from package, version 28.0.2, build 0442a73
Could someone please help and recommend the rules to be added so that Docker can operate?
Hello!
To resolve Docker-CE’s “broken pipe” error with Fapolicyd, you need to allow Docker’s runtime binaries. Identify Docker executables like docker, runc, and docker-containerd, then create Fapolicyd rules using either file paths or, more securely, SHA256 hashes. Place these rules in /etc/fapolicyd/rules.d/, update Fapolicyd with fapolicyd-cli --update, and restart both Fapolicyd and Docker services. Hash-based rules are strongly recommended for security, and remember to update rules after Docker updates.
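One way to carry out the steps in the reply above, as an added example that is not part of the thread or of any Docker or fapolicyd project code: a POSIX shell script that writes hash-based fapolicyd allow rules for Docker's runtime binaries and installs them. Rule syntax follows fapolicyd.rules(5), where the object attribute for a hash match is `sha256hash=`. The binary paths, the rule file name `30-docker.rules`, and the use of `fagenrules --load` to compile `/etc/fapolicyd/rules.d/` are assumptions about a RHEL-family host; check the paths with `command -v docker runc containerd` before running it.

```sh
#!/bin/sh
# Added example for the reply above; not part of the thread. Generates
# hash-based fapolicyd allow rules (fapolicyd.rules(5) syntax) for Docker's
# runtime binaries and installs them. Binary paths, the rule file name and
# the use of fagenrules are assumptions about a RHEL-family host.

# Emit one hash-based allow rule for a binary. Fails if the file is absent so
# that a typo in a path cannot silently produce a rule for nothing.
fapolicyd_hash_rule() {
    bin="$1"
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 1; }
    hash=$(sha256sum "$bin" | cut -d' ' -f1)   # lowercase hex, no 0x prefix
    printf 'allow perm=any all : sha256hash=%s\n' "$hash"
}

# Emit a path-based rule: survives package upgrades, but anything written to
# that path is trusted, which is why the reply prefers hashes.
fapolicyd_path_rule() {
    printf 'allow perm=any all : path=%s\n' "$1"
}

# Produce the complete rule file body for every binary given as an argument.
generate_docker_rules() {
    for bin in "$@"; do
        fapolicyd_hash_rule "$bin" || return 1
    done
}

# Install step, run as root. The numeric prefix must sort before the packaged
# deny rules (e.g. 90-deny-execute.rules) because the first matching rule wins.
install_docker_rules() {
    rules_file=/etc/fapolicyd/rules.d/30-docker.rules   # name is an assumption
    generate_docker_rules \
        /usr/bin/docker /usr/bin/dockerd /usr/bin/containerd \
        /usr/bin/containerd-shim-runc-v2 /usr/bin/runc > "$rules_file" \
        || { rm -f "$rules_file"; return 1; }   # never leave a partial file
    fagenrules --load       # compile rules.d/ into the active rule set
    fapolicyd-cli --update  # as in the reply: refresh the daemon's trust database
    systemctl restart fapolicyd docker   # restart picks up the new rules
}

# Only touch the system when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "install" ]; then
    install_docker_rules
fi
```

Because the rules pin the exact file contents, every Docker, containerd or runc package update changes the hashes and the file must be regenerated (`sh script.sh install` again) before the new binaries will run; that maintenance cost is the trade-off against the path-based rule the reply calls less secure. The `fapolicyd-cli` debug-deny mode described in its man page is the quickest way to confirm which binary is still being denied if the error persists after the rules are loaded.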
Hi @james015sims, many thanks for joining the thread!
Well, that’s actually the process that I have followed, but the issue is to find out the proper rules, as it looks there aren’t many threads about this topic. One exception is another post on the Docker forum (cf DSTIG and Docker), but it wasn’t answered. On other websites, I only found one thread on Reddit but no response or solution either.
Would it be possible to know please what these recommended rules are, a bit like this was answered on GitHub for that other application? https://github.com/rancher/rke2/issues/2848