Tags: docker, docker-compose, selinux, coreos

Access to docker.socket using SELinux in FCOS


Intro

Greetings,

For a week I've been trying to set up FCOS (Fedora CoreOS) and run a Docker Swarm on it along with SELinux (this is my first experience with SELinux).

Containers are running fine, but when I try to use /var/run/docker.sock I always get permission denied:

portainer_agent.0.k9c6uqifwohk@localhost    | 2020/03/14 13:24:11 [ERROR] [main,docker] [message: Unable to retrieve information from Docker] [error: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: dial unix /var/run/docker.sock: connect: permission denied]

I've already tried disabling SELinux (setenforce 0) to confirm that the problem comes from SELinux.

Info

docker.socket

srw-rw----. 1 root docker system_u:object_r:container_var_run_t:s0 0 Mar 14 13:14 /var/run/docker.sock

Here is the docker-compose.yaml I'm using for my tests:

version: '3.2'

services:
  agent:
    image: portainer/agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:z      
      - /var/lib/docker/volumes:/var/lib/docker/volumes:z
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]


networks:
  agent_network:
    driver: overlay
    attachable: true

Thanks for your help!


Solution

  • I've finally succeeded, using dockersock.te from this GitHub repository.

    Here is the function I use in my installation script:

    function fix_socket_permission()
    {
        echo "Downloading docker socket policy"
        # rpm-ostree layers the package into a new deployment, so the tools it
        # brings are only available after the host has been rebooted.
        sudo rpm-ostree install policycoreutils-python-utils
        echo "Need reboot"
        # need to reboot

        # -f fails on HTTP errors instead of saving an error page as the policy
        curl -fsSL https://raw.githubusercontent.com/dpw/selinux-dockersock/master/dockersock.te -o /tmp/dockersock.te

        echo "Applying policy to system"
        # compile the type-enforcement source into a module, package it, and load it
        checkmodule -M -m -o /tmp/dockersock.mod /tmp/dockersock.te
        semodule_package -o /tmp/dockersock.pp -m /tmp/dockersock.mod
        sudo semodule -i /tmp/dockersock.pp
        rm -f /tmp/dockersock.te /tmp/dockersock.mod /tmp/dockersock.pp
    }
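Before loading a policy module like the one in the answer, it helps to confirm from the audit log which SELinux denials are actually being hit. The shell functions below are an added example that is not part of the original thread or of the selinux-dockersock project: they filter AVC records of the kind written to /var/log/audit/audit.log down to those involving docker.sock and print the allow rule each one corresponds to, which is what audit2allow -a (from the policycoreutils-python-utils package installed in the answer) does on a real host. The sample audit lines, the comm name "agent" and the context labels in them are constructed for illustration and are assumptions, not output captured from the poster's system.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise SELinux AVC denials
# that involve the Docker daemon socket, so the needed allow rules can be
# checked before a module such as dockersock.te is compiled and loaded.

# Constructed sample audit records, shaped like /var/log/audit/audit.log AVC
# lines. Values are illustrative assumptions, not captured from a real host.
SAMPLE_AVC='type=AVC msg=audit(1584192251.123:4321): avc:  denied  { write } for  pid=2411 comm="agent" name="docker.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1584192251.123:4322): avc:  denied  { connectto } for  pid=2411 comm="agent" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1584192260.500:4330): avc:  denied  { read } for  pid=900 comm="nginx" name="index.html" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Print one "source_type target_type class permission" line per denial that
# mentions docker.sock (by name= or path=); unrelated denials are dropped.
docker_sock_denials() {
    printf '%s\n' "$1" | grep 'avc:  denied' | grep -E 'docker\.sock' | \
    sed -E 's/.*\{ ([a-z_]+) \}.*scontext=[^:]+:[^:]+:([a-z_]+):.*tcontext=[^:]+:[^:]+:([a-z_]+):.*tclass=([a-z_]+).*/\2 \3 \4 \1/'
}

# Number of docker.sock-related denials in the given audit text.
count_docker_sock_denials() {
    docker_sock_denials "$1" | wc -l | tr -d ' '
}

# Render each denial as the type-enforcement allow rule it corresponds to,
# in the same form audit2allow would print it.
suggest_allow_rules() {
    docker_sock_denials "$1" | awk '{ printf "allow %s %s:%s %s;\n", $1, $2, $3, $4 }'
}

# Prints two rules for the sample: sock_file write on the socket file, and
# unix_stream_socket connectto against the daemon's own domain.
suggest_allow_rules "$SAMPLE_AVC"
```

Two checks apply to the socket, and the listing in the question shows both: the discretionary mode and ownership (srw-rw---- root docker) mean the process inside the container still has to run as root or with the docker group's gid, while the SELinux context (container_var_run_t) is what the denied write comes from. The connectto denial is checked against the daemon process's domain rather than the file, which is why a complete module needs both kinds of rule. An allow rule written for the container domain applies to every process in that domain, not only to this agent, so a host that loads it should treat any container mounting docker.sock as having full control of the daemon.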