Disabling SELinux breaks docker overlayfs

Hi everyone,

I just installed CoreOS for the first time and tried deploying a couple of docker containers.
However, since I had some permission issues with mounts and the containers won't run in production anyways, I disabled SELinux in /etc/selinux/config.

After rebooting I noticed the containers were not starting anymore, dmesg shows this:
[ 17.613759] overlayfs: unrecognized mount option "context="system_u:object_r:container_file_t:s0:c123" or missing value
[ 17.613844] overlayfs: unrecognized mount option "context="system_u:object_r:container_file_t:s0:c25" or missing value

I tried removing --selinux-enabled from /etc/sysconfig/docker, but that didn't help; only setting SELinux to permissive fixed the issue, which however causes a lot of audit message spam in the logs.

I only found this stale bug report https://bugzilla.kernel.org/show_bug.cgi?id=199257 describing the same issue: apparently, since the SELinux context isn't intercepted by SELinux anymore, the option is passed on to the FS, which complains about the unknown mount option.

Is there a way to fix this? I know I could just set up SELinux correctly, but for a quick and easy development VM it would still be nice to be able to just disable SELinux.

Update: To anyone coming here with a similar issue - maybe it’s just easiest to set it up correctly.
Run containers that need access to /var/run/docker.sock with --privileged (https://danwalsh.livejournal.com/78373.html)
Mount other files/folders with :z and :Z according to https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

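As an added example (not code from the original post, CoreOS or Docker), here is a small Python check that diagnoses the state described above from three inputs: the SELINUX= value in /etc/selinux/config, whether /etc/sysconfig/docker still passes --selinux-enabled, and whether dmesg shows overlayfs rejecting the context= mount option. The OPTIONS= line format, the verdict names and the sample inputs are assumptions constructed for the example; on a real host the three texts would be read from the files and from dmesg.

```python
"""Diagnose the 'overlayfs: unrecognized mount option "context=..."' failure.

Added example, not code from the original post. It cross-checks the three
things a host in that state shows at once: SELinux set to disabled in
/etc/selinux/config, the daemon still started with --selinux-enabled in
/etc/sysconfig/docker, and overlayfs rejecting the SELinux context= mount
option in dmesg. Inputs are passed in as text so the check runs offline on
the constructed samples at the bottom.
"""
import re
from dataclasses import dataclass

# The kernel prints the whole option Docker handed it, so the label sits
# inside a second pair of quotes: "context="<label>".
OVERLAYFS_CONTEXT_RE = re.compile(
    r'overlayfs: unrecognized mount option "context="(?P<label>[^"]+)"'
)
# SELINUX=... but not the SELINUXTYPE=... line and not commented lines.
SELINUX_MODE_RE = re.compile(r"^\s*SELINUX\s*=\s*(\w+)", re.MULTILINE)
# Assumed layout of /etc/sysconfig/docker: a single OPTIONS=... line.
DOCKER_OPTIONS_RE = re.compile(r"^\s*OPTIONS\s*=\s*(.*)$", re.MULTILINE)


def selinux_mode(selinux_config: str) -> str:
    """Return the SELINUX= value (disabled/permissive/enforcing) or 'unknown'."""
    m = SELINUX_MODE_RE.search(selinux_config)
    return m.group(1).lower() if m else "unknown"


def docker_selinux_enabled(docker_sysconfig: str) -> bool:
    """True if the OPTIONS line still carries --selinux-enabled."""
    m = DOCKER_OPTIONS_RE.search(docker_sysconfig)
    return bool(m) and "--selinux-enabled" in m.group(1)


def rejected_contexts(dmesg: str) -> list[str]:
    """Collect every SELinux label overlayfs refused as a mount option.

    The trailing MCS level (s0:c123, s0:c25) is per container, so each label
    identifies one container whose overlay mount failed.
    """
    return [m.group("label") for m in OVERLAYFS_CONTEXT_RE.finditer(dmesg)]


@dataclass
class Diagnosis:
    selinux_mode: str      # value from /etc/selinux/config
    docker_flag: bool      # --selinux-enabled present in the daemon options
    rejected: list[str]    # labels overlayfs refused
    verdict: str           # "mismatch", "rejected" or "ok" (assumed names)


def diagnose(selinux_config: str, docker_sysconfig: str, dmesg: str) -> Diagnosis:
    """Combine the three sources into one verdict."""
    mode = selinux_mode(selinux_config)
    flag = docker_selinux_enabled(docker_sysconfig)
    rejected = rejected_contexts(dmesg)
    if rejected and mode == "disabled":
        # The case from the post: the LSM is off, so context= is no longer
        # consumed by SELinux and reaches overlayfs, which does not know it.
        verdict = "mismatch"
    elif rejected:
        # Labels refused although SELinux is not disabled; outside this post.
        verdict = "rejected"
    else:
        verdict = "ok"
    return Diagnosis(mode, flag, rejected, verdict)


# Constructed samples mirroring the post; not captured from a real host.
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
"""
SAMPLE_DOCKER_SYSCONFIG = """\
OPTIONS='--selinux-enabled --log-driver=journald'
"""
SAMPLE_DMESG = """\
[   17.613759] overlayfs: unrecognized mount option "context="system_u:object_r:container_file_t:s0:c123" or missing value
[   17.613844] overlayfs: unrecognized mount option "context="system_u:object_r:container_file_t:s0:c25" or missing value
"""

if __name__ == "__main__":
    d = diagnose(SAMPLE_SELINUX_CONFIG, SAMPLE_DOCKER_SYSCONFIG, SAMPLE_DMESG)
    print(f"SELinux mode: {d.selinux_mode}, daemon --selinux-enabled: {d.docker_flag}")
    for label in d.rejected:
        print(f"overlayfs rejected label: {label}")
    if d.verdict == "mismatch":
        print("SELinux is disabled but container mounts still carry labels.")
        print("Set SELINUX=permissive or enforcing, reboot, and label bind")
        print("mounts with :z (shared) or :Z (private) instead of disabling it.")
```

The verdict strings are the example's own; the recommendation printed for "mismatch" is the one the update in the post gives, re-enable SELinux and label the bind mounts with :z or :Z rather than turning the LSM off.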