Docker error with /var/run/docker.sock

barn · August 8, 2019, 2:46am

Having trouble with this container: jwilder/nginx-proxy. I havnt had any issues on other distros.

dockergen.1 | 2019/08/08 02:39:50 Error retrieving docker server version info: Get http://unix.sock/version: dial unix /tmp/docker.sock: connect: permission denied

Here is a sample launch script:

sudo docker run --detach
–name nginx-proxy
–publish 80:80
–publish 443:443
–volume /etc/nginx/certs
–volume /etc/nginx/vhost.d
–volume /usr/share/nginx/html
–volume /var/run/docker.sock:/tmp/docker.sock:ro
jwilder/nginx-proxy

Obviously its a permission issue. But i haven’t had luck getting around yet.

refi64 · August 8, 2019, 4:39am

I’m guessing this is due to the normal interactions between Docker and SELinux. In most cases, you can automatically change the SELinux label of a volume you’re mounting via the :z and :Z modifiers, but in this case you probably don’t want to relabel the Docker socket. As a workaround therefore, you can try disabling SELinux label enforcement for this container via --security-opt label=disable.

miabbott · August 9, 2019, 3:52pm

Is the docker service started? systemctl status docker

What do the permissions + SELinux labels look like on the socket? ls -laZ /tmp/docker.sock

Are there any errors in the journal about docker? journalctl -b | grep docker

Additionally, any SELinux denials? journalctl -b | grep 'avc: denied'

barn · August 10, 2019, 2:56pm

Yup, this works. Whats a more permanent fix?

barn · August 10, 2019, 2:57pm

I think you and refi64 are right on. The suggestion to disable SELinux worked. Here is the info you requested:

Is the docker service started?

…yes.

What do the permissions + SELinux labels look like on the socket?

$ ls -laZ /var/run/docker.sock
srw-rw----. 1 root root system_u:object_r:container_var_run_t:s0 0 Aug 5 21:50 /var/run/docker.sock

Are there any errors in the journal about docker ?
Additionally, any SELinux denials?

Yes, this is the top error which includes avc denial:

Aug 10 09:32:41 mediabarn audit[13556]: AVC avc: denied { connectto } for pid=13556 comm=“docker-gen” path=“/run/docker.sock” scontext=system_u:system_r:container_t:s0:c179,c1019 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0

refi64 · August 11, 2019, 4:15am

Afaik there isn’t really one, you could disable selinux system-wide or Docker-wide, but that would mess with the security of all your other containers with little benefit…

You could try relabeling the socket with :z, but it would likely mess stuff up.

Topic		Replies	Views
Docker container permissions broken after upgrade Ask Fedora f42	4	327	April 18, 2025
Disabling SELinux breaks docker overlayfs Project Discussion coreos-wg	0	2121	May 30, 2020
Fedora update broke docker Ask Fedora f36 , docker , selinux	0	470	September 16, 2022
SELinux preventing read on files copied during Docker build Ask Fedora docker , selinux , coreos	4	595	March 31, 2025
Mounting volumes in Docker and SELinux Ask Fedora docker , selinux	1	1966	July 2, 2019

Docker error with /var/run/docker.sock

Related topics