I followed your instructions and it works. It does not mention that you need to logout/login after you run the usermod command to add the user to the docker group. The group changes take effect on next login.
Ah, for me the it is docker service itself that won’t start.
i.e. systemctl start docker.
So that bit doesn’t even rely on me being in the docker group.
Interesting that it worked for you guys.
I must have messed something up.
I’ll keep digging.
EDIT: I think it’s probably because that repo “9” is centos stream which will be different to Rocky 9. Or different enough. At least that is my understanding. I should have a look at podman.
You can use the selinux tools to resolve selinux issues without having to turn selinux into permissive mode. Once the problem occurs, you can then from the console do:
audit2allow -a /var/log/audit/audit.log
based on the results, you can then follow the command suggested to create a policy. Obviously the command I gave would then allow all violations. Once you view the output, and let’s say the suggested violation is named docker_t, then what you can do is this to filter even more:
Thanks a lot for the quick response. I will definitely give the custom selinux policy a shot and report back here.
Still, the question remains why this is apparently necessary on Rocky 9 and not on RHEL 9, with both having the same versions of docker-ce (3:20.10.17-3.el9) and container-selinux (3:2.179.1-1.el9_0) installed.
I don’t have an RHEL9 to hand, but you could compare the content of each files within that container-selinux package to see if there are any differences. I see 20 files in that package in total, but not all of them will have an effect on selinux itself, so could be easy enough to nail it down. The copy both files to your system and do a diff between them. Theoretically there shouldn’t be any differences, but it could be one way to find out.
This is likely due to the container-selinux package being built in an incorrect order when we bootstrapped 9.0. We are pushing an update over the weekend that should hopefully address this (as well as podman.service issues that were reported at our bug tracker).