问题描述
我使用官方的二进制包进行安装，手动启动没有问题（直接运行 /usr/bin/dockerd 能启动成功），但是使用 systemctl start docker 启动失败了，配置如下
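# Create the systemd unit file.
# The here-doc delimiter is quoted ('EOF') so the shell does not expand anything
# inside the unit body; the file is written verbatim.
sudo tee /etc/systemd/system/docker.service > /dev/null <<'EOF'
[Unit]
Description=Docker Application Container Engine
# Start dockerd only once the network is up.
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Restart=always
RestartSec=2
# dockerd manages its own cgroup subtree.
Delegate=yes
# On stop, terminate only dockerd itself rather than every process in the cgroup.
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

# A binary copied by hand into /usr/bin keeps the SELinux label of the directory it
# came from (the audit log shows admin_home_t), which the init_t domain may not
# execute. Reset it to the default label for /usr/bin instead of disabling SELinux.
# Skipped silently on hosts without SELinux tooling.
if command -v restorecon >/dev/null 2>&1; then
  sudo restorecon -v /usr/bin/dockerd
fi

# Reload, enable and start the service.
sudo systemctl daemon-reload
sudo systemctl enable docker
sudo systemctl start docker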
错误信息：
[root@localhost ~]# systemctl start docker
Warning: The unit file, source configuration file or drop-ins of docker.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xeu docker.service" for details.
后面查到是 SELinux 导致的。审计日志里的关键信息是 tcontext=unconfined_u:object_r:admin_home_t:s0：手动拷贝到 /usr/bin 的 dockerd 仍然带着家目录的文件标签 admin_home_t，而 systemd 的 init_t 域没有执行该类型文件的权限；手动在 shell 里运行能成功，是因为登录 shell 属于 unconfined 域。因此根本原因是文件标签不对，执行 `sudo restorecon -v /usr/bin/dockerd` 把标签恢复为 /usr/bin 下的默认值即可，不必关闭 SELinux。
[root@localhost ~]# sudo ausearch -m avc -ts recent
----
time->Thu Jun 26 23:35:34 2025
type=PROCTITLE msg=audit(1750995334.312:483): proctitle="(dockerd)"
type=SYSCALL msg=audit(1750995334.312:483): arch=c000003e syscall=21 success=no exit=-13 a0=7ffc6288d900 a1=1 a2=0 a3=3 items=0 ppid=1 pid=39593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(dockerd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1750995334.312:483): avc: denied { execute } for pid=39593 comm="(dockerd)" name="dockerd" dev="sda4" ino=540385146 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Jun 26 23:35:34 2025
type=PROCTITLE msg=audit(1750995334.571:487): proctitle="(dockerd)"
type=SYSCALL msg=audit(1750995334.571:487): arch=c000003e syscall=21 success=no exit=-13 a0=7ffc6288d900 a1=1 a2=0 a3=3 items=0 ppid=1 pid=39597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(dockerd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1750995334.571:487): avc: denied { execute } for pid=39597 comm="(dockerd)" name="dockerd" dev="sda4" ino=540385146 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Jun 26 23:35:34 2025
type=PROCTITLE msg=audit(1750995334.820:491): proctitle="(dockerd)"
type=SYSCALL msg=audit(1750995334.820:491): arch=c000003e syscall=21 success=no exit=-13 a0=7ffc6288d900 a1=1 a2=0 a3=3 items=0 ppid=1 pid=39598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(dockerd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1750995334.820:491): avc: denied { execute } for pid=39598 comm="(dockerd)" name="dockerd" dev="sda4" ino=540385146 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Jun 26 23:35:35 2025
type=PROCTITLE msg=audit(1750995335.069:495): proctitle="(dockerd)"
type=SYSCALL msg=audit(1750995335.069:495): arch=c000003e syscall=21 success=no exit=-13 a0=7ffc6288d900 a1=1 a2=0 a3=3 items=0 ppid=1 pid=39599 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(dockerd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1750995335.069:495): avc: denied { execute } for pid=39599 comm="(dockerd)" name="dockerd" dev="sda4" ino=540385146 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
解决方案
1. 临时关闭（setenforce 0 只对当前运行有效，重启后恢复 enforcing）
[root@localhost ~]# sudo setenforce 0
[root@localhost ~]# sudo systemctl start docker
[root@localhost ~]# systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/etc/systemd/system/docker.service; enabled; preset: disabled)
Active: active (running) since Thu 2025-06-26 23:41:24 EDT; 10min ago
Main PID: 39926 (dockerd)
Tasks: 27
Memory: 33.0M
CPU: 656ms
CGroup: /system.slice/docker.service
├─39926 /usr/bin/dockerd
└─39938 containerd --config /var/run/docker/containerd/containerd.toml
# 看状态已经启动成功了
2. 永久关闭 SELinux（需重启生效）
sudo vi /etc/selinux/config
# 修改项目
SELINUX=disabled # 彻底关闭(或设为 permissive 仅记录不阻止)