Sharing /dev/ with the container breaks /dev/ptmx on the host about runc HOT 2 CLOSED

This seems to be due to the default SELinux policy for a Fedora system which includes:

$ sudo semanage fcontext -l | grep ptmx
/dev/ptmx character device system_u:object_r:ptmx_t:s0

This omits the Symlink that replaces the character device. The following resolves the condition in my testing:

$ sudo semanage fcontext -a -f l -t ptmx_t /dev/ptmx

I would recommend:

$ diff -up docker.fc.bak docker.fc
--- docker.fc.bak 2016-03-08 11:33:38.894580384 -0500
+++ docker.fc 2016-03-08 11:33:52.348740405 -0500
@@ -1,5 +1,7 @@
/root/.docker gen_context(system_u:object_r:docker_home_t,s0)

+/dev/ptmx -l gen_context(system_u:object_r:ptmx_t:s0)
+
/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)

/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)

Ninja edit>
Had to edit the above so that the correct "ptmx_t" context was included in the patch.

• Kyle

from runc.

moby/moby#21808 is hitting this issue again.

#96 (comment) introduced setupDev := len(config.Devices) != 0 for this issue.

But I'm not sure there is any path that sets setupDev to false, because config.Devices seems to be always set to non-empty(3baae2d, #536) in spec_linux.go: createDevices().

• createDevices:

  runc/libcontainer/specconv/spec_linux.go

  Line 456 in 6c88a52

  config.Devices = []*configs.Device{

• CreateLibcontainerConfig:

  runc/libcontainer/specconv/spec_linux.go

  Line 200 in 6c88a52

  if err := createDevices(spec, config); err != nil {

• createContainer:

  runc/utils.go

  Line 178 in 6c88a52

  config, err := specconv.CreateLibcontainerConfig(&specconv.CreateOpts{

• startContainer:

  runc/start.go

  Line 118 in 6c88a52

  container, err := createContainer(context, id, spec)

from runc.