In a Docker container running on an SELinux capable kernel, the fact that /sys is mounted RO is supposed to signal to the container that SELinux is not supported on the inside, so it doesn't try to do things that won't work. The version of libselinux in Ubuntu 12.04 is too old to have the above check, breaking basic functionality like shadow-utils.
RHEL 6 had the same problem; their fix was to update libselinux: https://bugzilla.redhat.com/show_bug.cgi?id=1112748
Previously reported downstream: https://github.com/tianon/docker-brew-ubuntu-core/issues/29
Release: Ubuntu 12.04.5 LTS
Installed package version: 2.1.0-4.1ubuntu1
Expected results:
# useradd test
<success>
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
Actual results:
root@b55e77ab9ef4:/# useradd test
useradd: failure while writing changes to /etc/passwd
root@b55e77ab9ef4:/# vipw
vipw: setfscreatecon () failed: Permission denied
vipw: /etc/passwd is unchanged
root@b55e77ab9ef4:/# id -Z
system_u:system_r:svirt_lxc_net_t:s0:c14,c127
Same problem here (in my case the host is an x86_64 Fedora 22 box and the Docker container is running Precise); note that *anything* that tries to update SELinux context will fail due to the Docker-unaware libselinux. This includes a simple "cp -a". Since "cp -a" appears to be used somewhere deep inside dh_install, this breaks package building in a Precise Docker container. Since that's what I use my Docker containers for, this is something of a deal breaker for me!
Looks like the specific patch mentioned above is libselinux-
My temporary workaround in the meantime was to simply replace the Precise libselinux1 package with that from Trusty. Frankly I'm surprised that worked but it does appear to be binary compatible. i.e. my Precise Dockerfile includes the line
RUN wget http://