FixPedia
Linux EACCESHigh

Docker permission denied: causes and 5 proven solutions

This article explains why Docker access errors occur in Linux and offers 5 practical solutions—from adding users to groups to configuring SELinux/AppArmor.

Updated at February 16, 2026
15-30 min
Medium
FixPedia Team
Применимо к:Ubuntu 20.04+Debian 11+CentOS 8+RHEL 8+Fedora 35+

-and ownerroot:docker`."

  • name: "Temporary Solution via sudo" text: "For an urgent start, use sudo docker ..., but this is not recommended for daily work due to security risks." howToTotalTime: "PT15M"

What the permission denied Error Means in Docker

The permission denied error (sometimes with the EACCES code) means that the current Linux user does not have permissions to access the Docker daemon (via the /var/run/docker.sock socket) or the files/directories inside a container/image.

Typical full text:

docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.41/containers/create": dial unix /var/run/docker.sock: connect: permission denied.

Or when working with files:

docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution.

The error appears when executing any docker command (run, ps, build, pull) as a regular user.

Common Causes

  1. User is not a member of the docker group
    By default, the /var/run/docker.sock socket belongs to the docker group. If the user is not in this group, access is denied.
  2. Incorrect permissions on the /var/run/docker.sock socket
    For example, if the socket is created with permissions 600 (root only) or owned by root:root.
  3. SELinux in enforcing mode (RHEL/CentOS/Fedora)
    SELinux can block Docker's access to the socket or files. Often manifests as avc: denied messages in audit.log.
  4. AppArmor (Ubuntu/Debian)
    AppArmor profiles can restrict Docker. Look for errors in syslog or dmesg.
  5. Attempting to mount a host directory without permissions
    With docker run -v /host/path:/container, if the user lacks read/write permissions on /host/path.
  6. Filesystem mounted with noexec or nosuid options
    Can interfere with executing binaries inside the container.

This is the canonical solution for most distributions.

  1. Add the current user to the docker group:
sudo usermod -aG docker $USER

The -aG (append to group) flag is critical—without it, the user might be removed from other groups.

  1. Apply the changes: log out of the terminal and system (or reboot). In the new session, check:
groups

The docker group should be listed.

  1. Verify commands work without sudo:
docker run hello-world

If the container starts—the issue is resolved.

⚠️ Important: After adding to the group, a new login is required. This is a common oversight.

Solution 2: Temporary Run via sudo (Not for Production)

If you need to start a container urgently and cannot configure groups:

sudo docker run -it ubuntu bash

Drawbacks:

  • The container inherits the host's root privileges (security risk).
  • Files created in the container will be owned by root on the host.
  • Inconvenient for daily work.

Solution 3: Check/Fix Socket Permissions Manually

If the docker group exists but access is still denied:

  1. Check current permissions:
ls -l /var/run/docker.sock

Expected output:

srw-rw---- 1 root docker 0 Feb 16 12:00 /var/run/docker.sock

If the group is not docker or permissions are 600:

  1. Set correct owner and permissions:
sudo chown root:docker /var/run/docker.sock
sudo chmod 660 /var/run/docker.sock
  1. Restart Docker (just in case):
sudo systemctl restart docker

💡 Tip: Socket permissions are reset when Docker restarts. If the problem recurs, check the daemon configuration (/etc/docker/daemon.json) or system unit files.

Solution 4: SELinux Configuration (for RHEL/CentOS/Fedora)

If getenforce returns Enforcing:

  1. Check SELinux logs for denials:
sudo ausearch -m avc -ts recent
  1. Quickest fix (temporary, until reboot):
sudo setenforce 0

Try running Docker. If it works—SELinux is the culprit.

  1. For a permanent fix:
    • Either set SELinux to permissive in /etc/selinux/config (less secure).
    • Or create a proper policy:
sudo semanage permissive -a docker_t
  • Or install the docker-selinux package (if not installed):
sudo yum install docker-selinux
  1. Re-enable enforcing:
sudo setenforce 1

Solution 5: AppArmor Configuration (Ubuntu/Debian)

  1. Check if the Docker profile is loaded:
sudo apparmor_status | grep docker

Should show docker-default (enforced).

  1. If the profile causes issues, you can disable it (temporarily):
sudo aa-disable /etc/apparmor.d/docker

Or for a specific container:

docker run --security-opt apparmor=unconfined ...
  1. For a permanent fix, reinstall Docker (profile will be recreated):
sudo apt-get install --reinstall docker-ce

Prevention

  • Never work as root unnecessarily. Add users to the docker group instead of using sudo.
  • Regularly check /var/run/docker.sock permissions after system or Docker updates.
  • In production, use rootless Docker (if supported by your distro)—this isolates the daemon from root.
  • When mounting host directories ensure the user has permissions on them (e.g., chmod o+rx /host/path for read access).
  • On distributions with SELinux/AppArmor do not disable them entirely—configure policies for Docker.
  • After group changes remind users that a re-login is necessary.

FAQ

Q: Why does the error persist after adding myself to the docker group?
A: Most likely, you didn't log out and back in. Groups are loaded at login. Check with id -nG—if docker is missing, you need a new session.

Q: Can I change the socket group to sudo instead of docker?
A: Technically, sudo chown root:sudo /var/run/docker.sock would work, but it violates the principle of least privilege. The docker group exists specifically for this purpose.

Q: How do I create the docker group if it doesn't exist?
A: The group is created automatically during Docker installation. If missing, reinstall Docker or create it manually: sudo groupadd docker (usually not required).

Q: What's the difference between docker and docker-root groups?
A: Some distributions (e.g., older RHEL) may have a docker-root group. It's used for rootless mode. For standard Docker, you need docker.

Q: Why is chmod 666 /var/run/docker.sock a bad idea?
A: This grants all users full access to the Docker daemon. Any local user could manage containers, including running with --privileged flags, which is equivalent to root access.

Q: How do I check which user is running inside a container?
A: docker exec <container> id. If the uid/gid don't match the host's, there might be permission issues on mounted volumes.

F.A.Q.

Why does Docker require sudo while other commands don't?
Can I ignore the permission denied error and use sudo?
What's the difference between using `usermod` and changing socket permissions (`chmod`)?
Does the error persist after adding to the docker group?

Hints

Add current user to docker group
Apply group changes
Check group membership
Check socket permissions (alternative)

Did this article help you solve the problem?

FixPedia

Free encyclopedia for fixing errors. Step-by-step guides for Windows, Linux, macOS and more.

© 2026 FixPedia. All materials are available for free.

Made with for the community