If you are installing Docker CE on Rocky Linux, AlmaLinux, or RHEL and the installation fails with a container-selinux dependency error, the fix is straightforward. The package exists in the OS repositories but your system either has a stale cache or is missing the repository that provides it.
Updated April 2026 for Rocky Linux 9/10, AlmaLinux 9/10, and RHEL 8/9/10. Also covers legacy CentOS 7.
The Error
The error appears when dnf (or yum on CentOS 7) cannot locate the container-selinux package that Docker CE depends on:
Error:
Problem: package docker-ce-3:27.5.1-1.el9.x86_64 from docker-ce-stable requires container-selinux >= 2:2.74, but none of the providers can be installed
- cannot install the best candidate for the jobOn older systems running CentOS 7, the same error looks like this:
Error: Package: 3:docker-ce-27.5.1-1.el7.x86_64 (docker-ce-stable)
Requires: container-selinux >= 2:2.74Why This Happens
Docker CE requires the container-selinux package to define SELinux policies for containers. This package ships in the OS base repositories (AppStream on RHEL 9/10, extras on CentOS 7), but DNF cannot find it when:
- The AppStream or BaseOS repository is disabled (common on minimal installs or custom repo configurations)
- The DNF cache is stale and does not include the package metadata
- The system was installed from an old ISO without updating repository metadata
- You are running CentOS 7 without the extras repository enabled
Fix on Rocky Linux 9/10, AlmaLinux 9/10, RHEL 9/10
Clean the DNF cache and rebuild it:
sudo dnf clean all
sudo dnf makecacheVerify that the AppStream and BaseOS repositories are enabled:
dnf repolistYou should see both appstream and baseos in the output:
repo id repo name
appstream Rocky Linux 10 - AppStream
baseos Rocky Linux 10 - BaseOSIf either repository is missing, enable it:
sudo dnf config-manager --set-enabled appstream
sudo dnf config-manager --set-enabled baseosOn RHEL systems with subscription-manager, enable the repos through the subscription:
sudo subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms --enable=rhel-9-for-x86_64-baseos-rpmsNow install container-selinux explicitly:
sudo dnf install -y container-selinuxConfirm the installed version:
rpm -q container-selinuxOn Rocky Linux 9, this shows something like:
container-selinux-2.240.0-3.el9_7.noarchWith the dependency satisfied, proceed to install Docker CE.
Install Docker CE After the Fix
If you have not already added the Docker repository, set it up first. For Rocky Linux, AlmaLinux, and CentOS Stream, use the CentOS repo URL:
sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repoFor RHEL systems, use the RHEL-specific repo:
sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repoInstall Docker CE with all required components:
sudo dnf install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-pluginStart and enable the Docker service:
sudo systemctl enable --now dockerVerify Docker is running:
sudo docker run hello-worldThe output confirms Docker is working:
Hello from Docker!
This message shows that your installation appears to be working correctly.Add your user to the docker group so you can run Docker commands without sudo:
sudo usermod -aG docker $USER
newgrp dockerCheck the installed version:
docker version --format '{{.Server.Version}}'Fix on CentOS 7 (Legacy)
CentOS 7 reached end of life in June 2024. If you are still running it, the container-selinux package lives in the extras repository. Migration to Rocky Linux 9 or 10 is strongly recommended.
Clean the cache and verify the extras repo is enabled:
sudo yum clean all
sudo yum -y makecache
yum repolistIf extras is not listed, enable it:
sudo yum -y install yum-utils
sudo yum-config-manager --enable extrasInstall the package and then proceed with Docker CE:
sudo yum install -y container-selinux
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install -y docker-ce docker-ce-cli containerd.ioTroubleshooting
Error: “container-selinux conflicts with podman”
Rocky Linux and RHEL ship with Podman pre-installed. If you see conflicts during Docker CE installation, remove the conflicting packages first:
sudo dnf remove -y podman buildahThen retry the Docker CE installation. Podman and Docker use the same container runtime components, so they cannot coexist cleanly on the same system.
Error: “Cannot find a valid baseurl for repo: appstream”
This means the system cannot reach the repository mirrors. Check your network connectivity and DNS resolution. On CentOS 8 (which is also EOL), the mirrors were moved to vault.centos.org. If you are still on CentOS 8, migrate to Rocky Linux or AlmaLinux.
container-selinux installs but Docker still fails
If the version of container-selinux in your repos is older than what Docker requires (2.74 or higher), you may need to update your OS packages first:
sudo dnf update -y
sudo dnf install -y container-selinuxThis pulls the latest version from the updated repositories.
FAQ
What does container-selinux do?
The container-selinux package provides SELinux policy definitions that allow container runtimes (Docker, Podman, containerd) to operate under SELinux enforcing mode. Without it, containers would be blocked by SELinux or you would need to disable SELinux entirely, which is a security risk.
Can I disable SELinux instead of installing container-selinux?
Technically yes, but you should not. Disabling SELinux removes an important security layer that isolates containers from the host system. Installing container-selinux is the correct fix. It takes seconds and keeps your system secure.
Does this error happen on Fedora or Ubuntu?
No. Fedora includes container-selinux by default, and Ubuntu/Debian use AppArmor instead of SELinux, so the container-selinux package does not apply. This error is specific to RHEL, Rocky Linux, AlmaLinux, and CentOS systems where the repository providing the package is missing or disabled.
