This investigation is too long for a comment. As @jpetazzo indicated, this problem is likely due to lack of the CAP_AUDIT_WRITE capability. Which apparently affects some versions of Docker and Linux, but not others. So here I'll try to investigate the evolution of this.

• #3015 (2013-12-13, 0.7.2) introduced cap dropping for lxc daemon and included AUDIT_WRITE in the list of dropped capabilities
• #5810 (2014-05-16, 0.12.0) made container library drop all capabilities except for whitelisted ones
• #6527 (2014-06-19, 1.0.1) moved from blacklist to whitelist and didn't include AUDIT_WRITE in that
• #7179 (2014-07-24, 1.2.0) added the AUDIT_WRITE capability to a whitelist
• #20662 (2016-03-19, 1.11.0) moved files around so the setting is now in oci/defaults_linux.go

So it would seem as though all versions before 0.7.2 and also all versions since 1.2.0 should keep CAP_AUDIT_WRITE. As I'm seeing pam_loginuid-related problems with 1.12.5 there might be some other capability involved here.

pam_loginuid is used to set the loginuid audit attribute of a process when a user logs in through SSH, X, or anything like that. This attribute can then be used by the audit framework for various purposes.

However, setting this audit attributes requires some audit-related capabilities to be enabled; and by default, Docker drops them, so the audit_setloginuid call will fail.

When the PAM module is configured to required, such failures are fatal (and PAM prevents the login from going on); while optional means "go on anyway".

I might be wrong, but I believe that while pam_loginuid is available in previous versions (I tested with 12.04) it wasn't enabled anyway; so that's why 13.10 and higher require this special setting.