Bug 1595316 - unable to run containers; exec user process caused "permission denied"
Summary: unable to run containers; exec user process caused "permission denied"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1592488 1595300
Blocks:
Reported: 2018-06-26 15:26 UTC by Micah Abbott
Modified: 2018-07-01 02:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1595300
Environment:
Last Closed: 2018-06-26 15:45:01 UTC



Description Micah Abbott 2018-06-26 15:26:39 UTC
+++ This bug was initially created as a clone of Bug #1595300 +++

Also observed on Fedora 27 Atomic Host

# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://fedora-atomic:fedora/27/x86_64/testing/atomic-host
                   Version: 27.184 (2018-06-19 16:06:20)
                    Commit: 7680a7dbfe4309c1fe27859505335ad8b5a03761b3ddc6339ff409ad3e3345c1
              GPGSignature: Valid signature by 860E19B0AFA800A1751881A6F55E7430F5282EE4


# docker run --rm -it registry.fedoraproject.org/fedora:28 echo 'hello'
standard_init_linux.go:178: exec user process caused "permission denied"

# journalctl -b | grep 'avc:  denied'
Jun 26 14:32:40 micah-f27ah-vm0626ba.localdomain audit[1253]: AVC avc:  denied  { entrypoint } for  pid=1253 comm="runc:[2:INIT]" path="/usr/bin/echo" dev="dm-0" ino=16780467 scontext=system_u:system_r:container_t:s0:c491,c888 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

# ls -lZ /var/lib/docker
total 0
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:32 containers
drwx------. 3 root root system_u:object_r:unlabeled_t:s0  22 Jun 26 14:08 image
drwxr-x---. 3 root root system_u:object_r:unlabeled_t:s0  19 Jun 26 14:08 network
drwx------. 4 root root system_u:object_r:unlabeled_t:s0 112 Jun 26 14:32 overlay2
drwx------. 4 root root system_u:object_r:unlabeled_t:s0  32 Jun 26 14:08 plugins
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:08 swarm
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:17 tmp
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:08 trust
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  25 Jun 26 14:08 volumes




+++ This bug was initially created as a clone of Bug #1592488 +++

Using the latest Fedora Rawhide Atomic Host, I was unable to run a container using `docker`.  It appears SELinux denied the execution of the container:


# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20180616.n.0 (2018-06-16 09:30:08)
                    Commit: 1055dea1f99991fb56d5ae9e29cc6ff52fa01970555f82fcc8e929c7f717907f

# rpm -q docker container-selinux selinux-policy
docker-1.13.1-59.gitaf6b32b.fc29.x86_64
container-selinux-2.64-1.gitdfaf8fd.fc29.noarch
selinux-policy-3.14.2-25.fc29.noarch

# docker run -it --rm registry.fedoraproject.org/fedora echo 'hello'
Unable to find image 'registry.fedoraproject.org/fedora:latest' locally
Trying to pull repository registry.fedoraproject.org/fedora ... 
sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af: Pulling from registry.fedoraproject.org/fedora
bd02462c6d09: Pull complete 
Digest: sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af
Status: Downloaded newer image for registry.fedoraproject.org/fedora:latest
standard_init_linux.go:178: exec user process caused "permission denied"


# journalctl -b | grep 'avc:  denied'
Jun 18 15:56:19 micah-f28ah-vm0618a audit[1280]: AVC avc:  denied  { entrypoint } for  pid=1280 comm="runc:[2:INIT]" path="/usr/bin/echo" dev="dm-0" ino=58724330 scontext=system_u:system_r:container_t:s0:c256,c1017 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

--- Additional comment from Daniel Walsh on 2018-06-18 15:11:24 EDT ---

I would guess /var/lib/docker is mislabeled
restorecon -R -v /var/lib/docker

--- Additional comment from Micah Abbott on 2018-06-18 15:40:01 EDT ---

Dan, you are correct.  This is a problem if /var/lib/docker is getting relabeled after rebasing to Rawhide:


# rpm-ostree status                                                                                                                                                                    
State: idle; auto updates disabled                                               
Deployments:                                                                    
● ostree://fedora-atomic:fedora/28/x86_64/atomic-host                         
                   Version: 28.20180527.0 (2018-05-27 19:05:29)             
                    Commit: 291ea90da29bc5abe757b5a50813b3de1396b08412939a89b3b671aba9856093                                                                                                                       
              GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1

# ls -lZ /var/lib/docker
total 0
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 18 19:21 containers
drwx------. 3 root root system_u:object_r:container_var_lib_t:s0 22 Jun 18 19:21 image
drwxr-x---. 3 root root system_u:object_r:container_var_lib_t:s0 19 Jun 18 19:21 network
drwx------. 3 root root system_u:object_r:container_share_t:s0   40 Jun 18 19:21 overlay2
drwx------. 4 root root system_u:object_r:container_var_lib_t:s0 32 Jun 18 19:21 plugins
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 18 19:21 swarm
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 18 19:21 tmp
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 18 19:21 trust
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0 25 Jun 18 19:21 volumes


# rpm-ostree rebase rawhide:fedora/rawhide/x86_64/atomic-host
2244 metadata, 9394 content objects fetched; 365209 KiB transferred in 555 seconds
Copying /etc changes: 20 modified, 0 removed, 50 added
Transaction complete; bootconfig swap: yes; deployment count change: 1
...

# systemctl reboot

$ ssh 10.8.250.36

# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20180616.n.0 (2018-06-16 09:30:08)
                    Commit: 1055dea1f99991fb56d5ae9e29cc6ff52fa01970555f82fcc8e929c7f717907f

  ostree://fedora-atomic:fedora/28/x86_64/atomic-host
                   Version: 28.20180527.0 (2018-05-27 19:05:29)
                    Commit: 291ea90da29bc5abe757b5a50813b3de1396b08412939a89b3b671aba9856093
              GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1
[root@micah-f28ah-vm0618b ~]# ls -lZ /var/lib/docker
total 0
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  6 Jun 18 19:21 containers
drwx------. 3 root root system_u:object_r:unlabeled_t:s0 22 Jun 18 19:21 image
drwxr-x---. 3 root root system_u:object_r:unlabeled_t:s0 19 Jun 18 19:21 network
drwx------. 3 root root system_u:object_r:unlabeled_t:s0 40 Jun 18 19:37 overlay2
drwx------. 4 root root system_u:object_r:unlabeled_t:s0 32 Jun 18 19:21 plugins
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  6 Jun 18 19:21 swarm
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  6 Jun 18 19:21 tmp
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  6 Jun 18 19:21 trust
drwx------. 2 root root system_u:object_r:unlabeled_t:s0 25 Jun 18 19:21 volumes


# restorecon -R -v /var/lib/docker
Relabeled /var/lib/docker/tmp from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/containers from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins/tmp from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins/storage from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins/storage/blobs from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins/storage/blobs/tmp from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/overlay2 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/overlay2/l from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/overlay2/backingFsBlockDev from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/layerdb from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb/content from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb/content/sha256 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb/metadata from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb/metadata/sha256 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/distribution from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/repositories.json from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/volumes from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/volumes/metadata.db from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/trust from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/network from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/network/files from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/network/files/local-kv.db from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0

--- Additional comment from Micah Abbott on 2018-06-18 15:44:36 EDT ---

Unfortunately, even after `restorecon`, containers are just silently dying:

# docker run -it registry.fedoraproject.org/fedora echo 'hello'
# echo $?
139
# journalctl -b | grep 'avc:  denied'
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { map } for  pid=1673 comm="echo" path="/usr/bin/coreutils" dev="dm-0" ino=58727044 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

--- Additional comment from Daniel Walsh on 2018-06-18 16:47:32 EDT ---

This shows you have containers with two different labels. It looks like the tty of one container is being leaked into the container of a second.

--- Additional comment from Slawomir Czarko on 2018-06-20 10:08:50 EDT ---

On Fedora 28 I get this:

# docker run -it --rm  centos /bin/bash
standard_init_linux.go:178: exec user process caused "permission denied"

# echo $?
1

# journalctl -b | grep 'avc:  denied'
Jun 20 16:03:17 fenris audit[29545]: AVC avc:  denied  { entrypoint } for  pid=29545 comm="runc:[2:INIT]" path="/usr/bin/bash" dev="dm-8" ino=20710002 scontext=system_u:system_r:container_t:s0:c612,c807 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


It works with --privileged

I did:
restorecon -R -v /var/lib/docker

but it didn't change anything

--- Additional comment from Daniel Walsh on 2018-06-20 10:17:35 EDT ---

What storage driver are you using?

Is the root file system mounted at /var/lib/docker?

--- Additional comment from Slawomir Czarko on 2018-06-20 10:22:51 EDT ---

It turns out I was using custom value for --graph. After resetting to default the problem went away.

--- Additional comment from Daniel Walsh on 2018-06-20 10:27:58 EDT ---

Awesome, BTW Have you looked at podman?

--- Additional comment from Micah Abbott on 2018-06-20 10:44:14 EDT ---

Dan, this was originally opened against Rawhide and it is still an issue there.

--- Additional comment from Micah Abbott on 2018-06-20 11:14:41 EDT ---

Yeah, I even confirmed this on Fedora Server with a fresh install of docker:


# cat /etc/os-release
NAME=Fedora
VERSION="29 (Cloud Edition)"
ID=fedora
VERSION_ID=29
PLATFORM_ID="platform:f29"
PRETTY_NAME="Fedora 29 (Cloud Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:29"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Cloud Edition"
VARIANT_ID=cloud


# dnf -y install docker
...


# systemctl enable docker --now
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.                                                                                              

# docker run -it --rm registry.fedoraproject.org/fedora echo 'hello'
Unable to find image 'registry.fedoraproject.org/fedora:latest' locally
Trying to pull repository registry.fedoraproject.org/fedora ...
sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af: Pulling from registry.fedoraproject.org/fedora                                                                                           
bd02462c6d09: Pull complete
Digest: sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af
Status: Downloaded newer image for registry.fedoraproject.org/fedora:latest

# echo $?
139

# journalctl -b | grep 'avc:  denied'
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { read write } for  pid=2240 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:container_file_t:s0:c104,c514 tclass=chr_file permissive=0
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { read write } for  pid=2240 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:container_file_t:s0:c104,c514 tclass=chr_file permissive=0
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { read write } for  pid=2240 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:container_file_t:s0:c104,c514 tclass=chr_file permissive=0
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { read write } for  pid=2240 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:container_file_t:s0:c104,c514 tclass=chr_file permissive=0
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { map } for  pid=2240 comm="echo" path="/usr/bin/coreutils" dev="vda1" ino=656920 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


# rpm -q container-selinux docker selinux-policy
container-selinux-2.64-1.gitdfaf8fd.fc29.noarch
docker-1.13.1-59.gitaf6b32b.fc29.x86_64
selinux-policy-3.14.2-25.fc29.noarch


# ls -lZ /var/lib/docker
total 36
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:11 containers
drwx------. 3 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 image
drwxr-x---. 3 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 network
drwx------. 4 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:11 overlay2
drwx------. 4 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 plugins
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 swarm
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:11 tmp
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 trust
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 volumes



I did notice this during the install of docker/container-selinux:

...
  Installing       : policycoreutils-python-utils-2.8-3.fc29.noarch                                                                                                                                          18/27
  Installing       : container-selinux-2:2.64-1.gitdfaf8fd.fc29.noarch                                                                                                                                       19/27
  Running scriptlet: container-selinux-2:2.64-1.gitdfaf8fd.fc29.noarch                                                                                                                                       19/27
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9194                                                                                                                                
  (neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))                                                                                                                                                    
    <root>                                                                                                                                                                                                        
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1554
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1678
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2069
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))

Failed to generate binary
/usr/sbin/semodule:  Failed!
  Installing       : python3-pytoml-0.1.16-1.fc29.noarch                                                                                                                                                     20/27
  Installing       : atomic-registries-1.22.1-22.git5a342e3.fc29.x86_64                                                                   
...

--- Additional comment from Micah Abbott on 2018-06-26 10:43:24 EDT ---

This is probably an error with container-selinux...

From the Atomic Host compose log:

https://kojipkgs.fedoraproject.org//work/tasks/3712/27853712/runroot.log

<snip>
Installing packages: 60%
setsebool:  SELinux is disabled.
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9014
  (neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1489
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1673
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2064
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))

Failed to generate binary
/usr/sbin/semodule:  Failed!
<snip>
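
The denials pasted throughout this report fall into a few recognisable shapes: a container_t process hitting a target that carries no container label at all (unlabeled_t before restorecon, the generic var_lib_t after it), and container_t hitting a container_file_t target. The following triage script is an added example, not part of this bug report, of container-selinux or of any Fedora tooling. It parses AVC records from the journal, pulls out the permission set, the source and target contexts and the MCS categories, and prints a one-word heuristic verdict per record. The sample records are constructed for the example (modelled on the lines quoted above; hostnames, pids and inode numbers are made up), the verdict names (`relabel`, `mcs-mismatch`, `policy`, `other`) are this script's own, and it assumes single-level contexts of the form `s0` or `s0:c1,c2` rather than MLS ranges.

```shell
#!/bin/sh
# Added AVC triage helper (example code, not from this bug or container-selinux).
# Constructed sample records modelled on the denials quoted in the report.
AVC_SAMPLE='Jun 26 14:32:40 host audit[1253]: AVC avc:  denied  { entrypoint } for  pid=1253 comm="runc:[2:INIT]" path="/usr/bin/echo" dev="dm-0" ino=16780467 scontext=system_u:system_r:container_t:s0:c491,c888 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Jun 18 19:43:31 host audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 host audit[1673]: AVC avc:  denied  { map } for  pid=1673 comm="echo" path="/usr/bin/coreutils" dev="dm-0" ino=58727044 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Jun 18 19:50:02 host audit[1702]: AVC avc:  denied  { read write } for  pid=1702 comm="bash" path="/2" dev="devpts" ino=5 scontext=system_u:system_r:container_t:s0:c11,c22 tcontext=system_u:object_r:container_file_t:s0:c33,c44 tclass=chr_file permissive=0'

# avc_field RECORD KEY: value of KEY=... in an AVC record, surrounding quotes
# stripped; empty when the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: the permission set between the braces, e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: the SELinux type (third colon-separated field).
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_cats CONTEXT: the MCS categories after the sensitivity, e.g. "c37,c365";
# empty for a plain "s0" context.  Assumes no MLS range (s0-s0:...) is present.
avc_cats() {
    printf '%s\n' "$1" | cut -d: -f5
}

# avc_diagnose RECORD: heuristic verdict (this script's own labels):
#   relabel       target is unlabeled_t or the generic var_lib_t, i.e. the
#                 storage root never received container-selinux's file
#                 contexts (wrong --graph, or contexts not installed)
#   mcs-mismatch  container source and container target whose MCS categories
#                 differ: a resource from one container reached another
#   policy        container source and container target with the same
#                 categories; container policy should allow this, so check
#                 that the container module actually loaded
#   other         anything else
avc_diagnose() {
    sctx=$(avc_field "$1" scontext)
    tctx=$(avc_field "$1" tcontext)
    case "$(avc_type "$tctx")" in
        unlabeled_t|var_lib_t) echo relabel ;;
        container_*)
            if [ "$(avc_cats "$sctx")" != "$(avc_cats "$tctx")" ]; then
                echo mcs-mismatch
            else
                echo policy
            fi ;;
        *) echo other ;;
    esac
}

# avc_report: read journal lines on stdin, print one summary line per denial.
avc_report() {
    while IFS= read -r rec; do
        case "$rec" in *"avc: "*"denied"*) ;; *) continue ;; esac
        printf '%-13s %-12s comm=%s path=%s target=%s\n' \
            "$(avc_diagnose "$rec")" "$(avc_perms "$rec")" \
            "$(avc_field "$rec" comm)" "$(avc_field "$rec" path)" \
            "$(avc_field "$rec" tcontext)"
    done
}

# Stand-alone run over the constructed sample.  On a live host use:
#   journalctl -b | avc_report
printf '%s\n' "$AVC_SAMPLE" | avc_report
```

A `relabel` verdict matches the fixes that worked in this thread (`restorecon -R -v /var/lib/docker`, or dropping a custom `--graph` root that the file context rules do not cover); a `policy` verdict on a container_t/container_file_t pair with identical categories is the signal to look at whether the container-selinux module was installed at all, which is exactly what the `neverallow check failed` / `semodule: Failed!` scriptlet output above shows it was not.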

Comment 1 Daniel Walsh 2018-06-26 15:40:54 UTC
Is this only Fedora 29? Only, since the errors you are showing are on F29.  I think there was a selinux-policy/libsemanage constraint that is starting to be enforced that is causing this issue.

Comment 2 Micah Abbott 2018-06-26 15:45:01 UTC
Oops...this actually doesn't seem to affect F28.  The other BZs for Rawhide + F27 should still be valid.


# ls -lZ /var/lib/docker           
total 0                                                                                     
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 26 15:36 containers
drwx------. 3 root root system_u:object_r:container_var_lib_t:s0 22 Jun 26 15:36 image            
drwxr-x---. 3 root root system_u:object_r:container_var_lib_t:s0 19 Jun 26 15:36 network
drwx------. 3 root root system_u:object_r:container_share_t:s0   40 Jun 26 15:36 overlay2                                                                                                                          
drwx------. 4 root root system_u:object_r:container_var_lib_t:s0 32 Jun 26 15:36 plugins                                                                                                                           
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 26 15:36 swarm                                                                                                                             
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 26 15:36 tmp                                                                                                                               
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 26 15:36 trust                                                                                                                             
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0 25 Jun 26 15:36 volumes                                                                                                                           

# docker run -it --rm registry.fedoraproject.org/fedora:28 echo 'hello'                                                                                                                
Unable to find image 'registry.fedoraproject.org/fedora:28' locally                                                                                                                                                
Trying to pull repository registry.fedoraproject.org/fedora ...                                                                                                                                                    
sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af: Pulling from registry.fedoraproject.org/fedora                                                                                            
bd02462c6d09: Pull complete                                                                                                                                                                                        
Digest: sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af                                                                                                                                    
Status: Downloaded newer image for registry.fedoraproject.org/fedora:28                                                                                                                                            
hello                                                                                                             

# rpm -q container-selinux docker selinux-policy
container-selinux-2.61-1.git9b55129.fc28.noarch
docker-1.13.1-51.git4032bd5.fc28.x86_64
selinux-policy-3.14.1-29.fc28.noarch

Comment 3 Fedora Update System 2018-06-26 20:31:50 UTC
libsemanage-2.7-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-76f1fc8358

Comment 4 Fedora Update System 2018-06-26 20:33:05 UTC
libsemanage-2.8-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0ba4adc4cb

Comment 5 Fedora Update System 2018-06-28 12:32:04 UTC
libsemanage-2.7-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-76f1fc8358

Comment 6 Fedora Update System 2018-06-28 15:04:02 UTC
libsemanage-2.8-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0ba4adc4cb

Comment 7 Fedora Update System 2018-07-01 01:35:05 UTC
libsemanage-2.7-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2018-07-01 02:38:21 UTC
libsemanage-2.8-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

