Description of problem: Since the most recent docker and docker-selinux updates: docker-1.8.2-1.gitf1db8f2.fc22.x86_64 docker-selinux-1.8.2-1.gitf1db8f2.fc22.x86_64 When I go to rebuild some of my docker containers, I get an error similar to this for what looks like any RUN line in my Dockerfile. I'm running SELinux in enforcing mode and using the overlayfs storage driver for Docker. Before the upgrades above, this setup was able to generate containers without issues. If I disable SELinux, containers build fine. Since the most recent docker and docker-selinux updates: docker-1.8.2-1.gitf1db8f2.fc22.x86_64 docker-selinux-1.8.2-1.gitf1db8f2.fc22.x86_64 When I go to rebuild some of my docker containers, I get an error similar to this for what looks like any RUN line in my Dockerfile. I'm running SELinux in enforcing mode and using the overlayfs storage driver for Docker. Before the upgrades above, this setup was able to generate containers without issues. If I disable SELinux, containers build fine. SELinux is preventing exe from 'entrypoint' accesses on the file /bin/dash. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /bin/dash default label should be shell_exec_t. Then you can run restorecon. Do # /sbin/restorecon -v /bin/dash ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that exe should be allowed entrypoint access on the dash file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep exe /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:spc_t:s0 Target Context system_u:object_r:docker_var_lib_t:s0 Target Objects /bin/dash [ file ] Source exe Source Path exe Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-128.13.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.1.7-200.fc22.x86_64 #1 SMP Mon Sep 14 20:19:24 UTC 2015 x86_64 x86_64 Alert Count 2 First Seen 2015-09-25 12:32:29 AEST Last Seen 2015-09-25 13:57:00 AEST Local ID 0e25455e-2d8a-4519-85fe-b412c7a9bb82 Raw Audit Messages type=AVC msg=audit(1443153420.130:1111): avc: denied { entrypoint } for pid=11334 comm="exe" path="/bin/dash" dev="dm-1" ino=3935470 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0 Hash: exe,spc_t,docker_var_lib_t,file,entrypoint Version-Release number of selected component: selinux-policy-3.13.1-128.13.fc22.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.1.7-200.fc22.x86_64 type: libreport
Should be fixed in docker-1.8.2-4.gitcb216be.fc22 yum update docker --enable=updates-testing
selinux-policy-3.13.1-128.18.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-946cd8d690
selinux-policy-3.13.1-128.18.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-946cd8d690
selinux-policy-3.13.1-128.18.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.