root@vrici# cat /tmp/crap2.txt | audit2allow -R

require {
	type svirt_lxc_net_t;
	type rkt_var_lib_t;
	class file entrypoint;
}

#============= svirt_lxc_net_t ==============

#!!!! The file '/usr/lib/systemd/systemd' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/lib/systemd/systemd
allow svirt_lxc_net_t rkt_var_lib_t:file entrypoint;

OK, fine, I'll run the command, but it doesn't do anything:

root@vrici# ls -lZ /usr/lib/systemd/systemd
-rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 1641144 Apr 18 19:37 /usr/lib/systemd/systemd
root@vrici# restorecon -R -v /usr/lib/systemd/systemd
root@vrici# ls -lZ /usr/lib/systemd/systemd
-rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 1641144 Apr 18 19:37 /usr/lib/systemd/systemd
root@vrici#

The AVC in question:

root@vrici# cat /tmp/crap2.txt
type=AVC msg=audit(1461174118.340:6117): avc: denied { entrypoint } for pid=3232 comm="systemd-nspawn" path="/usr/lib/systemd/systemd" dev="overlay" ino=263237 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
root@vrici#
This /usr/lib/systemd/systemd is under /var/lib/rkt. I believe the problem is this content should be labeled svirt_sandbox_file_t. If you allow this rule, does the container work?
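As an added illustration (not part of this bug report, and not rkt or SELinux tooling), a small Python parser for AVC records like the one quoted above: it extracts the source and target types from the contexts and, for an entrypoint denial on a file, reports a labeling problem when the target type is not svirt_sandbox_file_t, the label suggested in the comment above. The expected type and the classification strings are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Constructed sample: the AVC record quoted in the bug report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1461174118.340:6117): avc: denied { entrypoint } '
    'for pid=3232 comm="systemd-nspawn" path="/usr/lib/systemd/systemd" '
    'dev="overlay" ino=263237 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 '
    'tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1'
)

# Label the comment above says container rootfs content should carry.
# This is an assumption of the example, not something audit2allow checks.
EXPECTED_CONTAINER_FILE_TYPE = "svirt_sandbox_file_t"

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the denied permissions and key=value fields of one AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("kv"))}
    fields["perms"] = m.group("perms").strip()
    # The type is the third colon-separated component of an SELinux context.
    for ctx in ("scontext", "tcontext"):
        if ctx in fields:
            fields[ctx + "_type"] = fields[ctx].split(":")[2]
    return fields


def diagnose(line: str) -> str:
    """Classify the denial: a mislabel to fix by relabeling, or a policy gap."""
    f = parse_avc(line)
    if f is None:
        return "not an AVC record"
    if (f.get("tclass") == "file" and "entrypoint" in f["perms"].split()
            and f.get("tcontext_type") != EXPECTED_CONTAINER_FILE_TYPE):
        return (f"mislabeled: {f.get('path')} is {f['tcontext_type']}, "
                f"expected {EXPECTED_CONTAINER_FILE_TYPE}; relabel rather than allow")
    return "policy gap: review before writing an allow rule"
```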
Ah! I think you must be correct. In fact, with --no-overlay (per the other ticket), this doesn't even come up, and it's certainly not an issue with my actual systemd, so never mind, sorry about that.
Hi Robin, So everything working now? Can we close this BZ?