I'm aware rkt support is a work in progress, so these may all be fixed somewhere, but: This is everything in my audit log with "dontaudit off", "setenforce 0" when running: rkt run --insecure-options=image --interactive docker://busybox type=NETFILTER_CFG msg=audit(1461174117.702:6110): table=nat family=2 entries=80 type=NETFILTER_CFG msg=audit(1461174117.715:6111): table=nat family=2 entries=82 type=NETFILTER_CFG msg=audit(1461174117.735:6112): table=nat family=2 entries=83 type=NETFILTER_CFG msg=audit(1461174117.738:6113): table=nat family=2 entries=84 type=LOGIN msg=audit(1461174118.307:6114): pid=3231 uid=0 subj=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 old-auid=1000 auid=4294967295 old-ses=19 ses=4294967295 res=1 type=USER_AVC msg=audit(1461174118.323:6115): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe=" /usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1461174118.327:6116): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe=" /usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=AVC msg=audit(1461174118.340:6117): avc: denied { entrypoint } for pid=3232 comm="systemd-nspawn" path="/usr/lib/systemd/systemd" dev="overlay" ino=263237 scontext=sy stem_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.341:6118): avc: denied { read } for pid=3232 comm="systemd" name="libselinux.so.1" dev="vda2" ino=927328 scontext=system_u:system_r:svirt_lxc _net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.341:6119): avc: denied { open } for pid=3232 comm="systemd" path="/usr/lib/libselinux.so.1" dev="overlay" ino=263274 scontext=system_u:system _r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.341:6120): avc: denied { getattr } for pid=3232 comm="systemd" path="/usr/lib/libselinux.so.1" dev="vda2" ino=927328 scontext=system_u:system _r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.341:6121): avc: denied { execute } for pid=3232 comm="systemd" path="/usr/lib/libselinux.so.1" dev="overlay" ino=263274 scontext=system_u:sys tem_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.343:6122): avc: denied { write } for pid=3232 comm="systemd" name="core_pattern" dev="proc" ino=262870 scontext=system_u:system_r:svirt_lxc_n et_t:s0:c142,c457 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.345:6123): avc: denied { write } for pid=3232 comm="systemd" name="machine-id" dev="vda2" ino=927446 scontext=system_u:system_r:svirt_lxc_net _t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.345:6124): avc: denied { write } for pid=3232 comm="systemd" name="max_dgram_qlen" dev="proc" ino=262883 scontext=system_u:system_r:svirt_lxc _net_t:s0:c142,c457 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.345:6125): avc: denied { read } for pid=3232 comm="systemd" name="usr" dev="vda2" ino=927290 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1 42,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.352:6126): avc: denied { execute_no_trans } for pid=3242 comm="(journald)" path="/usr/lib/systemd/systemd-journald" dev="overlay" ino=263244 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.445:6131): avc: denied { write } for pid=3248 comm="prepare-app" name="dev" dev="vda2" ino=541319 scontext=system_u:system_r:svirt_lxc_net_t: s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.445:6132): avc: denied { relabelto } for pid=3248 comm="prepare-app" name="#ffff88001a575840" dev="vda2" ino=927464 scontext=system_u:system_ r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.445:6133): avc: denied { setattr } for pid=3248 comm="prepare-app" name="#ffff88001a575840" dev="vda2" ino=927464 scontext=system_u:system_r: svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.445:6134): avc: denied { rename } for pid=3248 comm="prepare-app" name="#ffff88001a575840" dev="vda2" ino=927464 scontext=system_u:system_r:s virt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.445:6135): avc: denied { reparent } for pid=3248 comm="prepare-app" name="#ffff88001a575840" dev="vda2" ino=927464 scontext=system_u:system_r :svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.445:6136): avc: denied { add_name } for pid=3248 comm="prepare-app" name="net" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tconte xt=staff_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.445:6137): avc: denied { create } for pid=3248 comm="prepare-app" name="net" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext =system_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.446:6138): avc: denied { create } for pid=3248 comm="prepare-app" name="hosts" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tconte xt=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.446:6139): avc: denied { write open } for pid=3248 comm="prepare-app" path="/opt/stage2/busybox/rootfs/etc/hosts" dev="overlay" ino=262927 sc ontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.446:6140): avc: denied { getattr } for pid=3248 comm="prepare-app" name="hosts" dev="vda2" ino=927474 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.447:6141): avc: denied { write } for pid=3248 comm="prepare-app" name="net" dev="vda2" ino=927465 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.447:6142): avc: denied { add_name } for pid=3248 comm="prepare-app" name="tun" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1461174118.447:6143): avc: denied { create } for pid=3248 comm="prepare-app" name="ptmx" scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1461174118.475:6144): avc: denied { append } for pid=3254 comm="appexec" path="/rkt/env/keep_env" dev="overlay" ino=263546 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.475:6145): avc: denied { read } for pid=3254 comm="appexec" name="keep_env" dev="vda2" ino=927485 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=system_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461174118.476:6146): avc: denied { ioctl } for pid=3254 comm="sh" path="/etc/passwd" dev="overlay" ino=262098 ioctlcmd=5401 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1 type=USER_AVC msg=audit(1461174121.606:6147): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1461174121.607:6148): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Note that running that stuff past audit2allow is how I hit https://bugzilla.redhat.com/show_bug.cgi?id=1328956 , so that may also be relevant.
I think rkt right now will only work without overlayfs. Since overlayfs does not properly support SELInux labeling.
Ah, OK; yes, it works fine with --no-overlay (running as root/unconfined_t). While it seems implausible, let me know if there's anything I can do to help.
FWIW, here's the AVCs I get in that case (launching rkt as root/unconfined_t, dontaudit off, setenforce 0 (although note that it works just fine with setenforce 1 AFAICT, that was just to get AVCs)): type=NETFILTER_CFG msg=audit(1461307931.081:11296): table=nat family=2 entries=20 type=NETFILTER_CFG msg=audit(1461307931.083:11297): table=nat family=2 entries=22 type=NETFILTER_CFG msg=audit(1461307931.085:11298): table=nat family=2 entries=23 type=NETFILTER_CFG msg=audit(1461307931.087:11299): table=nat family=2 entries=24 type=LOGIN msg=audit(1461307931.613:11300): pid=25523 uid=0 subj=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 old-auid=1000 auid=4294967295 old-ses=233 ses=4294967295 res=1 type=USER_AVC msg=audit(1461307931.625:11301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1461307931.628:11302): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=AVC msg=audit(1461307931.643:11303): avc: denied { write } for pid=25524 comm="systemd" name="core_pattern" dev="proc" ino=596807 scontext=system_u:system_r:svirt_lxc_net_t:s0:c180,c298 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1 type=AVC msg=audit(1461307931.645:11304): avc: denied { write } for pid=25524 comm="systemd" name="max_dgram_qlen" dev="proc" ino=596822 scontext=system_u:system_r:svirt_lxc_net_t:s0:c180,c298 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=1 type=USER_AVC msg=audit(1461307939.220:11306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1461307939.222:11307): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' None of these seem to be causing any serious issues, and systemd is in fact running in the container.
This is a kernel issue, which we have existing bugzilla for it. https://bugzilla.redhat.com/show_bug.cgi?id=1178944 *** This bug has been marked as a duplicate of bug 1178944 ***
I find it mildly annoying that the only non-duplicate bug in that chain, I can't actually see (Access Denied), so I've no way to get notified when it's fixed.
... Also, Firefox helpfully "remembered" that I'd closed a previous bug as NOTABUG, and made this bug one too when I commented. -____- Sorry about that. *** This bug has been marked as a duplicate of bug 1178944 ***
Robin sorry about that, but be assured that if we get this to work and merged in to upstream kernel, we will make a lot of noise.