Hide Forgot
Description of problem: $ sudo dnf update SELinux is preventing ruby from 'execute' accesses on the file conftest. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ruby should be allowed execute access on the conftest file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ruby' --raw | audit2allow -M my-ruby # semodule -X 300 -i my-ruby.pp Additional Information: Source Context system_u:system_r:svirt_lxc_net_t:s0:c512,c653 Target Context system_u:object_r:user_home_t:s0 Target Objects conftest [ file ] Source ruby Source Path ruby Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.12.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-08-23 18:51:43 CEST Last Seen 2016-08-23 18:51:43 CEST Local ID 19929696-816e-49e7-9c99-573e91d56249 Raw Audit Messages type=AVC msg=audit(1471971103.411:498): avc: denied { execute } for pid=8720 comm="ruby" name="conftest" dev="dm-1" ino=10884330 scontext=system_u:system_r:svirt_lxc_net_t:s0:c512,c653 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1 Hash: ruby,svirt_lxc_net_t,user_home_t,file,execute Version-Release number of selected component: selinux-policy-3.13.1-191.12.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.7-300.fc24.x86_64 type: libreport
This looks like you are volume mounting conftest from a home directory into a docker container. If you want to have this content accessible and writable by the container you should use :Z or :z on the volume mount command. http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/