# Description of problem:

I use docker-compose to orchestrate containers, e.g. a database and a web application. The web application container must wait until the database is up before running. I use https://github.com/vishnubob/wait-for-it to do the waiting and bind-mount the script into the container.

Since installing container-selinux-2.5-1.fc25, docker fails to execute the wait script because access is denied by SELinux. The behavior is the same on two machines tested (all running Fedora 25 patched to latest).

# Version-Release number of selected component (if applicable):

container-selinux-2.5-1.fc25

container-selinux-2.2-2.fc25 works.

# How reproducible:

Every time; downgrading to 2.2-2 removes the error.

# Steps to Reproduce:

The simplest way to reproduce is to emulate docker-compose with a docker invocation.

1. git clone https://github.com/vishnubob/wait-for-it.git /usr/local/src/wait-for-it
2. docker run --entrypoint="/wait-for-it.sh" -v /usr/local/src/wait-for-it/wait-for-it.sh:/wait-for-it.sh:ro agross/stress

(agross/stress is just an example image)

# Actual results (docker run output):

    panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
    panic: standard_init_linux.go:178: exec user process caused "permission denied"

# Expected results (docker run output):

    Error: you need to provide a host and port to test.
    Usage:
    wait-for-it.sh host:port [-s] [-t timeout] [-- command args]
    -h HOST | --host=HOST       Host or IP under test
    -p PORT | --port=PORT       TCP port under test
                                Alternatively, you specify the host and port as host:port
    -s | --strict               Only execute subcommand if the test succeeds
    -q | --quiet                Don't output any status messages
    -t TIMEOUT | --timeout=TIMEOUT
                                Timeout in seconds, zero for no timeout
    -- COMMAND ARGS             Execute command with args after the test finishes

# Additional info:

    $ audit2why < /var/log/audit/audit.log
    type=AVC msg=audit(1486244245.275:7129): avc: denied { entrypoint } for pid=20532 comm="exe" path="/wait-for-it.sh" dev="dm-0" ino=50618329 scontext=system_u:system_r:container_t:s0:c116,c857 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0

            Was caused by:
                    Unknown - would be allowed by active policy
                    Possible mismatch between this policy and the one under which the audit message was generated.

                    Possible mismatch between current in-memory boolean settings vs. permanent ones.

    $ ls /usr/local/src/wait-for-it/wait-for-it.sh -laZ
    -rwxr-xr-x. 1 root root unconfined_u:object_r:usr_t:s0 3658 Aug 25 20:25 /usr/local/src/wait-for-it/wait-for-it.sh

As suggested (https://bodhi.fedoraproject.org/updates/container-selinux-2.5-1.fc25#comment-557261) I also tried to chcon wait-for-it.sh and bind-mounting with the "Z" flag, but to no avail.
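Added triage script (not from this report or from the container-selinux project): a plain sh/awk filter that reduces raw AVC records like the one in the audit2why output above to one line each and flags the exact pattern of this bug, a container_t process denied the entrypoint permission on a file, printing the path and its label so the label can be compared with what the installed container-selinux version allows. The sample records are constructed; the first AVC reproduces the denial quoted in this report, the SYSCALL record and the second AVC are made up to show what is skipped and what is kept.

```shell
#!/bin/sh
# Constructed sample audit records. The first AVC is the one quoted in this report;
# the SYSCALL record and the second AVC are invented to exercise the filter.
SAMPLE_AUDIT='type=AVC msg=audit(1486244245.275:7129): avc: denied { entrypoint } for pid=20532 comm="exe" path="/wait-for-it.sh" dev="dm-0" ino=50618329 scontext=system_u:system_r:container_t:s0:c116,c857 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1486244245.275:7129): arch=c000003e syscall=59 success=no exit=-13 comm="exe"
type=AVC msg=audit(1486244300.100:7130): avc: denied { read } for pid=20600 comm="bash" path="/data/app.conf" dev="dm-0" ino=123 scontext=system_u:system_r:container_t:s0:c116,c857 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# Reduce each AVC denial on stdin to one line:
#   <source domain> <permissions,comma-joined> <class> <target type> <path or ->
# Non-AVC records (SYSCALL, CWD, PATH, ...) are ignored.
avc_summarize() {
  awk '
    /^type=AVC / && / denied / {
      perm = ""; sdom = "?"; ttype = "?"; tclass = "?"; path = "-"
      if (match($0, /[{] [^}]* [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)   # strip "{ " and " }"
        gsub(/ /, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "scontext")      { split(kv[2], c, ":"); sdom = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        else if (kv[1] == "tclass")   tclass = kv[2]
        else if (kv[1] == "path")     { path = kv[2]; gsub(/"/, "", path) }
      }
      print sdom, perm, tclass, ttype, path
    }'
}

# Keep only the pattern this report is about: the container domain denied the
# "entrypoint" permission on a file. Prints "<path> <label>" per hit.
entrypoint_denials() {
  avc_summarize | awk '$1 == "container_t" && $2 ~ /(^|,)entrypoint(,|$)/ && $3 == "file" { print $5, $4 }'
}

# Live use:  ausearch -m AVC --raw | entrypoint_denials
# (or: grep '^type=AVC' /var/log/audit/audit.log | entrypoint_denials)
printf '%s\n' "$SAMPLE_AUDIT" | entrypoint_denials
```

Each hit names the bind-mounted file and the type it carries (usr_t in this report); together with `rpm -q container-selinux` that is enough to tell whether a host is on the affected 2.5 build or one of the later builds discussed below.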
Add this to policy:

    typebounds container_runtime_exec_t usr_t;
Fixed in container-selinux-2.8 in updates-testing. Please update to this package and, if it fixes your problem, update the karma.
Seems like container-selinux-2.8 is not available (yet?):

    dnf update --enablerepo=updates-testing container-selinux
    ...
    Upgrading:
     container-selinux    noarch    2:2.6-1.fc25    updates-testing

https://bodhi.fedoraproject.org/updates/?packages=container-selinux
OK, I just fired off a build: https://koji.fedoraproject.org/koji/taskinfo?taskID=18096916
container-selinux-2.9-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7
container-selinux 2.9 is still not available for me on testing, but I can confirm that 2.6 also works on two machines.
container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7
container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.