*HUUUUUUUUUUUUUUGE* pile of errors. Full version is at https://gist.githubusercontent.com/anonymous/f7fa3b89011807a8ea573a4591f1633a/raw/c12a16abb3fd979c833af1addeb097aac61c17c7/- Here's the first bit:

```
rlpowell@vrici> sudo yum reinstall container-selinux.noarch
Last metadata expiration check: 0:07:57 ago on Fri Feb 10 21:37:36 2017 PST.
Dependencies resolved.
================================================================================
 Package                 Arch        Version            Repository       Size
================================================================================
Reinstalling:
 container-selinux       noarch      2:2.7-1.fc26       rawhide          29 k

Transaction Summary
================================================================================

Total size: 29 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] container-selinux-2.7-1.fc26.noarch.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Reinstalling: container-selinux-2:2.7-1.fc26.noarch                      1/2
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t httpd_sys_content_t (lnk_file (read getattr)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1988
    (allow svirt_sandbox_domain exec_type (lnk_file (read getattr)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4793
    (allow svirt_sandbox_domain httpd_sys_content_t (lnk_file (read getattr)))
  (allow container_t httpd_sys_content_t (file (ioctl read getattr lock open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1984
    (allow svirt_sandbox_domain exec_type (file (ioctl read getattr lock execute execute_no_trans open)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4795
    (allow svirt_sandbox_domain httpd_sys_content_t (file (ioctl read getattr lock open)))
  (allow container_t httpd_sys_content_t (dir (ioctl read lock)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4797
    (allow svirt_sandbox_domain httpd_sys_content_t (dir (ioctl read getattr lock search open)))
  (allow container_t httpd_modules_t (file (ioctl read getattr lock execute execute_no_trans open)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4798
    (allow svirt_sandbox_domain httpd_modules_t (file (ioctl read getattr lock execute execute_no_trans open)))
  (allow container_t httpd_modules_t (lnk_file (read getattr)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4799
    (allow svirt_sandbox_domain httpd_modules_t (lnk_file (read getattr)))
  (allow container_t httpd_modules_t (dir (ioctl read getattr lock search open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2001
    (allow svirt_sandbox_domain file_type (dir (getattr search open)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4800
    (allow svirt_sandbox_domain httpd_modules_t (dir (ioctl read getattr lock search open)))
  (allow container_t fusefs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2739
    (allow svirt_sandbox_domain fusefs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2745
    (allow svirt_sandbox_domain fusefs_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
  (allow container_t fusefs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2743
    (allow svirt_sandbox_domain fusefs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename)))
  (allow container_t fusefs_t (dir (ioctl read lock add_name remove_name)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2744
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2746
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2747
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
  (allow container_t fusefs_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2739
    (allow svirt_sandbox_domain fusefs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2745
    (allow svirt_sandbox_domain fusefs_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
  (allow container_t fusefs_t (dir (ioctl read lock add_name remove_name)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2744
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2746
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2747
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
  (allow container_t fusefs_t (dir (ioctl read create lock unlink link rename add_name remove_name reparent rmdir)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2744
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2746
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2747
    (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
  (allow container_t sysctl_fs_t (file (write append)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2889
    (allow svirt_sandbox_domain sysctl_fs_t (file (ioctl read write getattr lock append open)))
  (allow container_t nfs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1984
    (allow svirt_sandbox_domain exec_type (file (ioctl read getattr lock execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2893
    (allow svirt_sandbox_domain nfs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2903
    (allow svirt_sandbox_domain nfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
  (allow container_t nfs_t (dir (ioctl read lock)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2895
    (allow svirt_sandbox_domain nfs_t (dir (ioctl read getattr lock search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2899
    (allow svirt_sandbox_domain nfs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2902
    (allow svirt_sandbox_domain nfs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2904
    (allow svirt_sandbox_domain nfs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2906
    (allow svirt_sandbox_domain nfs_t (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
```
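To make sense of the "exceeds bounds" output above: a `typebounds parent child` statement lets a bounded child type hold only permissions its parent also holds, and each `(allow container_t ...)` line libsepol prints is the leftover, the child's permissions on that target and class that container_runtime_t does not have. The script below is an added example, not code from this bug report or from container-selinux; the parent and child rules in it are constructed so that the leftovers reproduce a few of the printed lines (the real check runs on the fully expanded policy, which is why the report also lists the attribute-based source rules and the conditional blocks they live in).

```python
"""Minimal re-implementation of the SELinux type-bounds check.

Added example: the rule sets below are constructed for illustration and
are not the real container-selinux policy.
"""
from collections import defaultdict

# Each rule is (source_type, target_type, object_class, permissions).
# Constructed sample: a few permissions the parent container_runtime_t holds ...
PARENT_RULES = [
    ("container_runtime_t", "httpd_sys_content_t", "dir", {"getattr", "search", "open"}),
    ("container_runtime_t", "nfs_t", "dir", {"getattr", "search", "open"}),
    ("container_runtime_t", "sysctl_fs_t", "file", {"ioctl", "read", "getattr", "lock", "open"}),
]
# ... and what the bounded child container_t is granted (also constructed,
# chosen so the excess matches some of the rules printed in the report).
CHILD_RULES = [
    ("container_t", "httpd_sys_content_t", "dir",
     {"ioctl", "read", "getattr", "lock", "search", "open"}),
    ("container_t", "httpd_sys_content_t", "file",
     {"ioctl", "read", "getattr", "lock", "open"}),
    ("container_t", "nfs_t", "dir",
     {"ioctl", "read", "getattr", "lock", "search", "open"}),
    ("container_t", "sysctl_fs_t", "file",
     {"ioctl", "read", "write", "getattr", "lock", "append", "open"}),
]


def permission_map(rules):
    """Collapse a rule list into {(target_type, class): set(permissions)}.
    The source type is dropped because every rule belongs to one domain."""
    perms = defaultdict(set)
    for _source, target, cls, p in rules:
        perms[(target, cls)] |= set(p)
    return perms


def bounds_violations(child, parent, child_rules, parent_rules):
    """Return the child's permissions that the parent does not also hold.

    'typebounds parent child' requires every permission granted to the
    child to be granted to the parent too (same target, same class); what
    is left over is what libsepol prints as an exceeding rule.  Result is
    a list of (child, target, class, frozenset(extra)), sorted by target."""
    parent_perms = permission_map(parent_rules)
    excess = []
    for (target, cls), perms in sorted(permission_map(child_rules).items()):
        extra = perms - parent_perms.get((target, cls), set())
        if extra:
            excess.append((child, target, cls, frozenset(extra)))
    return excess


def format_cil(rule):
    """Render a rule in the CIL syntax used in the error output."""
    source, target, cls, perms = rule
    return f"(allow {source} {target} ({cls} ({' '.join(sorted(perms))})))"


def report(child, parent, child_rules, parent_rules):
    """Build a libsepol-style report: a header line, then one exceeding rule
    per line.  An empty list means the child fits inside its parent."""
    violations = bounds_violations(child, parent, child_rules, parent_rules)
    if not violations:
        return []
    lines = [f"Child type {child} exceeds bounds of parent {parent}"]
    lines.extend("  " + format_cil(v) for v in violations)
    return lines


if __name__ == "__main__":
    print("\n".join(report("container_t", "container_runtime_t",
                           CHILD_RULES, PARENT_RULES)))
```

Run as-is it prints a header and four exceeding rules, among them `(allow container_t sysctl_fs_t (file (append write)))` and `(allow container_t nfs_t (dir (ioctl lock read)))`, the same excess the real checker reported above (permission order aside). Feeding the child's own rules in as the parent yields an empty report, which is the state a fixed container-selinux build has to reach before the module will load with the bounds in place.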
Oh, here's the status of other relevant packages on my system:

```
rlpowell@vrici> sudo yum list installed '*docker*' '*selinux*'
Last metadata expiration check: 0:15:57 ago on Fri Feb 10 21:37:36 2017 PST.
Installed Packages
container-selinux.noarch            2:2.7-1.fc26                   @rawhide
docker.x86_64                       2:1.12.6-17.git037a2f5.fc26    @rawhide
docker-common.x86_64                2:1.12.6-17.git037a2f5.fc26    @rawhide
docker-rhel-push-plugin.x86_64      2:1.12.6-17.git037a2f5.fc26    @rawhide
libselinux.x86_64                   2.5-16.fc26                    @rawhide
libselinux-devel.x86_64             2.5-16.fc26                    @rawhide
libselinux-python.x86_64            2.5-16.fc26                    @rawhide
libselinux-python3.x86_64           2.5-16.fc26                    @rawhide
libselinux-ruby.x86_64              2.5-16.fc26                    @rawhide
libselinux-utils.x86_64             2.5-16.fc26                    @rawhide
rpm-plugin-selinux.x86_64           4.13.0-11.fc26                 @rawhide
selinux-policy.noarch               3.13.1-236.fc26                @rawhide
selinux-policy-devel.noarch         3.13.1-236.fc26                @rawhide
selinux-policy-doc.noarch           3.13.1-236.fc26                @rawhide
selinux-policy-targeted.noarch      3.13.1-236.fc26                @rawhide
```
I'm getting all kinds of badness, like basic network operations don't work:

```
type=AVC msg=audit(1486794909.326:6236599): avc: denied { create } for pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.327:6236600): avc: denied { create } for pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.327:6236601): avc: denied { create } for pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.335:6236602): avc: denied { create } for pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
```

I assume that this is a side effect of this same issue.
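The records above carry everything a policy maintainer needs: the source type (`container_t`), the target type (here the same type, so the missing rule is a `self` rule), the object class (`udp_socket`), the permission (`create`) and `permissive=0`, which means the access really was refused rather than merely logged. The parser below is an added example, not the reporter's or the project's code; its sample input is a constructed copy of the four records in this comment plus two made-up records (a `permissive=1` denial against a made-up type `example_file_t`, and a non-AVC `SYSCALL` record) so that the filtering paths are exercised. It groups denials by (source type, target type, class, permission) and renders each group as the allow rule that would cover it, which is what you compare against the policy that failed to load.

```python
"""Summarise SELinux AVC denials from audit log text.

Added example; SAMPLE_AUDIT is constructed (four lines copied from the bug
report, two made up) and example_file_t is not a real type.
"""
import re
from collections import Counter

SAMPLE_AUDIT = """\
type=AVC msg=audit(1486794909.326:6236599): avc: denied { create } for pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.327:6236600): avc: denied { create } for pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.327:6236601): avc: denied { create } for pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.335:6236602): avc: denied { create } for pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794910.001:6236700): avc:  denied  { read write } for  pid=14174 comm="dnf" path="/example/constructed" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1486794909.326:6236599): arch=c000003e syscall=41 success=no exit=-13 comm="dnf"
"""

# The audit daemon pads "avc:  denied  {" with double spaces; copied text
# often collapses them, so whitespace is matched loosely throughout.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = dict(fields)
    rec.update(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        permissive=fields.get("permissive") == "1",
        source_type=context_type(fields.get("scontext", "")),
        target_type=context_type(fields.get("tcontext", "")),
    )
    return rec


def summarise(text):
    """Count denials per (source type, target type, class, permission),
    keeping enforced denials (permissive=0: the access failed) apart from
    permissive ones (permissive=1: logged, but the access went through)."""
    enforced, permissive = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["source_type"], rec["target_type"], rec.get("tclass", ""), perm)
            (permissive if rec["permissive"] else enforced)[key] += 1
    return enforced, permissive


def as_allow_rule(key):
    """Render a summary key as the policy-language allow rule that would
    cover it, writing the target as 'self' when it equals the source."""
    source, target, cls, perm = key
    target = "self" if target == source else target
    return f"allow {source} {target}:{cls} {perm};"


if __name__ == "__main__":
    enforced, permissive = summarise(SAMPLE_AUDIT)
    for key, count in enforced.most_common():
        print(f"{count:4d} enforced   {as_allow_rule(key)}")
    for key, count in permissive.most_common():
        print(f"{count:4d} permissive {as_allow_rule(key)}")
```

On the sample it reports four enforced denials collapsing to `allow container_t self:udp_socket create;`. A domain being denied socket creation against itself is a sign that the loaded policy lacks the domain's own baseline rules, not that some other type needs loosening, so this is the kind of line to check against the module that failed to install rather than to paste into a local policy.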
Please update to selinux-policy-3.13.1-238.fc26 and then container-selinux-2.8-1.fc26. See if that works for you.
Uh. My rawhide doesn't have that.
Oh, you meant koji, I guess. No joy.

```
rlpowell@vrici> sudo yum list installed '*selinux*'
Last metadata expiration check: 0:10:48 ago on Mon Feb 13 16:59:13 2017 PST.
Installed Packages
container-selinux.noarch            2:2.8-1.fc26           @@commandline
libselinux.x86_64                   2.5-16.fc26            @rawhide
libselinux-devel.x86_64             2.5-16.fc26            @rawhide
libselinux-python.x86_64            2.5-16.fc26            @rawhide
libselinux-python3.x86_64           2.5-16.fc26            @rawhide
libselinux-ruby.x86_64              2.5-16.fc26            @rawhide
libselinux-utils.x86_64             2.5-16.fc26            @rawhide
rpm-plugin-selinux.x86_64           4.13.0-11.fc26         @rawhide
selinux-policy.noarch               3.13.1-238.fc26        @@commandline
selinux-policy-devel.noarch         3.13.1-238.fc26        @@commandline
selinux-policy-doc.noarch           3.13.1-238.fc26        @@commandline
selinux-policy-targeted.noarch      3.13.1-238.fc26        @@commandline
rlpowell@vrici> sudo yum reinstall container-selinux-2.8-1.fc26.noarch.rpm
Last metadata expiration check: 0:08:12 ago on Mon Feb 13 16:59:13 2017 PST.
Dependencies resolved.
================================================================================
 Package                 Arch        Version            Repository       Size
================================================================================
Reinstalling:
 container-selinux       noarch      2:2.8-1.fc26       @commandline     29 k

Transaction Summary
================================================================================

Total size: 29 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Reinstalling: container-selinux-2:2.8-1.fc26.noarch                      1/2
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t httpd_sys_content_t (lnk_file (read getattr)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1986
    (allow svirt_sandbox_domain exec_type (lnk_file (read getattr)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2836
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2839
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3342
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3738
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4714
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4717
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4718
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4719
    (allow svirt_sandbox_domain httpd_sys_content_t (lnk_file (read getattr)))
  (allow container_t httpd_sys_content_t (file (ioctl read getattr lock open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1982
    (allow svirt_sandbox_domain exec_type (file (ioctl read getattr lock execute execute_no_trans open)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2836
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2839
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3342
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3738
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4714
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4717
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4718
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4721
    (allow svirt_sandbox_domain httpd_sys_content_t (file (ioctl read getattr lock open)))
```
Do you have the unconfined domain disabled?
Did I forget to mention that? I did. Sorry. Yes, unconfined is disabled. However, in case it matters, I kind of gave up a bit and:

```
rlpowell@vrici> sudo semanage permissive -l

Customized Permissive Types

container_runtime_t
container_t
```
container-selinux-2.9-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7
container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.