Bug 1421333 - container-selinux won't install
Summary: container-selinux won't install
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 26
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-02-11 05:52 UTC by Robin Powell
Modified: 2017-03-02 01:21 UTC

Fixed In Version: container-selinux-2.9-1.fc25
Last Closed: 2017-03-02 01:21:23 UTC
Type: Bug

Description Robin Powell 2017-02-11 05:52:43 UTC
*HUUUUUUUUUUUUUUGE* pile of errors.

Full version is at https://gist.githubusercontent.com/anonymous/f7fa3b89011807a8ea573a4591f1633a/raw/c12a16abb3fd979c833af1addeb097aac61c17c7/-

Here's the first bit:

```
rlpowell@vrici> sudo yum reinstall container-selinux.noarch
Last metadata expiration check: 0:07:57 ago on Fri Feb 10 21:37:36 2017 PST.
Dependencies resolved.
==============================================================================================================================================================================
 Package                                         Arch                                 Version                                     Repository                             Size
==============================================================================================================================================================================
Reinstalling:
 container-selinux                               noarch                               2:2.7-1.fc26                                rawhide                                29 k

Transaction Summary
==============================================================================================================================================================================

Total size: 29 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] container-selinux-2.7-1.fc26.noarch.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Reinstalling: container-selinux-2:2.7-1.fc26.noarch                                                                                                                     1/2
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t httpd_sys_content_t (lnk_file (read getattr)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1988
      (allow svirt_sandbox_domain exec_type (lnk_file (read getattr)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4793
      (allow svirt_sandbox_domain httpd_sys_content_t (lnk_file (read getattr)))
  (allow container_t httpd_sys_content_t (file (ioctl read getattr lock open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1984
      (allow svirt_sandbox_domain exec_type (file (ioctl read getattr lock execute execute_no_trans open)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4795
      (allow svirt_sandbox_domain httpd_sys_content_t (file (ioctl read getattr lock open)))
  (allow container_t httpd_sys_content_t (dir (ioctl read lock)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4797
      (allow svirt_sandbox_domain httpd_sys_content_t (dir (ioctl read getattr lock search open)))
  (allow container_t httpd_modules_t (file (ioctl read getattr lock execute execute_no_trans open)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4798
      (allow svirt_sandbox_domain httpd_modules_t (file (ioctl read getattr lock execute execute_no_trans open)))
  (allow container_t httpd_modules_t (lnk_file (read getattr)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4799
      (allow svirt_sandbox_domain httpd_modules_t (lnk_file (read getattr)))
  (allow container_t httpd_modules_t (dir (ioctl read getattr lock search open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2001
      (allow svirt_sandbox_domain file_type (dir (getattr search open)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2910
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2913
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3416
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3812
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4788
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4791
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4792
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4800
      (allow svirt_sandbox_domain httpd_modules_t (dir (ioctl read getattr lock search open)))
  (allow container_t fusefs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2739
      (allow svirt_sandbox_domain fusefs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2745
      (allow svirt_sandbox_domain fusefs_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
  (allow container_t fusefs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2743
      (allow svirt_sandbox_domain fusefs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename)))
  (allow container_t fusefs_t (dir (ioctl read lock add_name remove_name)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2744
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2746
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2747
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
  (allow container_t fusefs_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2739
      (allow svirt_sandbox_domain fusefs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2745
      (allow svirt_sandbox_domain fusefs_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
  (allow container_t fusefs_t (dir (ioctl read lock add_name remove_name)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2744
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2746
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2747
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
  (allow container_t fusefs_t (dir (ioctl read create lock unlink link rename add_name remove_name reparent rmdir)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2744
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2746
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2747
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
  (allow container_t sysctl_fs_t (file (write append)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2889
      (allow svirt_sandbox_domain sysctl_fs_t (file (ioctl read write getattr lock append open)))
  (allow container_t nfs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1984
      (allow svirt_sandbox_domain exec_type (file (ioctl read getattr lock execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2893
      (allow svirt_sandbox_domain nfs_t (file (ioctl read getattr execute execute_no_trans open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2903
      (allow svirt_sandbox_domain nfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open)))
  (allow container_t nfs_t (dir (ioctl read lock)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2895
      (allow svirt_sandbox_domain nfs_t (dir (ioctl read getattr lock search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2899
      (allow svirt_sandbox_domain nfs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2902
      (allow svirt_sandbox_domain nfs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2904
      (allow svirt_sandbox_domain nfs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2906
      (allow svirt_sandbox_domain nfs_t (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
```
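
To make output like the above easier to read, this added example (not part of the original report or of container-selinux) groups the reported permissions by target type and class. It assumes, from the excerpt's layout, that each two-space-indented `(allow ...)` line is a permission set reported as exceeding the parent's bounds and that the six-space-indented rules beneath it are the policy rules it was derived from; the function names are hypothetical.

```python
import re

# Layout assumed from the excerpt in this report (not from tool documentation).
HEADER = re.compile(r"^Child type (\S+) exceeds bounds of parent (\S+)$")
VIOLATION = re.compile(r"^ {2}\(allow (\S+) (\S+) \((\S+) \(([^)]*)\)\)\)$")
SOURCE = re.compile(r"^ {6}\(allow (\S+) (\S+) \(")

# Abbreviated excerpt of the transaction output quoted in the description.
SAMPLE = """\
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t httpd_sys_content_t (lnk_file (read getattr)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1988
      (allow svirt_sandbox_domain exec_type (lnk_file (read getattr)))
  (allow container_t fusefs_t (dir (ioctl read lock add_name remove_name)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2737
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2738
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2744
      (allow svirt_sandbox_domain fusefs_t (dir (ioctl read write getattr lock add_name remove_name search open)))
  (allow container_t fusefs_t (dir (ioctl read create lock unlink link rename add_name remove_name reparent rmdir)))
  (allow container_t sysctl_fs_t (file (write append)))
    <root>
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2857
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2858
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2889
      (allow svirt_sandbox_domain sysctl_fs_t (file (ioctl read write getattr lock append open)))
"""


def summarize_bounds_violations(text):
    """Return {(child, parent): {(target, tclass): {"perms": set, "via": set}}}.

    "perms" is the union of permissions reported for that target/class;
    "via" holds the (source, target) pairs of the rules listed beneath it.
    """
    summary = {}
    pair = key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            pair, key = m.groups(), None
            summary.setdefault(pair, {})
            continue
        if pair is None:
            continue  # package-manager chatter before the first header
        m = VIOLATION.match(line)
        if m:
            _child, target, tclass, perms = m.groups()
            key = (target, tclass)
            entry = summary[pair].setdefault(key, {"perms": set(), "via": set()})
            entry["perms"].update(perms.split())
            continue
        m = SOURCE.match(line)
        if m and key is not None:
            summary[pair][key]["via"].add(m.groups())
    return summary


def format_report(summary):
    """Render the summary as one line per target type and class."""
    lines = []
    for (child, parent), rules in sorted(summary.items()):
        lines.append(f"{child} exceeds bounds of {parent}")
        for (target, tclass), entry in sorted(rules.items()):
            perms = " ".join(sorted(entry["perms"]))
            lines.append(f"  {target} {tclass} {{ {perms} }}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize_bounds_violations(SAMPLE))))
```
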

Comment 1 Robin Powell 2017-02-11 05:53:48 UTC
Oh, here's the status of other relevant packages on my system:

```
rlpowell@vrici> sudo yum list installed '*docker*' '*selinux*'
Last metadata expiration check: 0:15:57 ago on Fri Feb 10 21:37:36 2017 PST.
Installed Packages
container-selinux.noarch             2:2.7-1.fc26                       @rawhide
docker.x86_64                        2:1.12.6-17.git037a2f5.fc26        @rawhide
docker-common.x86_64                 2:1.12.6-17.git037a2f5.fc26        @rawhide
docker-rhel-push-plugin.x86_64       2:1.12.6-17.git037a2f5.fc26        @rawhide
libselinux.x86_64                    2.5-16.fc26                        @rawhide
libselinux-devel.x86_64              2.5-16.fc26                        @rawhide
libselinux-python.x86_64             2.5-16.fc26                        @rawhide
libselinux-python3.x86_64            2.5-16.fc26                        @rawhide
libselinux-ruby.x86_64               2.5-16.fc26                        @rawhide
libselinux-utils.x86_64              2.5-16.fc26                        @rawhide
rpm-plugin-selinux.x86_64            4.13.0-11.fc26                     @rawhide
selinux-policy.noarch                3.13.1-236.fc26                    @rawhide
selinux-policy-devel.noarch          3.13.1-236.fc26                    @rawhide
selinux-policy-doc.noarch            3.13.1-236.fc26                    @rawhide
selinux-policy-targeted.noarch       3.13.1-236.fc26                    @rawhide
```

Comment 2 Robin Powell 2017-02-11 06:36:19 UTC
I'm getting all kinds of badness like basic network operations don't work:

```
type=AVC msg=audit(1486794909.326:6236599): avc:  denied  { create } for  pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.327:6236600): avc:  denied  { create } for  pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.327:6236601): avc:  denied  { create } for  pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
type=AVC msg=audit(1486794909.335:6236602): avc:  denied  { create } for  pid=14174 comm="dnf" scontext=system_u:system_r:container_t:s0:c352,c747 tcontext=system_u:system_r:container_t:s0:c352,c747 tclass=udp_socket permissive=0
```

I assume that this is a side effect of this same issue.

Comment 3 Daniel Walsh 2017-02-12 05:55:05 UTC
Please update to selinux-policy-3.13.1-238.fc26
And then container-selinux-2.8-1.fc26

See if that works for you.

Comment 4 Robin Powell 2017-02-14 00:58:21 UTC
Uh.  My rawhide doesn't have that.

Comment 5 Robin Powell 2017-02-14 01:10:30 UTC
Oh, you meant koji, I guess.

No joy.

```
rlpowell@vrici> sudo yum list installed '*selinux*'
Last metadata expiration check: 0:10:48 ago on Mon Feb 13 16:59:13 2017 PST.
Installed Packages
container-selinux.noarch                 2:2.8-1.fc26              @@commandline
libselinux.x86_64                        2.5-16.fc26               @rawhide
libselinux-devel.x86_64                  2.5-16.fc26               @rawhide
libselinux-python.x86_64                 2.5-16.fc26               @rawhide
libselinux-python3.x86_64                2.5-16.fc26               @rawhide
libselinux-ruby.x86_64                   2.5-16.fc26               @rawhide
libselinux-utils.x86_64                  2.5-16.fc26               @rawhide
rpm-plugin-selinux.x86_64                4.13.0-11.fc26            @rawhide
selinux-policy.noarch                    3.13.1-238.fc26           @@commandline
selinux-policy-devel.noarch              3.13.1-238.fc26           @@commandline
selinux-policy-doc.noarch                3.13.1-238.fc26           @@commandline
selinux-policy-targeted.noarch           3.13.1-238.fc26           @@commandline
rlpowell@vrici> sudo yum reinstall container-selinux-2.8-1.fc26.noarch.rpm
Last metadata expiration check: 0:08:12 ago on Mon Feb 13 16:59:13 2017 PST.
Dependencies resolved.
==============================================================================================================================================================================
 Package                                        Arch                                Version                                   Repository                                 Size
==============================================================================================================================================================================
Reinstalling:
 container-selinux                              noarch                              2:2.8-1.fc26                              @commandline                               29 k

Transaction Summary
==============================================================================================================================================================================

Total size: 29 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Reinstalling: container-selinux-2:2.8-1.fc26.noarch                                                                                                                     1/2
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t httpd_sys_content_t (lnk_file (read getattr)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1986
      (allow svirt_sandbox_domain exec_type (lnk_file (read getattr)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2836
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2839
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3342
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3738
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4714
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4717
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4718
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4719
      (allow svirt_sandbox_domain httpd_sys_content_t (lnk_file (read getattr)))
  (allow container_t httpd_sys_content_t (file (ioctl read getattr lock open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1982
      (allow svirt_sandbox_domain exec_type (file (ioctl read getattr lock execute execute_no_trans open)))
    <root>
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2836
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2839
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3342
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:3738
    optional at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4714
    booleanif at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4717
    true at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4718
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:4721
      (allow svirt_sandbox_domain httpd_sys_content_t (file (ioctl read getattr lock open)))
```

Comment 6 Daniel Walsh 2017-02-14 14:45:42 UTC
Do you have the unconfined domain disabled?

Comment 7 Robin Powell 2017-02-14 16:28:58 UTC
Did I forget to mention that?  I did.  Sorry.

Yes, unconfined is disabled.

However, in case it matters, I kind of gave up a bit and:

```
rlpowell@vrici> sudo semanage permissive -l

Customized Permissive Types

container_runtime_t
container_t
```

Comment 8 Fedora Update System 2017-02-27 17:19:06 UTC
container-selinux-2.9-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7

Comment 9 Fedora End Of Life 2017-02-28 11:15:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 10 Fedora Update System 2017-03-01 02:53:11 UTC
container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-018d2c13f7

Comment 11 Fedora Update System 2017-03-02 01:21:23 UTC
container-selinux-2.9-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

