Description of problem:
Use docker-compose with host volumes and let the docker container try to access the host volume.

SELinux is preventing java from 'open' accesses on the file /dbscripts/V1.14.3__Atualiza_status_tarefas_anteriores.sql.

This happens when using docker-compose with host volumes. Within the Docker container, Java can't access the host volume.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/dbscripts/V1.14.3__Atualiza_status_tarefas_anteriores.sql default label should be default_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /dbscripts/V1.14.3__Atualiza_status_tarefas_anteriores.sql

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that java should be allowed open access on the V1.14.3__Atualiza_status_tarefas_anteriores.sql file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'java' --raw | audit2allow -M my-java
# semodule -X 300 -i my-java.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c415,c847
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /dbscripts/V1.14.3__Atualiza_status_tarefas_anteri ores.sql [ file ]
Source                        java
Source Path                   java
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.3.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.11.11-300.fc26.x86_64 #1 SMP Mon Jul 17 16:32:11 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-08-03 14:54:18 -03
Last Seen                     2017-08-03 14:54:21 -03
Local ID                      6d7cbef6-295f-40fb-bbcb-afd4a01b1a6f

Raw Audit Messages
type=AVC msg=audit(1501782861.607:742): avc: denied { open } for pid=23714 comm="java" path="/dbscripts/V1.14.3__Atualiza_status_tarefas_anteriores.sql" dev="dm-3" ino=2625999 scontext=system_u:system_r:container_t:s0:c415,c847 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

Hash: java,container_t,user_home_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-260.3.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.11-300.fc26.x86_64
type:           libreport

Looks like you are volume mounting in /dbscripts from your homedir without setting the :Z option on your volume mount

docker run ... -v /home/*ATHTO/dbscripts:/dbscripts:Z ...

Should fix this error.

http://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/
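
The diagnosis in the reply can be read directly from the AVC record: a `container_t` process was denied on a file that still carries a host label (`user_home_t`). The following is an added example, not part of the report, the reply or setroubleshoot, that triages such records. It assumes `container_file_t` is the type a `:z`/`:Z` mount applies (from the SELinux container policy, not from this page), uses a simplified MCS category comparison, and its second sample record is constructed.

```python
import re

# First record: the AVC line from the report. Second record: constructed for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1501782861.607:742): avc: denied { open } for pid=23714 comm="java" path="/dbscripts/V1.14.3__Atualiza_status_tarefas_anteriores.sql" dev="dm-3" ino=2625999 scontext=system_u:system_r:container_t:s0:c415,c847 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1501782900.100:750): avc: denied { write } for pid=23714 comm="java" path="/data/app.log" dev="dm-3" ino=2626001 scontext=system_u:system_r:container_t:s0:c415,c847 tcontext=system_u:object_r:container_file_t:s0:c1,c2 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')
PATH_RE = re.compile(r' path="([^"]*)"')
VOLUME_TYPE = "container_file_t"  # assumption: label applied by a :z/:Z mount

def split_context(ctx):
    """Split user:role:type[:level] into (type, set of MCS category numbers)."""
    parts = ctx.split(":", 3)
    level = parts[3].split("-")[-1] if len(parts) > 3 else ""
    cats = set()
    if ":" in level:
        for item in level.split(":", 1)[1].split(","):
            lo, _, hi = item.partition(".")      # "c0.c1023" is a range
            cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return parts[2], cats

def diagnose(line):
    """Classify one AVC denial raised by a container_t process, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, scats = split_context(m["s"])
    ttype, tcats = split_context(m["t"])
    if stype != "container_t":
        return None
    if ttype != VOLUME_TYPE:
        verdict = "wrong-type"      # host label kept: mount lacks :z/:Z
    elif not tcats <= scats:
        verdict = "mcs-mismatch"    # relabelled privately for another container
    else:
        verdict = "other"           # labels line up; cause lies elsewhere
    path = PATH_RE.search(line)
    return {"path": path.group(1) if path else None, "perms": m["perms"].split(),
            "target_type": ttype, "verdict": verdict}

def diagnose_all(text):
    return [d for d in map(diagnose, text.splitlines()) if d]

if __name__ == "__main__":
    for d in diagnose_all(SAMPLE_AUDIT):
        print(d["verdict"], d["target_type"], d["path"])
```

A `wrong-type` verdict points at the volume definition rather than at policy, so the fix belongs in the mount option, not in an `audit2allow` module that would let every container read `user_home_t` files.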