Description of problem:

This issue can be reproduced when using either s2i builder images for dotnet core or using microsoft provided dotnet core images. The following are example commands to reproduce.

> docker run --rm -it microsoft/dotnet:latest bash -c "dotnet new console; dotnet run"
> docker run --rm registry.access.redhat.com/dotnet/dotnet-20-rhel7:latest bash -c "dotnet new console; dotnet run"

This also occurs when using "s2i build" commands. An upstream bug report is already filed for the dotnet container. [https://github.com/dotnet/dotnet-docker/issues/343]

The following coredump was associated with this issue.

> Stack trace of thread 103:
> #0 0x00007fd4db95dfcf n/a (/lib/x86_64-linux-gnu/libc-2.24.so)
> #1 0x00007fd4db17cbcb n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #2 0x00007fd4daee58a8 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #3 0x00007fd4daee5959 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #4 0x00007fd4dae562d9 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #5 0x00007fd461d33d3a n/a (n/a)
> #6 0x00007fd461d32eb8 n/a (n/a)
> #7 0x00007fd4daef2067 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #8 0x00007fd4dae02e40 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #9 0x00007fd4daf13db4 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #10 0x00007fd4daf14033 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #11 0x00007fd4dad4550b n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #12 0x00007fd4dad1fe86 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libcoreclr.so)
> #13 0x00007fd4db43e433 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libhostpolicy.so)
> #14 0x00007fd4db4330d8 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libhostpolicy.so)
> #15 0x00007fd4db433772 n/a (/usr/share/dotnet/shared/Microsoft.NETCore.App/2.0.3/libhostpolicy.so)
> #16 0x00007fd4db6f38f4 n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #17 0x00007fd4db6fd978 n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #18 0x00007fd4db6fc8f7 n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #19 0x00007fd4db6fdfac n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #20 0x00007fd4db6f3975 n/a (/usr/share/dotnet/host/fxr/2.0.3/libhostfxr.so)
> #21 0x000000000040c42a _Z3runiPPKc (dotnet)
> #22 0x000000000040c597 main (dotnet)
> #23 0x00007fd4db94b2b1 n/a (/lib/x86_64-linux-gnu/libc-2.24.so)

SELinux is preventing dotnet from 'map' accesses on the chr_file /dev/zero.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that dotnet should be allowed map access on the zero chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dotnet' --raw | audit2allow -M my-dotnet
# semodule -X 300 -i my-dotnet.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c438,c767
Target Context                system_u:object_r:container_file_t:s0:c438,c767
Target Objects                /dev/zero [ chr_file ]
Source                        dotnet
Source Path                   dotnet
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.16.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.13-300.fc27.x86_64 #1 SMP Wed Nov 15 15:47:50 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-11-27 23:52:15 NZDT
Last Seen                     2017-11-27 23:52:17 NZDT
Local ID                      7be0d4e5-5bbe-4bb9-a183-641d8471e131

Raw Audit Messages
type=AVC msg=audit(1511779937.59:5619): avc: denied { map } for pid=26481 comm="dotnet" path="/dev/zero" dev="tmpfs" ino=1615430 scontext=system_u:system_r:container_t:s0:c438,c767 tcontext=system_u:object_r:container_file_t:s0:c438,c767 tclass=chr_file permissive=0

Hash: dotnet,container_t,container_file_t,chr_file,map

Version-Release number of selected component:
selinux-policy-3.13.1-283.16.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.13-300.fc27.x86_64
type:           libreport
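Added example, not part of the original report or of setroubleshoot: a small triage script that parses the raw AVC record above, rebuilds the five fields shown on the report's Hash line, and checks whether the source and target MCS categories match. Here both sides carry c438,c767, so the denial points at a missing type-enforcement rule for container_t rather than at category separation between containers. The function names, the cause labels and the second sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# First record is the AVC from the report; the second is constructed for contrast.
SAMPLE = [
    'type=AVC msg=audit(1511779937.59:5619): avc: denied { map } for pid=26481 '
    'comm="dotnet" path="/dev/zero" dev="tmpfs" ino=1615430 '
    'scontext=system_u:system_r:container_t:s0:c438,c767 '
    'tcontext=system_u:object_r:container_file_t:s0:c438,c767 '
    'tclass=chr_file permissive=0',
    'type=AVC msg=audit(1511779940.10:5700): avc: denied { read } for pid=30001 '
    'comm="cat" path="/data/example" dev="dm-0" ino=42 '
    'scontext=system_u:system_r:container_t:s0:c1,c2 '
    'tcontext=system_u:object_r:container_file_t:s0:c3,c4 '
    'tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """user:role:type[:level]; the level keeps its own ':' (e.g. s0:c438,c767)."""
    user, role, typ, level = (ctx.split(':', 3) + [''])[:4]
    cats = level.partition(':')[2]  # category ranges (c0.c1023) are not expanded
    return {'type': typ, 'cats': frozenset(cats.split(',')) if cats else frozenset()}

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if 'scontext' not in kv or 'tcontext' not in kv:
        return None
    return {'perms': m.group(1).split(), 'comm': kv.get('comm', ''),
            'path': kv.get('path'), 'tclass': kv.get('tclass', ''),
            'src': split_context(kv['scontext']), 'tgt': split_context(kv['tcontext'])}

def triage(line):
    """Return (key, cause); key uses the same fields as the report's Hash line."""
    d = parse_avc(line)
    if d is None:
        return None
    key = ','.join([d['comm'], d['src']['type'], d['tgt']['type'],
                    d['tclass'], ' '.join(d['perms'])])
    # Heuristic: identical category sets satisfy MCS separation, so what is
    # missing is an allow rule for this type/class/permission combination.
    same = d['src']['cats'] == d['tgt']['cats']
    return key, 'type_enforcement' if same else 'mcs_mismatch'

def summarize(lines):
    return Counter(t for t in map(triage, lines) if t)

if __name__ == '__main__':
    for (key, cause), n in summarize(SAMPLE).items():
        print(n, cause, key)
```
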
rpm -q container-selinux
> $ rpm -q container-selinux
> container-selinux-2.29-1.fc27.noarch
I just put container-selinux-2.36 into fedora 27 updates. Should fix this issue.
Thanks Dan!
Please test it and update karma.
Updated https://bodhi.fedoraproject.org/updates/FEDORA-2017-27cf1ada3a

The fix was locally verified.

> $ sudo dnf info container-selinux
> Last metadata expiration check: 1:10:00 ago on Sun 03 Dec 2017 12:36:30 NZDT.
> Installed Packages
> Name         : container-selinux
> Epoch        : 2
> Version      : 2.36
> Release      : 1.fc27
> Arch         : noarch
> Size         : 35 k
> Source       : container-selinux-2.36-1.fc27.src.rpm
> Repo         : @System
> From repo    : @commandline
> Summary      : SELinux policies for container runtimes
> URL          : https://github.com/projectatomic/container-selinux
> License      : GPLv2
> Description  : SELinux policy modules for use with container runtimes.
>
> $ docker run --rm registry.access.redhat.com/dotnet/dotnet-20-rhel7:latest bash -c "dotnet new console; dotnet run"
> Getting ready...
> The template "Console Application" was created successfully.
>
> Processing post-creation actions...
> Running 'dotnet restore' on /opt/app-root/src/src.csproj...
> Restoring packages for /opt/app-root/src/src.csproj...
> Installing Microsoft.NETCore.DotNetAppHost 2.0.0.
> Installing Microsoft.NETCore.DotNetHostResolver 2.0.0.
> Installing Microsoft.NETCore.App 2.0.0.
> Installing NETStandard.Library 2.0.0.
> Installing Microsoft.NETCore.DotNetHostPolicy 2.0.0.
> Installing Microsoft.NETCore.Platforms 2.0.0.
> Generating MSBuild file /opt/app-root/src/obj/src.csproj.nuget.g.props.
> Generating MSBuild file /opt/app-root/src/obj/src.csproj.nuget.g.targets.
> Restore completed in 8.77 sec for /opt/app-root/src/src.csproj.
>
>
> Restore succeeded.
>
> Hello World!