Description of problem:
SELinux is preventing start-boinc.sh from 'write' accesses on the directory /opt/appdata/boinc.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow start-boinc.sh to have write access on the boinc directory
Then you need to change the label on /opt/appdata/boinc
Do
# semanage fcontext -a -t FILE_TYPE '/opt/appdata/boinc'
where FILE_TYPE is one of the following: container_file_t, container_var_lib_t, nfs_t, svirt_home_t, tmpfs_t, virt_home_t.
Then execute:
restorecon -v '/opt/appdata/boinc'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that start-boinc.sh should be allowed write access on the boinc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'start-boinc.sh' --raw | audit2allow -M my-startboincsh
# semodule -X 300 -i my-startboincsh.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c313,c596
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/appdata/boinc [ dir ]
Source                        start-boinc.sh
Source Path                   start-boinc.sh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.15.17-300.fc27.x86_64 #1 SMP Thu Apr 12 18:19:17 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-04-22 14:40:09 MDT
Last Seen                     2018-04-22 14:40:13 MDT
Local ID                      d11f4a4c-fbf5-4d84-b429-bf49186b612c

Raw Audit Messages
type=AVC msg=audit(1524429613.394:5883): avc: denied { write } for pid=588 comm="boinc" name="boinc" dev="dm-0" ino=4343940 scontext=system_u:system_r:container_t:s0:c313,c596 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0

Hash: start-boinc.sh,container_t,usr_t,dir,write

Additional info:
component: selinux-policy
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.17-300.fc27.x86_64
type: libreport
This looks like you are volume mounting content into the container that you want the container to write. You should add :Z to the end of your volume command.
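
The diagnosis in the comment above can be read straight off the raw audit message. The following is an added example, not part of the original report or comment: it parses an AVC denial and flags the case where a container_t process is denied on a host path whose type is not one of those the report lists (function names are illustrative).

```python
import re

# Target types the report above lists as acceptable for this access.
CONTAINER_WRITABLE = {"container_file_t", "container_var_lib_t", "nfs_t",
                      "svirt_home_t", "tmpfs_t", "virt_home_t"}

# Raw audit message copied from the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1524429613.394:5883): avc: denied { write } for pid=588 '
    'comm="boinc" name="boinc" dev="dm-0" ino=4343940 '
    'scontext=system_u:system_r:container_t:s0:c313,c596 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the level itself may contain ':'.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key + "_type"] = parts[2] if len(parts) > 2 else ""
        rec[key + "_level"] = parts[3] if len(parts) > 3 else ""
    return rec


def is_unlabeled_volume_denial(rec):
    """True when a container_t process was denied on a file or directory whose
    type is not one a container may write, i.e. host content mounted as-is."""
    return (rec is not None
            and rec["scontext_type"] == "container_t"
            and rec.get("tclass") in ("dir", "file")
            and rec["tcontext_type"] not in CONTAINER_WRITABLE)


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    if is_unlabeled_volume_denial(rec):
        print(f"{rec['comm']}: {rec['perms']} denied on {rec['tclass']} "
              f"'{rec['name']}' labeled {rec['tcontext_type']}; mount with :Z")
```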