Description of problem:
Run any command in a Debian based Docker container, such as:

    docker run --rm debian:latest echo Hello World

SELinux is preventing runc:[2:INIT] from 'entrypoint' accesses on the file /bin/echo.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/bin/echo default label should be bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /bin/echo

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that runc:[2:INIT] should be allowed entrypoint access on the echo file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
# semodule -X 300 -i my-runc2INIT.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c73,c380
Target Context                system_u:object_r:container_var_lib_t:s0
Target Objects                /bin/echo [ file ]
Source                        runc:[2:INIT]
Source Path                   runc:[2:INIT]
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           coreutils-8.29-6.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.4-300.fc28.x86_64 #1 SMP Tue Apr 24 22:15:13 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-29 09:15:04 PDT
Last Seen                     2018-04-29 09:15:04 PDT
Local ID                      6dc5df0c-0884-407f-980d-4e2f8d181bf1

Raw Audit Messages
type=AVC msg=audit(1525018504.959:707): avc: denied { entrypoint } for pid=32126 comm="runc:[2:INIT]" path="/bin/echo" dev="dm-1" ino=1341736 scontext=system_u:system_r:container_t:s0:c73,c380 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0

Hash: runc:[2:INIT],container_t,container_var_lib_t,file,entrypoint

Version-Release number of selected component:
selinux-policy-3.14.1-21.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.4-300.fc28.x86_64
type:           libreport

Previously worked under Fedora 27, broken after clean upgrade to Fedora 28 Beta.

$ dnf info docker
Installed Packages
Name         : docker
Epoch        : 2
Version      : 1.13.1
Release      : 51.git4032bd5.fc28
Arch         : x86_64
Size         : 67 M
Source       : docker-1.13.1-51.git4032bd5.fc28.src.rpm
Repo         : @System
From repo    : fedora
Summary      : Automates deployment of containerized applications
URL          : https://github.com/projectatomic/docker
Did you switch to an Overlay2 back end? Does restorecon -R -v /var/lib/docker change the labels in /var/lib/docker/overlay2 and solve this problem?
I did not manually change the back-end, but it appears I am using overlay2. Running restorecon did fix the issue, thanks for that! Is there a chance other people will run into this? I'm happy to try and reproduce the upgrade in a VM or whatever else may be useful.

$ docker info
...
Storage Driver: overlay2
...

$ restorecon -R -v /var/lib/docker
...
Relabeled /var/lib/docker/tmp/docker-builder601697712/<file> from system_u:object_r:var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0
...
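An added triage helper for denials like the AVC record in this report; it is not part of the bug report, of setroubleshoot, or of the docker or selinux-policy projects. It parses raw audit lines (the format printed by setroubleshoot's "Raw Audit Messages" and by ausearch -m AVC --raw), prints a digest of each denial, and emits a dry-run restorecon command (-n, so nothing is changed) for the storage root, which lets the relabel be previewed before it is applied the way it was above. The sample line is the report's own raw audit message; the default root /var/lib/docker and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): triage AVC denials of the kind
# shown above. Extract the denied permission, path and source/target types
# from raw audit lines and print a dry-run restorecon for the storage root.

# Constructed sample: the report's raw audit message, as one line.
SAMPLE_AVC='type=AVC msg=audit(1525018504.959:707): avc: denied { entrypoint } for pid=32126 comm="runc:[2:INIT]" path="/bin/echo" dev="dm-1" ino=1341736 scontext=system_u:system_r:container_t:s0:c73,c380 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=value in LINE, quotes stripped; empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:level], e.g. container_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one-line digest of a denial; fails (prints nothing) for
# records that are not AVC denials, such as the SYSCALL lines ausearch adds.
avc_summary() {
    case "$1" in
        *"avc: denied"*) ;;
        *) return 1 ;;
    esac
    printf 'perm=%s class=%s path=%s src=%s tgt=%s\n' \
        "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$(avc_field "$1" path)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# avc_dryrun_cmd LINE [ROOT]: the restorecon dry run to review before relabeling.
# The path in the record is the one the denied process saw; for a container
# that is the in-container path, while the backing file lives under the
# storage root on the host (assumed default: /var/lib/docker, as in the thread).
avc_dryrun_cmd() {
    root="${2:-/var/lib/docker}"
    printf 'restorecon -n -R -v %s   # path seen by %s: %s\n' \
        "$root" "$(avc_field "$1" comm)" "$(avc_field "$1" path)"
}

# triage_avc_log FILE: digest every AVC record in FILE (e.g. saved ausearch output).
triage_avc_log() {
    while IFS= read -r line; do
        avc_summary "$line" || continue
    done < "$1"
}

# Stand-alone usage on the constructed sample:
avc_summary "$SAMPLE_AVC"
avc_dryrun_cmd "$SAMPLE_AVC"
```

Once the dry run shows only the expected label changes under the storage root, the same command without -n applies them, which is the fix that worked in this thread.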
I am not sure how this can happen. If you were to rm -rf /var/lib/docker, I think everything would get labeled correctly. For some reason during the update you either had an overlay2 directory preexisting, and we did not catch it, or somehow it got mislabeled.
I'm not sure either. I have tried applying custom SELinux policy on this machine before, but nothing Docker related. Unless someone else runs into this, I'd say this can be closed. Thanks for your help!

Random asides:
- Based on the creation date of /var/lib/docker/overlay2/, I installed docker in Feb of 2017; I would have been running Fedora 25 back then.
- Just for kicks I did a clean F27 install and upgraded it; docker worked as expected before and after the upgrade.