Bug 1595300 - unable to run containers; exec user process caused "permission denied"
Summary: unable to run containers; exec user process caused "permission denied"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: libsemanage
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1592488
Blocks: 1595316
 
Reported: 2018-06-26 14:35 UTC by Micah Abbott
Modified: 2018-09-25 14:23 UTC (History)

Fixed In Version: libsemanage-2.7-3.fc27.x86_64
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1592488
Clones: 1595316
Environment:
Last Closed: 2018-09-25 14:23:29 UTC
Type: Bug
Embargoed:



Description Micah Abbott 2018-06-26 14:35:47 UTC
Also observed on Fedora 27 Atomic Host

# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://fedora-atomic:fedora/27/x86_64/testing/atomic-host
                   Version: 27.184 (2018-06-19 16:06:20)
                    Commit: 7680a7dbfe4309c1fe27859505335ad8b5a03761b3ddc6339ff409ad3e3345c1
              GPGSignature: Valid signature by 860E19B0AFA800A1751881A6F55E7430F5282EE4


# docker run --rm -it registry.fedoraproject.org/fedora:28 echo 'hello'
standard_init_linux.go:178: exec user process caused "permission denied"

# journalctl -b | grep 'avc:  denied'
Jun 26 14:32:40 micah-f27ah-vm0626ba.localdomain audit[1253]: AVC avc:  denied  { entrypoint } for  pid=1253 comm="runc:[2:INIT]" path="/usr/bin/echo" dev="dm-0" ino=16780467 scontext=system_u:system_r:container_t:s0:c491,c888 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

# ls -lZ /var/lib/docker
total 0
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:32 containers
drwx------. 3 root root system_u:object_r:unlabeled_t:s0  22 Jun 26 14:08 image
drwxr-x---. 3 root root system_u:object_r:unlabeled_t:s0  19 Jun 26 14:08 network
drwx------. 4 root root system_u:object_r:unlabeled_t:s0 112 Jun 26 14:32 overlay2
drwx------. 4 root root system_u:object_r:unlabeled_t:s0  32 Jun 26 14:08 plugins
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:08 swarm
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:17 tmp
drwx------. 2 root root system_u:object_r:unlabeled_t:s0   6 Jun 26 14:08 trust
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  25 Jun 26 14:08 volumes




+++ This bug was initially created as a clone of Bug #1592488 +++

Using the latest Fedora Rawhide Atomic Host, I was unable to run a container using `docker`.  It appears SELinux denied the execution of the container:


# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20180616.n.0 (2018-06-16 09:30:08)
                    Commit: 1055dea1f99991fb56d5ae9e29cc6ff52fa01970555f82fcc8e929c7f717907f

# rpm -q docker container-selinux selinux-policy
docker-1.13.1-59.gitaf6b32b.fc29.x86_64
container-selinux-2.64-1.gitdfaf8fd.fc29.noarch
selinux-policy-3.14.2-25.fc29.noarch

# docker run -it --rm registry.fedoraproject.org/fedora echo 'hello'
Unable to find image 'registry.fedoraproject.org/fedora:latest' locally
Trying to pull repository registry.fedoraproject.org/fedora ... 
sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af: Pulling from registry.fedoraproject.org/fedora
bd02462c6d09: Pull complete 
Digest: sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af
Status: Downloaded newer image for registry.fedoraproject.org/fedora:latest
standard_init_linux.go:178: exec user process caused "permission denied"


# journalctl -b | grep 'avc:  denied'
Jun 18 15:56:19 micah-f28ah-vm0618a audit[1280]: AVC avc:  denied  { entrypoint } for  pid=1280 comm="runc:[2:INIT]" path="/usr/bin/echo" dev="dm-0" ino=58724330 scontext=system_u:system_r:container_t:s0:c256,c1017 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

--- Additional comment from Daniel Walsh on 2018-06-18 15:11:24 EDT ---

I would guess /var/lib/docker is mislabeled
restorecon -R -v /var/lib/docker

--- Additional comment from Micah Abbott on 2018-06-18 15:40:01 EDT ---

Dan, you are correct.  This is a problem if /var/lib/docker is getting relabeled after rebasing to Rawhide:


# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://fedora-atomic:fedora/28/x86_64/atomic-host
                   Version: 28.20180527.0 (2018-05-27 19:05:29)
                    Commit: 291ea90da29bc5abe757b5a50813b3de1396b08412939a89b3b671aba9856093
              GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1

# ls -lZ /var/lib/docker
total 0
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 18 19:21 containers
drwx------. 3 root root system_u:object_r:container_var_lib_t:s0 22 Jun 18 19:21 image
drwxr-x---. 3 root root system_u:object_r:container_var_lib_t:s0 19 Jun 18 19:21 network
drwx------. 3 root root system_u:object_r:container_share_t:s0   40 Jun 18 19:21 overlay2
drwx------. 4 root root system_u:object_r:container_var_lib_t:s0 32 Jun 18 19:21 plugins
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 18 19:21 swarm
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 18 19:21 tmp
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0  6 Jun 18 19:21 trust
drwx------. 2 root root system_u:object_r:container_var_lib_t:s0 25 Jun 18 19:21 volumes


# rpm-ostree rebase rawhide:fedora/rawhide/x86_64/atomic-host
2244 metadata, 9394 content objects fetched; 365209 KiB transferred in 555 seconds
Copying /etc changes: 20 modified, 0 removed, 50 added
Transaction complete; bootconfig swap: yes; deployment count change: 1
...

# systemctl reboot

$ ssh 10.8.250.36

# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20180616.n.0 (2018-06-16 09:30:08)
                    Commit: 1055dea1f99991fb56d5ae9e29cc6ff52fa01970555f82fcc8e929c7f717907f

  ostree://fedora-atomic:fedora/28/x86_64/atomic-host
                   Version: 28.20180527.0 (2018-05-27 19:05:29)
                    Commit: 291ea90da29bc5abe757b5a50813b3de1396b08412939a89b3b671aba9856093
              GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1
[root@micah-f28ah-vm0618b ~]# ls -lZ /var/lib/docker
total 0
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  6 Jun 18 19:21 containers
drwx------. 3 root root system_u:object_r:unlabeled_t:s0 22 Jun 18 19:21 image
drwxr-x---. 3 root root system_u:object_r:unlabeled_t:s0 19 Jun 18 19:21 network
drwx------. 3 root root system_u:object_r:unlabeled_t:s0 40 Jun 18 19:37 overlay2
drwx------. 4 root root system_u:object_r:unlabeled_t:s0 32 Jun 18 19:21 plugins
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  6 Jun 18 19:21 swarm
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  6 Jun 18 19:21 tmp
drwx------. 2 root root system_u:object_r:unlabeled_t:s0  6 Jun 18 19:21 trust
drwx------. 2 root root system_u:object_r:unlabeled_t:s0 25 Jun 18 19:21 volumes


# restorecon -R -v /var/lib/docker
Relabeled /var/lib/docker/tmp from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/containers from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins/tmp from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins/storage from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins/storage/blobs from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/plugins/storage/blobs/tmp from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/overlay2 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/overlay2/l from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/overlay2/backingFsBlockDev from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/layerdb from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb/content from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb/content/sha256 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb/metadata from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/imagedb/metadata/sha256 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/distribution from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/image/overlay2/repositories.json from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/volumes from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/volumes/metadata.db from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/trust from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/network from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/network/files from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/docker/network/files/local-kv.db from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0

--- Additional comment from Micah Abbott on 2018-06-18 15:44:36 EDT ---

Unfortunately, even after `restorecon`, containers are just silently dying:

# docker run -it registry.fedoraproject.org/fedora echo 'hello'
# echo $?
139
# journalctl -b | grep 'avc:  denied'
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0
Jun 18 19:43:31 micah-f28ah-vm0618b audit[1673]: AVC avc:  denied  { map } for  pid=1673 comm="echo" path="/usr/bin/coreutils" dev="dm-0" ino=58727044 scontext=system_u:system_r:container_t:s0:c37,c365 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

--- Additional comment from Daniel Walsh on 2018-06-18 16:47:32 EDT ---

This shows you have containers with two different labels. It looks like the tty of one container is being leaked into the container of a second.

--- Additional comment from Slawomir Czarko on 2018-06-20 10:08:50 EDT ---

On Fedora 28 I get this:

# docker run -it --rm  centos /bin/bash
standard_init_linux.go:178: exec user process caused "permission denied"

# echo $?
1

# journalctl -b | grep 'avc:  denied'
Jun 20 16:03:17 fenris audit[29545]: AVC avc:  denied  { entrypoint } for  pid=29545 comm="runc:[2:INIT]" path="/usr/bin/bash" dev="dm-8" ino=20710002 scontext=system_u:system_r:container_t:s0:c612,c807 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


It works with --privileged

I did:
restorecon -R -v /var/lib/docker

but it didn't change anything

--- Additional comment from Daniel Walsh on 2018-06-20 10:17:35 EDT ---

What storage driver are you using?

Is the root file system mounted at /var/lib/docker?

--- Additional comment from Slawomir Czarko on 2018-06-20 10:22:51 EDT ---

It turns out I was using a custom value for --graph. After resetting to the default the problem went away.

--- Additional comment from Daniel Walsh on 2018-06-20 10:27:58 EDT ---

Awesome. BTW, have you looked at podman?

--- Additional comment from Micah Abbott on 2018-06-20 10:44:14 EDT ---

Dan, this was originally opened against Rawhide and it is still an issue there.

--- Additional comment from Micah Abbott on 2018-06-20 11:14:41 EDT ---

Yeah, I even confirmed this on Fedora Server with a fresh install of docker:


# cat /etc/os-release
NAME=Fedora
VERSION="29 (Cloud Edition)"
ID=fedora
VERSION_ID=29
PLATFORM_ID="platform:f29"
PRETTY_NAME="Fedora 29 (Cloud Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:29"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Cloud Edition"
VARIANT_ID=cloud


# dnf -y install docker
...


# systemctl enable docker --now
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.

# docker run -it --rm registry.fedoraproject.org/fedora echo 'hello'
Unable to find image 'registry.fedoraproject.org/fedora:latest' locally
Trying to pull repository registry.fedoraproject.org/fedora ...
sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af: Pulling from registry.fedoraproject.org/fedora
bd02462c6d09: Pull complete
Digest: sha256:39994db8f1ee63244dc6baa35cd88988eb4be8ac6c026be0570bd618fd84d5af
Status: Downloaded newer image for registry.fedoraproject.org/fedora:latest

# echo $?
139

# journalctl -b | grep 'avc:  denied'
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { read write } for  pid=2240 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:container_file_t:s0:c104,c514 tclass=chr_file permissive=0
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { read write } for  pid=2240 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:container_file_t:s0:c104,c514 tclass=chr_file permissive=0
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { read write } for  pid=2240 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:container_file_t:s0:c104,c514 tclass=chr_file permissive=0
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { read write } for  pid=2240 comm="echo" path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:container_file_t:s0:c104,c514 tclass=chr_file permissive=0
Jun 20 15:11:24 micah-f28c-vm0620a audit[2240]: AVC avc:  denied  { map } for  pid=2240 comm="echo" path="/usr/bin/coreutils" dev="vda1" ino=656920 scontext=system_u:system_r:container_t:s0:c104,c514 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


# rpm -q container-selinux docker selinux-policy
container-selinux-2.64-1.gitdfaf8fd.fc29.noarch
docker-1.13.1-59.gitaf6b32b.fc29.x86_64
selinux-policy-3.14.2-25.fc29.noarch


# ls -lZ /var/lib/docker
total 36
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:11 containers
drwx------. 3 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 image
drwxr-x---. 3 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 network
drwx------. 4 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:11 overlay2
drwx------. 4 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 plugins
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 swarm
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:11 tmp
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 trust
drwx------. 2 root root system_u:object_r:var_lib_t:s0 4096 Jun 20 15:10 volumes



I did notice this during the install of docker/container-selinux:

...
  Installing       : policycoreutils-python-utils-2.8-3.fc29.noarch                    18/27
  Installing       : container-selinux-2:2.64-1.gitdfaf8fd.fc29.noarch                 19/27
  Running scriptlet: container-selinux-2:2.64-1.gitdfaf8fd.fc29.noarch                 19/27
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9194
  (neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1554
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1678
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2069
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))

Failed to generate binary
/usr/sbin/semodule:  Failed!
  Installing       : python3-pytoml-0.1.16-1.fc29.noarch                                                                                                                                                     20/27
  Installing       : atomic-registries-1.22.1-22.git5a342e3.fc29.x86_64                                                                   
...
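
The three kinds of AVC denial quoted in this report each point at a different root cause: image files left as unlabeled_t (mislabeled docker root, fixed by restorecon), storage relabeled to plain var_lib_t because the container policy module failed to install, and a container denied its pty. The triage script below is an added illustration, not part of this bug or of any Fedora tooling: it parses lines of `journalctl -b | grep 'avc:  denied'` output and maps each to the remediation the thread arrived at. The sample lines are copied from this report (hostnames shortened); the verdict names and advice strings are my own.

```python
import re

# Sample AVC records copied from the denials quoted in this bug report (hostnames
# shortened); they stand in for `journalctl -b | grep 'avc:  denied'` output.
SAMPLE_AVCS = [
    'Jun 26 14:32:40 host audit[1253]: AVC avc:  denied  { entrypoint } for  pid=1253 comm="runc:[2:INIT]" '
    'path="/usr/bin/echo" dev="dm-0" ino=16780467 scontext=system_u:system_r:container_t:s0:c491,c888 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
    'Jun 18 19:43:31 host audit[1673]: AVC avc:  denied  { read write } for  pid=1673 comm="echo" '
    'path="/1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c37,c365 '
    'tcontext=system_u:object_r:container_file_t:s0:c37,c365 tclass=chr_file permissive=0',
    'Jun 18 19:43:31 host audit[1673]: AVC avc:  denied  { map } for  pid=1673 comm="echo" '
    'path="/usr/bin/coreutils" dev="dm-0" ino=58727044 scontext=system_u:system_r:container_t:s0:c37,c365 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
]

# Fields of an AVC record; comm/path/dev are optional because not every object class has them.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'(?:.*?\bcomm="(?P<comm>[^"]*)")?'
    r'(?:.*?\bpath="(?P<path>[^"]*)")?'
    r'(?:.*?\bdev="(?P<dev>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Remediation hints (my wording) for the failure modes established in the bug thread.
ADVICE = {
    'mislabeled-storage':
        'image files carry unlabeled_t: run `restorecon -R -v` on the docker root and check '
        'that a custom --graph directory has a matching file-context rule',
    'container-policy-missing':
        'storage relabeled to var_lib_t instead of container_var_lib_t: the container SELinux '
        'module did not load (look for "neverallow check failed" / semodule "Failed!" in the install log)',
    'pty-mcs-match': 'container denied its own pty although source and target MCS categories match',
    'pty-mcs-mismatch': "pty carrying another container's MCS categories leaked into this container",
    'other': 'container_t denial not covered by this bug',
    'not-container': 'source domain is not container_t',
}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return dict(m.groupdict(), perms=m.group('perms').split())

def split_context(ctx):
    """user:role:type:level -> (type, MCS categories); a bare 's0' level has no categories."""
    _user, _role, stype, level = ctx.split(':', 3)
    cats = frozenset(level.split(':', 1)[1].split(',')) if ':' in level else frozenset()
    return stype, cats

def classify(rec):
    """Map one parsed denial to the failure mode it matches, in the order seen in this bug."""
    stype, scats = split_context(rec['scontext'])
    ttype, tcats = split_context(rec['tcontext'])
    if stype != 'container_t':
        return 'not-container'
    if 'entrypoint' in rec['perms'] and rec['tclass'] == 'file' and ttype == 'unlabeled_t':
        return 'mislabeled-storage'
    if rec['tclass'] == 'file' and ttype == 'var_lib_t':
        return 'container-policy-missing'
    if rec['tclass'] == 'chr_file' and rec.get('dev') == 'devpts':
        return 'pty-mcs-match' if scats == tcats else 'pty-mcs-mismatch'
    return 'other'

def triage(lines):
    """Return [(verdict, advice)] for every AVC denial found in the given log lines."""
    recs = [r for r in map(parse_avc, lines) if r]
    return [(v, ADVICE[v]) for v in map(classify, recs)]

if __name__ == '__main__':
    print(*triage(SAMPLE_AVCS), sep='\n')
```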

Comment 1 Micah Abbott 2018-06-26 14:43:24 UTC
This is probably an error with container-selinux...

From the Atomic Host compose log:

https://kojipkgs.fedoraproject.org//work/tasks/3712/27853712/runroot.log

<snip>
Installing packages: 60%
setsebool:  SELinux is disabled.
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9014
  (neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1489
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1673
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2064
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))

Failed to generate binary
/usr/sbin/semodule:  Failed!
<snip>

Comment 2 Daniel Walsh 2018-06-26 16:02:51 UTC
Libsemanage should not be turning on the expand-check variable, this is causing policy to not be able to be compiled, and is breaking things.  This check should only be turned on when building selinux-policy, not for layered products installing software.

Comment 3 Micah Abbott 2018-06-27 15:36:06 UTC
This appears to be fixed by 'libsemanage-2.7-3.fc27.x86_64' attached to the following update:

https://bodhi.fedoraproject.org/updates/FEDORA-2018-76f1fc8358

