moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

rootfs not labeled with SELinux mount label #2320

Open bcressey opened 3 years ago

bcressey commented 3 years ago

In #1966 support was added for obtaining the process and mount labels on an SELinux-enabled system.

This works correctly for labeling the process, and for labeling most mounts. However, the new generateSecurityOpts() function is called from oci.GenerateSpec, which only happens after mounting the rootfs.

As a result, the root filesystem is not mounted with the expected mount label, and may not be writable by the container process, which ends up with a restricted label.

We first observed this in https://github.com/bottlerocket-os/bottlerocket/issues/1187 but one of our developers saw a similar problem with a new Fedora install.

bcressey commented 3 years ago

This may be the root cause for #2295 as well - if the overlayfs is not mounted with a context= override, then the SELinux label will be the same as the underlying directory. If that's unlabeled_t then it may not be valid as an entry point into the container_t domain. With the mount label applied, it would be labeled as container_t and the transition would succeed.

I don't have a quick way to validate that hypothesis at the moment. Happy to have this resolved as a duplicate if it turns out to be the same problem.
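As an added illustration of the two points made above (the mount label has to exist before the rootfs overlay is mounted, because it travels as a mount option; and an overlay mounted without a context= option simply inherits the label of its backing directory), here is a small Go program. It is not buildkit's code and not part of the issue: the helper names, the sample label and the mountinfo lines are constructed for the example. formatMountLabel follows the same `,context="..."` shape that the go-selinux label package produces, and the mountinfo parser is a check a host administrator can run over /proc/self/mountinfo to find overlay mounts that never received a label.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not buildkit's code. Helper names, the label value and the
// mountinfo sample below are assumptions constructed for illustration.

// contextOpt matches the context= superblock option. The value is quoted
// because an MLS range such as s0:c1,c2 contains a comma, so naively
// splitting the option string on "," would break the label apart.
var contextOpt = regexp.MustCompile(`(^|,)context="([^"]*)"`)

// formatMountLabel appends the SELinux mount label to existing mount options
// in the form the kernel expects. An empty label (SELinux disabled or no
// label computed yet) leaves the options untouched, which is exactly the
// situation the issue describes: the rootfs ends up with no context= option.
func formatMountLabel(opts, mountLabel string) string {
	if mountLabel == "" {
		return opts
	}
	if opts == "" {
		return fmt.Sprintf("context=\"%s\"", mountLabel)
	}
	return fmt.Sprintf("%s,context=\"%s\"", opts, mountLabel)
}

// overlayOptions builds the option string for a rootfs overlay mount. The
// mount label is an input, i.e. it must be known before the mount is made;
// computing it afterwards (as the issue reports for generateSecurityOpts)
// cannot retroactively label the already-mounted rootfs.
func overlayOptions(lower, upper, work, mountLabel string) string {
	opts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work)
	return formatMountLabel(opts, mountLabel)
}

// mountContext returns the context= value from one /proc/self/mountinfo
// line, or "" when the mount carries no label. Superblock options follow
// the " - " separator as "<fstype> <source> <super options>".
func mountContext(mountinfoLine string) string {
	_, after, found := strings.Cut(mountinfoLine, " - ")
	if !found {
		return ""
	}
	fields := strings.Fields(after)
	if len(fields) < 3 {
		return ""
	}
	m := contextOpt.FindStringSubmatch(fields[2])
	if m == nil {
		return ""
	}
	return m[2]
}

// unlabeledOverlays returns the mount points (field 5 of mountinfo) of all
// overlay mounts in a mountinfo dump that have no context= option.
func unlabeledOverlays(mountinfo string) []string {
	var out []string
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		_, after, ok := strings.Cut(line, " - ")
		if len(f) < 5 || !ok {
			continue
		}
		sf := strings.Fields(after)
		if len(sf) == 0 || sf[0] != "overlay" {
			continue
		}
		if mountContext(line) == "" {
			out = append(out, f[4])
		}
	}
	return out
}

// sampleMountinfo is a constructed excerpt: rootfs-a was mounted without a
// label (the bug), rootfs-b with one, and sysfs is unrelated noise.
const sampleMountinfo = `42 31 0:45 / /tmp/example/rootfs-a rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
43 31 0:46 / /tmp/example/rootfs-b rw,relatime - overlay overlay rw,context="system_u:object_r:container_file_t:s0:c42,c17",lowerdir=/l2,upperdir=/u2,workdir=/w2
44 31 0:5 / /sys rw,nosuid - sysfs sysfs rw`

func main() {
	label := "system_u:object_r:container_file_t:s0:c1,c2" // constructed sample label
	fmt.Println("rootfs mount options:", overlayOptions("/l", "/u", "/w", label))
	for _, mp := range unlabeledOverlays(sampleMountinfo) {
		fmt.Println("overlay without context= option:", mp)
	}
}
```

On a real host, feeding the contents of /proc/self/mountinfo to unlabeledOverlays lists every overlay rootfs that inherited its backing directory's label; an entry there is the condition under which the entrypoint denial in the later comments appears.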

tonistiigi commented 3 years ago

@cpuguy83

aucampia commented 2 years ago

I'm getting this error on Fedora 34, using Docker version 20.10.8, build 3967b7d

$ cat Dockerfile 
FROM docker.io/alpine:3

RUN cat /etc/os-release
$ DOCKER_BUILDKIT=1 docker build - < Dockerfile 
[+] Building 0.6s (5/5) FINISHED                                                                                                                                             
 => [internal] load build definition from Dockerfile                                                                                                                    0.1s
 => => transferring dockerfile: 159B                                                                                                                                    0.0s
 => [internal] load .dockerignore                                                                                                                                       0.1s
 => => transferring context: 2B                                                                                                                                         0.0s
 => [internal] load metadata for docker.io/library/alpine:3                                                                                                             0.0s
 => CACHED [1/2] FROM docker.io/library/alpine:3                                                                                                                        0.0s
 => ERROR [2/2] RUN cat /etc/os-release                                                                                                                                 0.3s
------                                                                                                                                                                       
 > [2/2] RUN cat /etc/os-release:
#4 0.297 standard_init_linux.go:228: exec user process caused: permission denied
------
executor failed running [/bin/sh -c cat /etc/os-release]: exit code: 1

The following SELinux error comes up when this happens:

Sep 27 16:01:38 iwana-pc00.coop.no setroubleshoot[2169086]: SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox. For complete SELinux messages run: sealert -l 440df748-3a56-495b-b17d-037cc6fabc88
Sep 27 16:01:38 iwana-pc00.coop.no setroubleshoot[2169086]: SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox.

                                                            *****  Plugin restorecon (54.2 confidence) suggests   ************************

                                                            If you want to fix the label. 
                                                            /bin/busybox default label should be bin_t.
                                                            Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                                            Do
                                                            # /sbin/restorecon -v /bin/busybox

                                                            *****  Plugin file (16.6 confidence) suggests   ******************************

                                                            This is caused by a newly created file system.
                                                            Then you need to add labels to it.
                                                            Do
                                                            /sbin/restorecon -R -v /bin/busybox

                                                            *****  Plugin file (16.6 confidence) suggests   ******************************

                                                            If you think this is caused by a badly mislabeled machine.
                                                            Then you need to fully relabel.
                                                            Do
                                                            touch /.autorelabel; reboot

                                                            *****  Plugin catchall_labels (3.18 confidence) suggests   *******************

                                                            If you want to allow runc:[2:INIT] to have entrypoint access on the busybox file
                                                            Then you need to change the label on /bin/busybox
                                                            Do
                                                            # semanage fcontext -a -t FILE_TYPE '/bin/busybox'
                                                            where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_initrc_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_initrc_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_upload_watch_exec_t, abrt_watch_log_exec_t, accountsd_exec_t, acct_exec_t, acct_initrc_exec_t, admin_home_t, admin_passwd_exec_t, afs_bosserver_exec_t, afs_exec_t, afs_fsserver_exec_t, afs_initrc_exec_t, afs_kaserver_exec_t, afs_ptserver_exec_t, afs_vlserver_exec_t, aiccu_exec_t, aiccu_initrc_exec_t, aide_exec_t, ajaxterm_exec_t, ajaxterm_initrc_exec_t, alsa_exec_t, amanda_exec_t, amanda_inetd_exec_t, amanda_recover_exec_t, amtu_exec_t, amtu_initrc_exec_t, anaconda_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_exec_t, antivirus_initrc_exec_t, apcupsd_cgi_script_exec_t, apcupsd_exec_t, apcupsd_initrc_exec_t, apm_exec_t, apmd_exec_t, apmd_initrc_exec_t, arpwatch_exec_t, arpwatch_initrc_exec_t, asterisk_exec_t, asterisk_initrc_exec_t, audisp_exec_t, audisp_remote_exec_t, audit_spool_t, auditctl_exec_t, auditd_exec_t, auditd_initrc_exec_t, auditd_log_t, authconfig_exec_t, autofs_t, automount_exec_t, automount_initrc_exec_t, automount_tmp_t, avahi_exec_t, avahi_initrc_exec_t, awstats_exec_t, awstats_script_exec_t, bacula_admin_exec_t, bacula_exec_t, bacula_initrc_exec_t, bacula_store_t, bacula_unconfined_script_exec_t, bcfg2_exec_t, bcfg2_initrc_exec_t, bin_t, binfmt_misc_fs_t, bitlbee_exec_t, bitlbee_initrc_exec_t, blkmapd_exec_t, blkmapd_initrc_exec_t, blktap_exec_t, blueman_exec_t, bluetooth_exec_t, bluetooth_helper_exec_t, bluetooth_initrc_exec_t, bluetooth_var_lib_t, boinc_exec_t, boinc_initrc_exec_t, boinc_var_lib_t, boltd_exec_t, boot_t, bootloader_exec_t, bpf_t, brctl_exec_t, brltty_exec_t, bugzilla_script_exec_t, bumblebee_exec_t, cachefilesd_exec_t, calamaris_exec_t, callweaver_exec_t, callweaver_initrc_exec_t, canna_exec_t, 
canna_initrc_exec_t, capifs_t, cardctl_exec_t, cardmgr_exec_t, ccs_exec_t, ccs_initrc_exec_t, cdcc_exec_t, cdrecord_exec_t, certmaster_exec_t, certmaster_initrc_exec_t, certmonger_exec_t, certmonger_initrc_exec_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_execd_exec_t, cfengine_initrc_exec_t, cfengine_monitord_exec_t, cfengine_serverd_exec_t, cgclear_exec_t, cgconfig_exec_t, cgconfig_initrc_exec_t, cgred_exec_t, cgred_initrc_exec_t, cgroup_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, chronyd_exec_t, chronyd_initrc_exec_t, chroot_exec_t, cifs_t, cinder_api_exec_t, cinder_backup_exec_t, cinder_scheduler_exec_t, cinder_volume_exec_t, ciped_exec_t, ciped_initrc_exec_t, clogd_exec_t, cloud_init_exec_t, cluster_exec_t, cluster_initrc_exec_t, clvmd_exec_t, clvmd_initrc_exec_t, cmirrord_exec_t, cmirrord_initrc_exec_t, cobblerd_exec_t, cobblerd_initrc_exec_t, cockpit_session_exec_t, cockpit_ws_exec_t, collectd_exec_t, collectd_initrc_exec_t, collectd_script_exec_t, colord_exec_t, comsat_exec_t, condor_collector_exec_t, condor_initrc_exec_t, condor_master_exec_t, condor_negotiator_exec_t, condor_procd_exec_t, condor_schedd_exec_t, condor_startd_exec_t, conman_exec_t, conman_unconfined_script_exec_t, conntrackd_exec_t, conntrackd_initrc_exec_t, consolehelper_exec_t, consolekit_exec_t, container_auth_exec_t, container_file_t, container_ro_file_t, container_runtime_exec_t, container_var_lib_t, couchdb_exec_t, couchdb_initrc_exec_t, courier_authdaemon_exec_t, courier_exec_t, courier_pcp_exec_t, courier_pop_exec_t, courier_sqwebmail_exec_t, courier_tcpd_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuplug_exec_t, cpuplug_initrc_exec_t, cpuspeed_exec_t, crack_exec_t, crond_exec_t, crond_initrc_exec_t, crontab_exec_t, ctdbd_exec_t, ctdbd_initrc_exec_t, cups_pdf_exec_t, cupsd_config_exec_t, cupsd_exec_t, cupsd_initrc_exec_t, cupsd_lpd_exec_t, cvs_exec_t, cvs_initrc_exec_t, 
cvs_script_exec_t, cyphesis_exec_t, cyphesis_initrc_exec_t, cyrus_exec_t, cyrus_initrc_exec_t, dbskkd_exec_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, dccd_exec_t, dccifd_exec_t, dccm_exec_t, dcerpcd_exec_t, ddclient_exec_t, ddclient_initrc_exec_t, debugfs_t, debuginfo_exec_t, default_t, deltacloudd_exec_t, denyhosts_exec_t, denyhosts_initrc_exec_t, device_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devpts_t, dhcpc_exec_t, dhcpc_helper_exec_t, dhcpd_exec_t, dhcpd_initrc_exec_t, dictd_exec_t, dictd_initrc_exec_t, dirsrv_exec_t, dirsrv_snmp_exec_t, dirsrvadmin_exec_t, dirsrvadmin_script_exec_t, dirsrvadmin_unconfined_script_exec_t, disk_munin_plugin_exec_t, dkim_milter_exec_t, dlm_controld_exec_t, dlm_controld_initrc_exec_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_exec_t, dnsmasq_initrc_exec_t, dnssec_t, dnssec_trigger_exec_t, dosfs_t, dovecot_auth_exec_t, dovecot_deliver_exec_t, dovecot_exec_t, dovecot_initrc_exec_t, drbd_exec_t, drbd_initrc_exec_t, dspam_exec_t, dspam_initrc_exec_t, dspam_script_exec_t, ecryptfs_t, efivarfs_t, entropyd_exec_t, entropyd_initrc_exec_t, eventlogd_exec_t, evtchnd_exec_t, exim_exec_t, exim_initrc_exec_t, fail2ban_client_exec_t, fail2ban_exec_t, fail2ban_initrc_exec_t, fcoemon_exec_t, fcoemon_initrc_exec_t, fenced_exec_t, fetchmail_exec_t, fetchmail_initrc_exec_t, fingerd_exec_t, firewalld_exec_t, firewalld_initrc_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, foghorn_exec_t, foghorn_initrc_exec_t, fprintd_exec_t, freeipmi_bmc_watchdog_exec_t, freeipmi_ipmidetectd_exec_t, freeipmi_ipmiseld_exec_t, freqset_exec_t, fsadm_exec_t, fsdaemon_exec_t, fsdaemon_initrc_exec_t, ftpd_exec_t, ftpd_initrc_exec_t, ftpdctl_exec_t, fusefs_t, fusermount_exec_t, fwupd_exec_t, fwupd_var_lib_t, games_exec_t, gconfd_exec_t, gconfdefaultsm_exec_t, gdomap_exec_t, gdomap_initrc_exec_t, geoclue_exec_t, getty_exec_t, gfs_controld_exec_t, git_script_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, 
glance_api_exec_t, glance_api_initrc_exec_t, glance_registry_exec_t, glance_registry_initrc_exec_t, glance_scrubber_exec_t, glance_scrubber_initrc_exec_t, glusterd_exec_t, glusterd_initrc_exec_t, gnome_atspi_exec_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpm_exec_t, gpm_initrc_exec_t, gpsd_exec_t, gpsd_initrc_exec_t, greylist_milter_exec_t, groupadd_exec_t, groupd_exec_t, gssd_exec_t, gssproxy_exec_t, haproxy_exec_t, hddtemp_exec_t, hddtemp_initrc_exec_t, home_root_t, hostapd_exec_t, hostname_exec_t, hsqldb_exec_t, httpd_exec_t, httpd_helper_exec_t, httpd_initrc_exec_t, httpd_passwd_exec_t, httpd_php_exec_t, httpd_rotatelogs_exec_t, httpd_suexec_exec_t, httpd_sys_content_t, httpd_sys_script_exec_t, httpd_unconfined_script_exec_t, httpd_user_script_exec_t, httpd_var_run_t, hugetlbfs_t, hwclock_exec_t, hwloc_dhwd_exec_t, hypervkvp_exec_t, hypervkvp_initrc_exec_t, hypervvssd_exec_t, ibacm_exec_t, iceauth_exec_t, icecast_exec_t, icecast_initrc_exec_t, ifconfig_exec_t, ifconfig_var_run_t, inetd_child_exec_t, inetd_exec_t, init_exec_t, initrc_exec_t, initrc_tmp_t, innd_exec_t, innd_initrc_exec_t, install_exec_t, iodined_exec_t, iodined_initrc_exec_t, iotop_exec_t, ipa_custodia_dmldap_exec_t, ipa_custodia_exec_t, ipa_custodia_pki_tomcat_exec_t, ipa_custodia_ra_agent_exec_t, ipa_dnskey_exec_t, ipa_helper_exec_t, ipa_ods_exporter_exec_t, ipa_otpd_exec_t, ipmievd_exec_t, ipmievd_helper_exec_t, ipsec_exec_t, ipsec_initrc_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, iptables_initrc_exec_t, irc_exec_t, irqbalance_exec_t, irqbalance_initrc_exec_t, irssi_exec_t, iscsid_exec_t, isnsd_exec_t, isnsd_initrc_exec_t, iso9660_t, iwhd_exec_t, iwhd_initrc_exec_t, jabberd_exec_t, jabberd_initrc_exec_t, jabberd_router_exec_t, jetty_exec_t, jockey_exec_t, journalctl_exec_t, kadmind_exec_t, kdump_exec_t, kdump_initrc_exec_t, kdumpctl_exec_t, kdumpgui_exec_t, keepalived_exec_t, keepalived_unconfined_script_exec_t, kerberos_initrc_exec_t, keyboardd_exec_t, 
keystone_cgi_script_exec_t, keystone_exec_t, keystone_initrc_exec_t, kismet_exec_t, kismet_initrc_exec_t, klogd_exec_t, kmod_exec_t, kmscon_exec_t, kpatch_exec_t, kpropd_exec_t, krb5kdc_exec_t, ksmtuned_exec_t, ksmtuned_initrc_exec_t, ktalkd_exec_t, l2tpd_exec_t, l2tpd_initrc_exec_t, ldconfig_exec_t, likewise_initrc_exec_t, lircd_exec_t, lircd_initrc_exec_t, livecd_exec_t, lldpad_exec_t, lldpad_initrc_exec_t, load_policy_exec_t, loadkeys_exec_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_exec_t, logwatch_exec_t, lpd_exec_t, lpr_exec_t, lsassd_exec_t, lsmd_exec_t, lsmd_plugin_exec_t, lttng_sessiond_exec_t, lvm_exec_t, lwiod_exec_t, lwregd_exec_t, lwsmd_exec_t, mail_munin_plugin_exec_t, mail_spool_t, mailman_cgi_exec_t, mailman_mail_exec_t, mailman_queue_exec_t, man2html_script_exec_t, mandb_exec_t, mcelog_exec_t, mcelog_initrc_exec_t, mdadm_exec_t, mdadm_initrc_exec_t, mediawiki_script_exec_t, memcached_exec_t, memcached_initrc_exec_t, mencoder_exec_t, minidlna_exec_t, minidlna_initrc_exec_t, minissdpd_exec_t, minissdpd_initrc_exec_t, mip6d_exec_t, mirrormanager_exec_t, mnt_t, mock_build_exec_t, mock_exec_t, mock_tmp_t, mock_var_lib_t, modemmanager_exec_t, mojomojo_script_exec_t, mon_procd_exec_t, mon_statd_exec_t, mon_statd_initrc_exec_t, mongod_exec_t, mongod_initrc_exec_t, motion_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mpd_exec_t, mpd_initrc_exec_t, mplayer_exec_t, mqueue_spool_t, mrtg_exec_t, mrtg_initrc_exec_t, mscan_exec_t, mscan_initrc_exec_t, mtrr_device_t, munin_exec_t, munin_initrc_exec_t, munin_script_exec_t, mysqld_exec_t, mysqld_initrc_exec_t, mysqld_safe_exec_t, mysqlmanagerd_exec_t, mysqlmanagerd_initrc_exec_t, mythtv_script_exec_t, naemon_exec_t, naemon_initrc_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_exec_t, nagios_initrc_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, 
nagios_script_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_conf_t, named_exec_t, named_initrc_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netlogond_exec_t, netutils_exec_t, neutron_exec_t, neutron_initrc_exec_t, newrole_exec_t, news_spool_t, nfs_t, nfsd_exec_t, nfsd_fs_t, nfsd_initrc_exec_t, ninfod_exec_t, nis_initrc_exec_t, nmbd_exec_t, nova_exec_t, nrpe_exec_t, nscd_exec_t, nscd_initrc_exec_t, nsd_exec_t, nslcd_exec_t, nslcd_initrc_exec_t, ntop_exec_t, ntop_initrc_exec_t, ntpd_exec_t, ntpd_initrc_exec_t, ntpdate_exec_t, numad_exec_t, nut_upsd_exec_t, nut_upsdrvctl_exec_t, nut_upsmon_exec_t, nutups_cgi_script_exec_t, nx_server_exec_t, obex_exec_t, oddjob_exec_t, oddjob_mkhomedir_exec_t, onload_fs_t, opafm_exec_t, openct_exec_t, openct_initrc_exec_t, opendnssec_exec_t, openfortivpn_exec_t, openhpid_exec_t, openhpid_initrc_exec_t, openshift_app_tmp_t, openshift_cgroup_read_exec_t, openshift_cron_exec_t, openshift_initrc_exec_t, openshift_net_read_exec_t, openshift_script_exec_t, openshift_tmp_t, openshift_var_lib_t, opensm_exec_t, openvpn_exec_t, openvpn_initrc_exec_t, openvpn_unconfined_script_exec_t, openvswitch_exec_t, openwsman_exec_t, oracleasm_exec_t, oracleasm_initrc_exec_t, oracleasmfs_t, osad_exec_t, osad_initrc_exec_t, osbuild_exec_t, pads_exec_t, pads_initrc_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passenger_exec_t, passwd_exec_t, pcp_plugin_exec_t, pcp_plugin_initrc_exec_t, pcp_pmcd_exec_t, pcp_pmcd_initrc_exec_t, pcp_pmie_exec_t, pcp_pmie_initrc_exec_t, pcp_pmlogger_exec_t, pcp_pmlogger_initrc_exec_t, pcp_pmproxy_exec_t, pcp_pmproxy_initrc_exec_t, pcscd_exec_t, pcscd_initrc_exec_t, pdns_control_exec_t, pdns_exec_t, pegasus_exec_t, pegasus_openlmi_account_exec_t, pegasus_openlmi_admin_exec_t, pegasus_openlmi_logicalfile_exec_t, pegasus_openlmi_services_exec_t, pegasus_openlmi_storage_exec_t, pegasus_openlmi_system_exec_t, 
pegasus_openlmi_unconfined_exec_t, pesign_exec_t, phc2sys_exec_t, pinentry_exec_t, ping_exec_t, pingd_exec_t, pingd_initrc_exec_t, piranha_fos_exec_t, piranha_lvs_exec_t, piranha_pulse_exec_t, piranha_pulse_initrc_exec_t, piranha_web_exec_t, pkcs11proxyd_exec_t, pkcs_slotd_exec_t, pkcs_slotd_initrc_exec_t, pki_ra_exec_t, pki_ra_script_exec_t, pki_tomcat_exec_t, pki_tps_exec_t, pki_tps_script_exec_t, plymouth_exec_t, plymouthd_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, polipo_initrc_exec_t, portmap_exec_t, portmap_helper_exec_t, portmap_initrc_exec_t, portreserve_exec_t, portreserve_initrc_exec_t, postfix_bounce_exec_t, postfix_cleanup_exec_t, postfix_exec_t, postfix_initrc_exec_t, postfix_local_exec_t, postfix_map_exec_t, postfix_master_exec_t, postfix_pickup_exec_t, postfix_pipe_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_exec_t, postfix_showq_exec_t, postfix_smtp_exec_t, postfix_smtpd_exec_t, postfix_virtual_exec_t, postgresql_exec_t, postgresql_initrc_exec_t, postgrey_exec_t, postgrey_initrc_exec_t, pppd_exec_t, pppd_initrc_exec_t, pptp_exec_t, prelink_cron_system_exec_t, prelink_exec_t, prelude_audisp_exec_t, prelude_correlator_exec_t, prelude_exec_t, prelude_initrc_exec_t, prelude_lml_exec_t, preupgrade_exec_t, prewikka_script_exec_t, privoxy_exec_t, privoxy_initrc_exec_t, proc_t, proc_xen_t, procmail_exec_t, prosody_exec_t, psad_exec_t, psad_initrc_exec_t, pstore_t, ptal_exec_t, ptchown_exec_t, ptp4l_exec_t, public_content_rw_t, public_content_t, publicfile_exec_t, pulseaudio_exec_t, puppetagent_exec_t, puppetagent_initrc_exec_t, puppetca_exec_t, puppetmaster_exec_t, puppetmaster_initrc_exec_t, pwauth_exec_t, pyicqt_exec_t, qdiskd_exec_t, qemu_dm_exec_t, qemu_exec_t, qmail_clean_exec_t, qmail_inject_exec_t, qmail_local_exec_t, qmail_lspawn_exec_t, qmail_queue_exec_t, qmail_remote_exec_t, qmail_rspawn_exec_t, 
qmail_send_exec_t, qmail_smtpd_exec_t, qmail_splogger_exec_t, qmail_start_exec_t, qmail_tcp_env_exec_t, qpidd_exec_t, qpidd_initrc_exec_t, quota_exec_t, quota_nld_exec_t, rabbitmq_exec_t, rabbitmq_initrc_exec_t, racoon_exec_t, radiusd_exec_t, radiusd_initrc_exec_t, radvd_exec_t, radvd_initrc_exec_t, ramfs_t, random_seed_t, rasdaemon_exec_t, rdisc_exec_t, readahead_exec_t, realmd_exec_t, redis_exec_t, redis_initrc_exec_t, regex_milter_exec_t, removable_t, restorecond_exec_t, rhev_agentd_exec_t, rhgb_exec_t, rhnsd_exec_t, rhnsd_initrc_exec_t, rhsmcertd_exec_t, rhsmcertd_initrc_exec_t, ricci_exec_t, ricci_initrc_exec_t, ricci_modcluster_exec_t, ricci_modclusterd_exec_t, ricci_modlog_exec_t, ricci_modrpm_exec_t, ricci_modservice_exec_t, ricci_modstorage_exec_t, rkt_exec_t, rlogind_exec_t, rngd_exec_t, rngd_initrc_exec_t, rolekit_exec_t, root_t, roundup_exec_t, roundup_initrc_exec_t, rpc_pipefs_t, rpcbind_exec_t, rpcbind_initrc_exec_t, rpcd_exec_t, rpcd_initrc_exec_t, rpm_exec_t, rpm_script_exec_t, rpmdb_exec_t, rrdcached_exec_t, rshd_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtas_errd_exec_t, rtkit_daemon_exec_t, rtkit_daemon_initrc_exec_t, run_init_exec_t, rwho_exec_t, rwho_initrc_exec_t, samba_initrc_exec_t, samba_net_exec_t, samba_unconfined_script_exec_t, sambagui_exec_t, sandbox_exec_t, sanlk_resetd_exec_t, sanlock_exec_t, sanlock_initrc_exec_t, saslauthd_exec_t, saslauthd_initrc_exec_t, sbd_exec_t, sblim_gatherd_exec_t, sblim_initrc_exec_t, sblim_reposd_exec_t, sblim_sfcbd_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, sendmail_initrc_exec_t, sensord_exec_t, sensord_initrc_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setrans_exec_t, setrans_initrc_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_execd_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, shorewall_exec_t, shorewall_initrc_exec_t, 
shorewall_var_lib_t, showmount_exec_t, slapd_exec_t, slapd_initrc_exec_t, slpd_exec_t, slpd_initrc_exec_t, smbcontrol_exec_t, smbd_exec_t, smbmount_exec_t, smokeping_cgi_script_exec_t, smokeping_exec_t, smokeping_initrc_exec_t, smoltclient_exec_t, smsd_exec_t, smsd_initrc_exec_t, snapperd_exec_t, snmpd_exec_t, snmpd_initrc_exec_t, snort_exec_t, snort_initrc_exec_t, sosreport_exec_t, soundd_exec_t, soundd_initrc_exec_t, spamass_milter_exec_t, spamc_exec_t, spamd_exec_t, spamd_initrc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, spufs_t, squid_cron_exec_t, squid_exec_t, squid_initrc_exec_t, squid_script_exec_t, src_t, srvsvcd_exec_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sshd_exec_t, sshd_initrc_exec_t, sshd_keygen_exec_t, sslh_exec_t, sslh_initrc_exec_t, sssd_exec_t, sssd_initrc_exec_t, sssd_selinux_manager_exec_t, stapserver_exec_t, stratisd_exec_t, stunnel_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svnserve_exec_t, svnserve_initrc_exec_t, swat_exec_t, swift_exec_t, swtpm_exec_t, sysctl_fs_t, sysctl_t, sysfs_t, syslogd_exec_t, syslogd_initrc_exec_t, sysstat_exec_t, sysstat_initrc_exec_t, system_munin_plugin_exec_t, systemd_bootchart_exec_t, systemd_coredump_exec_t, systemd_gpt_generator_exec_t, systemd_hostnamed_exec_t, systemd_hwdb_exec_t, systemd_importd_exec_t, systemd_initctl_exec_t, systemd_journal_upload_exec_t, systemd_localed_exec_t, systemd_logger_exec_t, systemd_logind_exec_t, systemd_machined_exec_t, systemd_modules_load_exec_t, systemd_networkd_exec_t, systemd_networkd_var_run_t, systemd_notify_exec_t, systemd_passwd_agent_exec_t, systemd_resolved_exec_t, systemd_resolved_var_run_t, systemd_rfkill_exec_t, systemd_sleep_exec_t, systemd_sysctl_exec_t, systemd_systemctl_exec_t, systemd_timedated_exec_t, systemd_tmpfiles_exec_t, systemd_userdbd_exec_t, sysv_t, tangd_exec_t, targetd_exec_t, tcpd_exec_t, tcsd_exec_t, tcsd_initrc_exec_t, telepathy_gabble_exec_t, 
telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, telnetd_exec_t, tftpd_exec_t, tgtd_exec_t, tgtd_initrc_exec_t, thin_aeolus_configserver_exec_t, thin_exec_t, thumb_exec_t, timedatex_exec_t, timemaster_exec_t, tlp_exec_t, tmp_t, tmpfs_t, tmpreaper_exec_t, tomcat_exec_t, tor_exec_t, tor_initrc_exec_t, tor_var_lib_t, tor_var_log_t, tor_var_run_t, tracefs_t, traceroute_exec_t, tuned_exec_t, tuned_initrc_exec_t, tvtime_exec_t, udev_exec_t, udev_helper_exec_t, ulogd_exec_t, ulogd_initrc_exec_t, uml_exec_t, uml_switch_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbfs_t, usbmodules_exec_t, usbmuxd_exec_t, user_home_dir_t, user_home_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_exec_t, uucpd_initrc_exec_t, uuidd_exec_t, uuidd_initrc_exec_t, uux_exec_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, varnishd_exec_t, varnishd_initrc_exec_t, varnishlog_exec_t, varnishlog_initrc_exec_t, vdagent_exec_t, vdagentd_initrc_exec_t, vhostmd_exec_t, vhostmd_initrc_exec_t, virsh_exec_t, virt_bridgehelper_exec_t, virt_image_t, virt_qemu_ga_exec_t, virt_qemu_ga_unconfined_exec_t, virt_var_lib_t, virtd_exec_t, virtd_initrc_exec_t, virtd_lxc_exec_t, virtiofs_t, virtlogd_exec_t, virtlogd_initrc_exec_t, vlock_exec_t, vmblock_t, vmtools_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vmware_host_exec_t, vnc_session_exec_t, vnstat_exec_t, vnstatd_exec_t, vnstatd_initrc_exec_t, vnstatd_var_lib_t, vpnc_exec_t, w3c_validator_script_exec_t, watchdog_exec_t, watchdog_initrc_exec_t, watchdog_unconfined_exec_t, wdmd_exec_t, wdmd_initrc_exec_t, webalizer_exec_t, webalizer_script_exec_t, winbind_exec_t, winbind_helper_exec_t, wine_exec_t, wireshark_exec_t, wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, 
xdm_unconfined_exec_t, xenconsoled_exec_t, xend_exec_t, xend_var_lib_t, xend_var_run_t, xenfs_t, xenstored_exec_t, xenstored_var_lib_t, xserver_exec_t, xsession_exec_t, ypbind_exec_t, ypbind_initrc_exec_t, yppasswdd_exec_t, ypserv_exec_t, ypxfr_exec_t, zabbix_agent_exec_t, zabbix_agent_initrc_exec_t, zabbix_exec_t, zabbix_initrc_exec_t, zabbix_script_exec_t, zarafa_deliver_exec_t, zarafa_gateway_exec_t, zarafa_ical_exec_t, zarafa_indexer_exec_t, zarafa_monitor_exec_t, zarafa_server_exec_t, zarafa_spooler_exec_t, zebra_exec_t, zebra_initrc_exec_t, zoneminder_exec_t, zoneminder_initrc_exec_t, zoneminder_script_exec_t, zos_remote_exec_t.
                                                            Then execute:
                                                            restorecon -v '/bin/busybox'

                                                            *****  Plugin catchall (1.03 confidence) suggests   **************************

                                                            If you believe that runc:[2:INIT] should be allowed entrypoint access on the busybox file by default.
                                                            Then you should report this as a bug.
                                                            You can generate a local policy module to allow this access.
                                                            Do
                                                            allow this access for now by executing:
                                                            # ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
                                                            # semodule -X 300 -i my-runc2INIT.pp

sealert output:

# sealert -l 440df748-3a56-495b-b17d-037cc6fabc88
SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox.

*****  Plugin restorecon (68.9 confidence) suggests   ************************

If you want to fix the label. 
/bin/busybox default label should be bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /bin/busybox

*****  Plugin file (21.0 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (21.0 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (3.92 confidence) suggests   *******************

If you want to allow runc:[2:INIT] to have entrypoint access on the busybox file
Then you need to change the label on /bin/busybox
Do
# semanage fcontext -a -t FILE_TYPE '/bin/busybox'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_initrc_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_initrc_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_upload_watch_exec_t, abrt_watch_log_exec_t, accountsd_exec_t, acct_exec_t, acct_initrc_exec_t, admin_home_t, admin_passwd_exec_t, afs_bosserver_exec_t, afs_exec_t, afs_fsserver_exec_t, afs_initrc_exec_t, afs_kaserver_exec_t, afs_ptserver_exec_t, afs_vlserver_exec_t, aiccu_exec_t, aiccu_initrc_exec_t, aide_exec_t, ajaxterm_exec_t, ajaxterm_initrc_exec_t, alsa_exec_t, amanda_exec_t, amanda_inetd_exec_t, amanda_recover_exec_t, amtu_exec_t, amtu_initrc_exec_t, anaconda_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_exec_t, antivirus_initrc_exec_t, apcupsd_cgi_script_exec_t, apcupsd_exec_t, apcupsd_initrc_exec_t, apm_exec_t, apmd_exec_t, apmd_initrc_exec_t, arpwatch_exec_t, arpwatch_initrc_exec_t, asterisk_exec_t, asterisk_initrc_exec_t, audisp_exec_t, audisp_remote_exec_t, audit_spool_t, auditctl_exec_t, auditd_exec_t, auditd_initrc_exec_t, auditd_log_t, authconfig_exec_t, autofs_t, automount_exec_t, automount_initrc_exec_t, automount_tmp_t, avahi_exec_t, avahi_initrc_exec_t, awstats_exec_t, awstats_script_exec_t, bacula_admin_exec_t, bacula_exec_t, bacula_initrc_exec_t, bacula_store_t, bacula_unconfined_script_exec_t, bcfg2_exec_t, bcfg2_initrc_exec_t, bin_t, binfmt_misc_fs_t, bitlbee_exec_t, bitlbee_initrc_exec_t, blkmapd_exec_t, blkmapd_initrc_exec_t, blktap_exec_t, blueman_exec_t, bluetooth_exec_t, bluetooth_helper_exec_t, bluetooth_initrc_exec_t, bluetooth_var_lib_t, boinc_exec_t, boinc_initrc_exec_t, boinc_var_lib_t, boltd_exec_t, boot_t, bootloader_exec_t, bpf_t, brctl_exec_t, brltty_exec_t, bugzilla_script_exec_t, bumblebee_exec_t, cachefilesd_exec_t, calamaris_exec_t, callweaver_exec_t, callweaver_initrc_exec_t, canna_exec_t, canna_initrc_exec_t, capifs_t, cardctl_exec_t, cardmgr_exec_t, ccs_exec_t, 
ccs_initrc_exec_t, cdcc_exec_t, cdrecord_exec_t, certmaster_exec_t, certmaster_initrc_exec_t, certmonger_exec_t, certmonger_initrc_exec_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_execd_exec_t, cfengine_initrc_exec_t, cfengine_monitord_exec_t, cfengine_serverd_exec_t, cgclear_exec_t, cgconfig_exec_t, cgconfig_initrc_exec_t, cgred_exec_t, cgred_initrc_exec_t, cgroup_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, chronyd_exec_t, chronyd_initrc_exec_t, chroot_exec_t, cifs_t, cinder_api_exec_t, cinder_backup_exec_t, cinder_scheduler_exec_t, cinder_volume_exec_t, ciped_exec_t, ciped_initrc_exec_t, clogd_exec_t, cloud_init_exec_t, cluster_exec_t, cluster_initrc_exec_t, clvmd_exec_t, clvmd_initrc_exec_t, cmirrord_exec_t, cmirrord_initrc_exec_t, cobblerd_exec_t, cobblerd_initrc_exec_t, cockpit_session_exec_t, cockpit_ws_exec_t, collectd_exec_t, collectd_initrc_exec_t, collectd_script_exec_t, colord_exec_t, comsat_exec_t, condor_collector_exec_t, condor_initrc_exec_t, condor_master_exec_t, condor_negotiator_exec_t, condor_procd_exec_t, condor_schedd_exec_t, condor_startd_exec_t, conman_exec_t, conman_unconfined_script_exec_t, conntrackd_exec_t, conntrackd_initrc_exec_t, consolehelper_exec_t, consolekit_exec_t, container_auth_exec_t, container_file_t, container_ro_file_t, container_runtime_exec_t, container_var_lib_t, couchdb_exec_t, couchdb_initrc_exec_t, courier_authdaemon_exec_t, courier_exec_t, courier_pcp_exec_t, courier_pop_exec_t, courier_sqwebmail_exec_t, courier_tcpd_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuplug_exec_t, cpuplug_initrc_exec_t, cpuspeed_exec_t, crack_exec_t, crond_exec_t, crond_initrc_exec_t, crontab_exec_t, ctdbd_exec_t, ctdbd_initrc_exec_t, cups_pdf_exec_t, cupsd_config_exec_t, cupsd_exec_t, cupsd_initrc_exec_t, cupsd_lpd_exec_t, cvs_exec_t, cvs_initrc_exec_t, cvs_script_exec_t, cyphesis_exec_t, cyphesis_initrc_exec_t, cyrus_exec_t, 
cyrus_initrc_exec_t, dbskkd_exec_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, dccd_exec_t, dccifd_exec_t, dccm_exec_t, dcerpcd_exec_t, ddclient_exec_t, ddclient_initrc_exec_t, debugfs_t, debuginfo_exec_t, default_t, deltacloudd_exec_t, denyhosts_exec_t, denyhosts_initrc_exec_t, device_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devpts_t, dhcpc_exec_t, dhcpc_helper_exec_t, dhcpd_exec_t, dhcpd_initrc_exec_t, dictd_exec_t, dictd_initrc_exec_t, dirsrv_exec_t, dirsrv_snmp_exec_t, dirsrvadmin_exec_t, dirsrvadmin_script_exec_t, dirsrvadmin_unconfined_script_exec_t, disk_munin_plugin_exec_t, dkim_milter_exec_t, dlm_controld_exec_t, dlm_controld_initrc_exec_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_exec_t, dnsmasq_initrc_exec_t, dnssec_t, dnssec_trigger_exec_t, dosfs_t, dovecot_auth_exec_t, dovecot_deliver_exec_t, dovecot_exec_t, dovecot_initrc_exec_t, drbd_exec_t, drbd_initrc_exec_t, dspam_exec_t, dspam_initrc_exec_t, dspam_script_exec_t, ecryptfs_t, efivarfs_t, entropyd_exec_t, entropyd_initrc_exec_t, eventlogd_exec_t, evtchnd_exec_t, exim_exec_t, exim_initrc_exec_t, fail2ban_client_exec_t, fail2ban_exec_t, fail2ban_initrc_exec_t, fcoemon_exec_t, fcoemon_initrc_exec_t, fenced_exec_t, fetchmail_exec_t, fetchmail_initrc_exec_t, fingerd_exec_t, firewalld_exec_t, firewalld_initrc_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, foghorn_exec_t, foghorn_initrc_exec_t, fprintd_exec_t, freeipmi_bmc_watchdog_exec_t, freeipmi_ipmidetectd_exec_t, freeipmi_ipmiseld_exec_t, freqset_exec_t, fsadm_exec_t, fsdaemon_exec_t, fsdaemon_initrc_exec_t, ftpd_exec_t, ftpd_initrc_exec_t, ftpdctl_exec_t, fusefs_t, fusermount_exec_t, fwupd_exec_t, fwupd_var_lib_t, games_exec_t, gconfd_exec_t, gconfdefaultsm_exec_t, gdomap_exec_t, gdomap_initrc_exec_t, geoclue_exec_t, getty_exec_t, gfs_controld_exec_t, git_script_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, glance_api_exec_t, glance_api_initrc_exec_t, glance_registry_exec_t, 
glance_registry_initrc_exec_t, glance_scrubber_exec_t, glance_scrubber_initrc_exec_t, glusterd_exec_t, glusterd_initrc_exec_t, gnome_atspi_exec_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpm_exec_t, gpm_initrc_exec_t, gpsd_exec_t, gpsd_initrc_exec_t, greylist_milter_exec_t, groupadd_exec_t, groupd_exec_t, gssd_exec_t, gssproxy_exec_t, haproxy_exec_t, hddtemp_exec_t, hddtemp_initrc_exec_t, home_root_t, hostapd_exec_t, hostname_exec_t, hsqldb_exec_t, httpd_exec_t, httpd_helper_exec_t, httpd_initrc_exec_t, httpd_passwd_exec_t, httpd_php_exec_t, httpd_rotatelogs_exec_t, httpd_suexec_exec_t, httpd_sys_content_t, httpd_sys_script_exec_t, httpd_unconfined_script_exec_t, httpd_user_script_exec_t, httpd_var_run_t, hugetlbfs_t, hwclock_exec_t, hwloc_dhwd_exec_t, hypervkvp_exec_t, hypervkvp_initrc_exec_t, hypervvssd_exec_t, ibacm_exec_t, iceauth_exec_t, icecast_exec_t, icecast_initrc_exec_t, ifconfig_exec_t, ifconfig_var_run_t, inetd_child_exec_t, inetd_exec_t, init_exec_t, initrc_exec_t, initrc_tmp_t, innd_exec_t, innd_initrc_exec_t, install_exec_t, iodined_exec_t, iodined_initrc_exec_t, iotop_exec_t, ipa_custodia_dmldap_exec_t, ipa_custodia_exec_t, ipa_custodia_pki_tomcat_exec_t, ipa_custodia_ra_agent_exec_t, ipa_dnskey_exec_t, ipa_helper_exec_t, ipa_ods_exporter_exec_t, ipa_otpd_exec_t, ipmievd_exec_t, ipmievd_helper_exec_t, ipsec_exec_t, ipsec_initrc_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, iptables_initrc_exec_t, irc_exec_t, irqbalance_exec_t, irqbalance_initrc_exec_t, irssi_exec_t, iscsid_exec_t, isnsd_exec_t, isnsd_initrc_exec_t, iso9660_t, iwhd_exec_t, iwhd_initrc_exec_t, jabberd_exec_t, jabberd_initrc_exec_t, jabberd_router_exec_t, jetty_exec_t, jockey_exec_t, journalctl_exec_t, kadmind_exec_t, kdump_exec_t, kdump_initrc_exec_t, kdumpctl_exec_t, kdumpgui_exec_t, keepalived_exec_t, keepalived_unconfined_script_exec_t, kerberos_initrc_exec_t, keyboardd_exec_t, keystone_cgi_script_exec_t, keystone_exec_t, keystone_initrc_exec_t, 
kismet_exec_t, kismet_initrc_exec_t, klogd_exec_t, kmod_exec_t, kmscon_exec_t, kpatch_exec_t, kpropd_exec_t, krb5kdc_exec_t, ksmtuned_exec_t, ksmtuned_initrc_exec_t, ktalkd_exec_t, l2tpd_exec_t, l2tpd_initrc_exec_t, ldconfig_exec_t, likewise_initrc_exec_t, lircd_exec_t, lircd_initrc_exec_t, livecd_exec_t, lldpad_exec_t, lldpad_initrc_exec_t, load_policy_exec_t, loadkeys_exec_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_exec_t, logwatch_exec_t, lpd_exec_t, lpr_exec_t, lsassd_exec_t, lsmd_exec_t, lsmd_plugin_exec_t, lttng_sessiond_exec_t, lvm_exec_t, lwiod_exec_t, lwregd_exec_t, lwsmd_exec_t, mail_munin_plugin_exec_t, mail_spool_t, mailman_cgi_exec_t, mailman_mail_exec_t, mailman_queue_exec_t, man2html_script_exec_t, mandb_exec_t, mcelog_exec_t, mcelog_initrc_exec_t, mdadm_exec_t, mdadm_initrc_exec_t, mediawiki_script_exec_t, memcached_exec_t, memcached_initrc_exec_t, mencoder_exec_t, minidlna_exec_t, minidlna_initrc_exec_t, minissdpd_exec_t, minissdpd_initrc_exec_t, mip6d_exec_t, mirrormanager_exec_t, mnt_t, mock_build_exec_t, mock_exec_t, mock_tmp_t, mock_var_lib_t, modemmanager_exec_t, mojomojo_script_exec_t, mon_procd_exec_t, mon_statd_exec_t, mon_statd_initrc_exec_t, mongod_exec_t, mongod_initrc_exec_t, motion_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mpd_exec_t, mpd_initrc_exec_t, mplayer_exec_t, mqueue_spool_t, mrtg_exec_t, mrtg_initrc_exec_t, mscan_exec_t, mscan_initrc_exec_t, mtrr_device_t, munin_exec_t, munin_initrc_exec_t, munin_script_exec_t, mysqld_exec_t, mysqld_initrc_exec_t, mysqld_safe_exec_t, mysqlmanagerd_exec_t, mysqlmanagerd_initrc_exec_t, mythtv_script_exec_t, naemon_exec_t, naemon_initrc_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_exec_t, nagios_initrc_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_script_exec_t, nagios_services_plugin_exec_t, 
nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_conf_t, named_exec_t, named_initrc_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netlogond_exec_t, netutils_exec_t, neutron_exec_t, neutron_initrc_exec_t, newrole_exec_t, news_spool_t, nfs_t, nfsd_exec_t, nfsd_fs_t, nfsd_initrc_exec_t, ninfod_exec_t, nis_initrc_exec_t, nmbd_exec_t, nova_exec_t, nrpe_exec_t, nscd_exec_t, nscd_initrc_exec_t, nsd_exec_t, nslcd_exec_t, nslcd_initrc_exec_t, ntop_exec_t, ntop_initrc_exec_t, ntpd_exec_t, ntpd_initrc_exec_t, ntpdate_exec_t, numad_exec_t, nut_upsd_exec_t, nut_upsdrvctl_exec_t, nut_upsmon_exec_t, nutups_cgi_script_exec_t, nx_server_exec_t, obex_exec_t, oddjob_exec_t, oddjob_mkhomedir_exec_t, onload_fs_t, opafm_exec_t, openct_exec_t, openct_initrc_exec_t, opendnssec_exec_t, openfortivpn_exec_t, openhpid_exec_t, openhpid_initrc_exec_t, openshift_app_tmp_t, openshift_cgroup_read_exec_t, openshift_cron_exec_t, openshift_initrc_exec_t, openshift_net_read_exec_t, openshift_script_exec_t, openshift_tmp_t, openshift_var_lib_t, opensm_exec_t, openvpn_exec_t, openvpn_initrc_exec_t, openvpn_unconfined_script_exec_t, openvswitch_exec_t, openwsman_exec_t, oracleasm_exec_t, oracleasm_initrc_exec_t, oracleasmfs_t, osad_exec_t, osad_initrc_exec_t, osbuild_exec_t, pads_exec_t, pads_initrc_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passenger_exec_t, passwd_exec_t, pcp_plugin_exec_t, pcp_plugin_initrc_exec_t, pcp_pmcd_exec_t, pcp_pmcd_initrc_exec_t, pcp_pmie_exec_t, pcp_pmie_initrc_exec_t, pcp_pmlogger_exec_t, pcp_pmlogger_initrc_exec_t, pcp_pmproxy_exec_t, pcp_pmproxy_initrc_exec_t, pcscd_exec_t, pcscd_initrc_exec_t, pdns_control_exec_t, pdns_exec_t, pegasus_exec_t, pegasus_openlmi_account_exec_t, pegasus_openlmi_admin_exec_t, pegasus_openlmi_logicalfile_exec_t, pegasus_openlmi_services_exec_t, pegasus_openlmi_storage_exec_t, pegasus_openlmi_system_exec_t, pegasus_openlmi_unconfined_exec_t, pesign_exec_t, 
phc2sys_exec_t, pinentry_exec_t, ping_exec_t, pingd_exec_t, pingd_initrc_exec_t, piranha_fos_exec_t, piranha_lvs_exec_t, piranha_pulse_exec_t, piranha_pulse_initrc_exec_t, piranha_web_exec_t, pkcs11proxyd_exec_t, pkcs_slotd_exec_t, pkcs_slotd_initrc_exec_t, pki_ra_exec_t, pki_ra_script_exec_t, pki_tomcat_exec_t, pki_tps_exec_t, pki_tps_script_exec_t, plymouth_exec_t, plymouthd_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, polipo_initrc_exec_t, portmap_exec_t, portmap_helper_exec_t, portmap_initrc_exec_t, portreserve_exec_t, portreserve_initrc_exec_t, postfix_bounce_exec_t, postfix_cleanup_exec_t, postfix_exec_t, postfix_initrc_exec_t, postfix_local_exec_t, postfix_map_exec_t, postfix_master_exec_t, postfix_pickup_exec_t, postfix_pipe_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_exec_t, postfix_showq_exec_t, postfix_smtp_exec_t, postfix_smtpd_exec_t, postfix_virtual_exec_t, postgresql_exec_t, postgresql_initrc_exec_t, postgrey_exec_t, postgrey_initrc_exec_t, pppd_exec_t, pppd_initrc_exec_t, pptp_exec_t, prelink_cron_system_exec_t, prelink_exec_t, prelude_audisp_exec_t, prelude_correlator_exec_t, prelude_exec_t, prelude_initrc_exec_t, prelude_lml_exec_t, preupgrade_exec_t, prewikka_script_exec_t, privoxy_exec_t, privoxy_initrc_exec_t, proc_t, proc_xen_t, procmail_exec_t, prosody_exec_t, psad_exec_t, psad_initrc_exec_t, pstore_t, ptal_exec_t, ptchown_exec_t, ptp4l_exec_t, public_content_rw_t, public_content_t, publicfile_exec_t, pulseaudio_exec_t, puppetagent_exec_t, puppetagent_initrc_exec_t, puppetca_exec_t, puppetmaster_exec_t, puppetmaster_initrc_exec_t, pwauth_exec_t, pyicqt_exec_t, qdiskd_exec_t, qemu_dm_exec_t, qemu_exec_t, qmail_clean_exec_t, qmail_inject_exec_t, qmail_local_exec_t, qmail_lspawn_exec_t, qmail_queue_exec_t, qmail_remote_exec_t, qmail_rspawn_exec_t, qmail_send_exec_t, qmail_smtpd_exec_t, qmail_splogger_exec_t, 
qmail_start_exec_t, qmail_tcp_env_exec_t, qpidd_exec_t, qpidd_initrc_exec_t, quota_exec_t, quota_nld_exec_t, rabbitmq_exec_t, rabbitmq_initrc_exec_t, racoon_exec_t, radiusd_exec_t, radiusd_initrc_exec_t, radvd_exec_t, radvd_initrc_exec_t, ramfs_t, random_seed_t, rasdaemon_exec_t, rdisc_exec_t, readahead_exec_t, realmd_exec_t, redis_exec_t, redis_initrc_exec_t, regex_milter_exec_t, removable_t, restorecond_exec_t, rhev_agentd_exec_t, rhgb_exec_t, rhnsd_exec_t, rhnsd_initrc_exec_t, rhsmcertd_exec_t, rhsmcertd_initrc_exec_t, ricci_exec_t, ricci_initrc_exec_t, ricci_modcluster_exec_t, ricci_modclusterd_exec_t, ricci_modlog_exec_t, ricci_modrpm_exec_t, ricci_modservice_exec_t, ricci_modstorage_exec_t, rkt_exec_t, rlogind_exec_t, rngd_exec_t, rngd_initrc_exec_t, rolekit_exec_t, root_t, roundup_exec_t, roundup_initrc_exec_t, rpc_pipefs_t, rpcbind_exec_t, rpcbind_initrc_exec_t, rpcd_exec_t, rpcd_initrc_exec_t, rpm_exec_t, rpm_script_exec_t, rpmdb_exec_t, rrdcached_exec_t, rshd_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtas_errd_exec_t, rtkit_daemon_exec_t, rtkit_daemon_initrc_exec_t, run_init_exec_t, rwho_exec_t, rwho_initrc_exec_t, samba_initrc_exec_t, samba_net_exec_t, samba_unconfined_script_exec_t, sambagui_exec_t, sandbox_exec_t, sanlk_resetd_exec_t, sanlock_exec_t, sanlock_initrc_exec_t, saslauthd_exec_t, saslauthd_initrc_exec_t, sbd_exec_t, sblim_gatherd_exec_t, sblim_initrc_exec_t, sblim_reposd_exec_t, sblim_sfcbd_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, sendmail_initrc_exec_t, sensord_exec_t, sensord_initrc_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setrans_exec_t, setrans_initrc_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_execd_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t, showmount_exec_t, slapd_exec_t, 
slapd_initrc_exec_t, slpd_exec_t, slpd_initrc_exec_t, smbcontrol_exec_t, smbd_exec_t, smbmount_exec_t, smokeping_cgi_script_exec_t, smokeping_exec_t, smokeping_initrc_exec_t, smoltclient_exec_t, smsd_exec_t, smsd_initrc_exec_t, snapperd_exec_t, snmpd_exec_t, snmpd_initrc_exec_t, snort_exec_t, snort_initrc_exec_t, sosreport_exec_t, soundd_exec_t, soundd_initrc_exec_t, spamass_milter_exec_t, spamc_exec_t, spamd_exec_t, spamd_initrc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, spufs_t, squid_cron_exec_t, squid_exec_t, squid_initrc_exec_t, squid_script_exec_t, src_t, srvsvcd_exec_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sshd_exec_t, sshd_initrc_exec_t, sshd_keygen_exec_t, sslh_exec_t, sslh_initrc_exec_t, sssd_exec_t, sssd_initrc_exec_t, sssd_selinux_manager_exec_t, stapserver_exec_t, stratisd_exec_t, stunnel_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svnserve_exec_t, svnserve_initrc_exec_t, swat_exec_t, swift_exec_t, swtpm_exec_t, sysctl_fs_t, sysctl_t, sysfs_t, syslogd_exec_t, syslogd_initrc_exec_t, sysstat_exec_t, sysstat_initrc_exec_t, system_munin_plugin_exec_t, systemd_bootchart_exec_t, systemd_coredump_exec_t, systemd_gpt_generator_exec_t, systemd_hostnamed_exec_t, systemd_hwdb_exec_t, systemd_importd_exec_t, systemd_initctl_exec_t, systemd_journal_upload_exec_t, systemd_localed_exec_t, systemd_logger_exec_t, systemd_logind_exec_t, systemd_machined_exec_t, systemd_modules_load_exec_t, systemd_networkd_exec_t, systemd_networkd_var_run_t, systemd_notify_exec_t, systemd_passwd_agent_exec_t, systemd_resolved_exec_t, systemd_resolved_var_run_t, systemd_rfkill_exec_t, systemd_sleep_exec_t, systemd_sysctl_exec_t, systemd_systemctl_exec_t, systemd_timedated_exec_t, systemd_tmpfiles_exec_t, systemd_userdbd_exec_t, sysv_t, tangd_exec_t, targetd_exec_t, tcpd_exec_t, tcsd_exec_t, tcsd_initrc_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, 
telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, telnetd_exec_t, tftpd_exec_t, tgtd_exec_t, tgtd_initrc_exec_t, thin_aeolus_configserver_exec_t, thin_exec_t, thumb_exec_t, timedatex_exec_t, timemaster_exec_t, tlp_exec_t, tmp_t, tmpfs_t, tmpreaper_exec_t, tomcat_exec_t, tor_exec_t, tor_initrc_exec_t, tor_var_lib_t, tor_var_log_t, tor_var_run_t, tracefs_t, traceroute_exec_t, tuned_exec_t, tuned_initrc_exec_t, tvtime_exec_t, udev_exec_t, udev_helper_exec_t, ulogd_exec_t, ulogd_initrc_exec_t, uml_exec_t, uml_switch_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbfs_t, usbmodules_exec_t, usbmuxd_exec_t, user_home_dir_t, user_home_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_exec_t, uucpd_initrc_exec_t, uuidd_exec_t, uuidd_initrc_exec_t, uux_exec_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, varnishd_exec_t, varnishd_initrc_exec_t, varnishlog_exec_t, varnishlog_initrc_exec_t, vdagent_exec_t, vdagentd_initrc_exec_t, vhostmd_exec_t, vhostmd_initrc_exec_t, virsh_exec_t, virt_bridgehelper_exec_t, virt_image_t, virt_qemu_ga_exec_t, virt_qemu_ga_unconfined_exec_t, virt_var_lib_t, virtd_exec_t, virtd_initrc_exec_t, virtd_lxc_exec_t, virtiofs_t, virtlogd_exec_t, virtlogd_initrc_exec_t, vlock_exec_t, vmblock_t, vmtools_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vmware_host_exec_t, vnc_session_exec_t, vnstat_exec_t, vnstatd_exec_t, vnstatd_initrc_exec_t, vnstatd_var_lib_t, vpnc_exec_t, w3c_validator_script_exec_t, watchdog_exec_t, watchdog_initrc_exec_t, watchdog_unconfined_exec_t, wdmd_exec_t, wdmd_initrc_exec_t, webalizer_exec_t, webalizer_script_exec_t, winbind_exec_t, winbind_helper_exec_t, wine_exec_t, wireshark_exec_t, wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xenconsoled_exec_t, 
xend_exec_t, xend_var_lib_t, xend_var_run_t, xenfs_t, xenstored_exec_t, xenstored_var_lib_t, xserver_exec_t, xsession_exec_t, ypbind_exec_t, ypbind_initrc_exec_t, yppasswdd_exec_t, ypserv_exec_t, ypxfr_exec_t, zabbix_agent_exec_t, zabbix_agent_initrc_exec_t, zabbix_exec_t, zabbix_initrc_exec_t, zabbix_script_exec_t, zarafa_deliver_exec_t, zarafa_gateway_exec_t, zarafa_ical_exec_t, zarafa_indexer_exec_t, zarafa_monitor_exec_t, zarafa_server_exec_t, zarafa_spooler_exec_t, zebra_exec_t, zebra_initrc_exec_t, zoneminder_exec_t, zoneminder_initrc_exec_t, zoneminder_script_exec_t, zos_remote_exec_t.
Then execute:
restorecon -v '/bin/busybox'

*****  Plugin catchall (1.18 confidence) suggests   **************************

If you believe that runc:[2:INIT] should be allowed entrypoint access on the busybox file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
# semodule -X 300 -i my-runc2INIT.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c363,c621
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /bin/busybox [ file ]
Source                        runc:[2:INIT]
Source Path                   runc:[2:INIT]
Port                          <Unknown>
Host                          iwana-pc00.coop.no
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.20-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.20-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     iwana-pc00.coop.no
Platform                      Linux iwana-pc00.coop.no 5.13.14-200.fc34.x86_64
                              #1 SMP Fri Sep 3 15:33:01 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-09-27 16:01:30 CEST
Last Seen                     2021-09-27 16:01:30 CEST
Local ID                      440df748-3a56-495b-b17d-037cc6fabc88

Raw Audit Messages
type=AVC msg=audit(1632751290.997:1472733): avc:  denied  { entrypoint } for  pid=2169035 comm="runc:[2:INIT]" path="/bin/busybox" dev="dm-0" ino=264 scontext=system_u:system_r:container_t:s0:c363,c621 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

Hash: runc:[2:INIT],container_t,unlabeled_t,file,entrypoint
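To make the symptom in the report above machine-checkable rather than something to eyeball in sealert, here is an added Go example (my own code, not part of buildkit or of the report) that parses raw AVC audit records and flags the signature this issue describes: a process already in container_t denied access to a file that still carries unlabeled_t, which is what an overlay mounted without a context= option inherits from an unlabeled backing directory. The first sample line is the raw audit message from the report above; the other two lines are constructed for contrast.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AVCDenial holds the fields of one SELinux AVC record that matter for
// diagnosing the unlabeled-rootfs symptom described in this issue.
type AVCDenial struct {
	Permissions []string // e.g. {"entrypoint"}
	Comm        string   // process name, e.g. runc:[2:INIT]
	Path        string   // target path, e.g. /bin/busybox
	SourceType  string   // type of scontext, e.g. container_t
	TargetType  string   // type of tcontext, e.g. unlabeled_t
	Class       string   // tclass, e.g. file
}

var (
	reDenied = regexp.MustCompile(`avc:\s+denied\s+\{\s*([^}]*)\}`)
	reField  = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
)

// contextType returns the type component of a user:role:type[:mls] context.
func contextType(ctx string) string {
	parts := strings.Split(ctx, ":")
	if len(parts) < 3 {
		return ""
	}
	return parts[2]
}

// parseAVC extracts a denial from one raw audit line; ok is false for
// lines that are not AVC denials (SYSCALL records, granted AVCs, ...).
func parseAVC(line string) (d AVCDenial, ok bool) {
	m := reDenied.FindStringSubmatch(line)
	if m == nil {
		return AVCDenial{}, false
	}
	d.Permissions = strings.Fields(m[1])
	for _, kv := range reField.FindAllStringSubmatch(line, -1) {
		val := strings.Trim(kv[2], `"`)
		switch kv[1] {
		case "comm":
			d.Comm = val
		case "path":
			d.Path = val
		case "scontext":
			d.SourceType = contextType(val)
		case "tcontext":
			d.TargetType = contextType(val)
		case "tclass":
			d.Class = val
		}
	}
	return d, true
}

// unlabeledRootfs matches the signature from this issue: a process already
// in the container domain is refused access to a file of type unlabeled_t,
// which is what an overlay mounted without context= inherits from an
// unlabeled backing directory. Denials against container_file_t (for
// instance a category mismatch) are a different problem and do not match.
func unlabeledRootfs(d AVCDenial) bool {
	return d.SourceType == "container_t" && d.TargetType == "unlabeled_t" &&
		(d.Class == "file" || d.Class == "dir")
}

// scanAuditLog returns the denials in lines that match unlabeledRootfs.
func scanAuditLog(lines []string) []AVCDenial {
	var hits []AVCDenial
	for _, line := range lines {
		if d, ok := parseAVC(line); ok && unlabeledRootfs(d) {
			hits = append(hits, d)
		}
	}
	return hits
}

// sampleAuditLines: the first entry is the raw AVC record from the sealert
// report above; the other two are constructed for contrast (a denial on a
// correctly labelled container file, and a non-AVC SYSCALL record).
var sampleAuditLines = []string{
	`type=AVC msg=audit(1632751290.997:1472733): avc:  denied  { entrypoint } for  pid=2169035 comm="runc:[2:INIT]" path="/bin/busybox" dev="dm-0" ino=264 scontext=system_u:system_r:container_t:s0:c363,c621 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0`,
	`type=AVC msg=audit(1632751291.000:1472734): avc:  denied  { write } for  pid=2169040 comm="sh" path="/tmp/out" dev="dm-0" ino=300 scontext=system_u:system_r:container_t:s0:c363,c621 tcontext=system_u:object_r:container_file_t:s0:c1,c2 tclass=file permissive=0`,
	`type=SYSCALL msg=audit(1632751290.997:1472733): arch=c000003e syscall=59 success=no exit=-13 comm="runc:[2:INIT]"`,
}

func main() {
	for _, d := range scanAuditLog(sampleAuditLines) {
		fmt.Printf("%s denied %v on %s: %s -> %s (rootfs likely mounted without its SELinux mount label)\n",
			d.Comm, d.Permissions, d.Path, d.SourceType, d.TargetType)
	}
}
```

Feed it `ausearch -m avc --raw` output line by line; only the first sample line is reported, the second (a category mismatch against container_file_t) is deliberately left out because it points at a different cause.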
drdivano commented 2 years ago

Maybe the following will be helpful - I had a similar error when running buildkit 0.9.3 on RHEL 7/8. Fixed it by recompiling buildkit, explicitly adding selinux tag. (However, in my case I ran buildkit directly, without docker)

runephilosof-karnovgroup commented 1 year ago

@drdivano

Fixed it by recompiling buildkit, explicitly adding selinux tag.

Could you explain exactly what you did?

drdivano commented 1 year ago

If you look into Dockerfile, there's a line like this: ARG BUILDKITD_TAGS

You can pass the tag via the build argument BUILDKITD_TAGS="selinux" (or add tag "selinux" directly to go build --tags options in Dockerfile)

iblancasa commented 1 year ago

Same problem here with v0.10.1 and Fedora 37

eriksjolund commented 1 year ago

I asked the buildkit slack channel for advice and was told that my issue is probably related to this issue.

cpuguy83 commented 1 year ago

I don't really have a machine readily available to test on. I believe we can call label.Relabel after generating the spec using the mount label on the spec.
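Whichever fix lands (mounting with the label up front, or relabeling after the spec is generated as proposed above), the check a practitioner wants is whether the container's root filesystem actually carries the mount label. Here is an added Go example, my own code and not buildkit's or the commenter's, that reads mountinfo text, extracts the context= option of the mount at /, and compares it with the label the process label was derived from; it also shows what the context= option looks like when added to mount data. The mountinfo lines and the /var/lib/EXAMPLE paths are constructed; formatMountLabel is a standard-library re-implementation of what go-selinux's label.FormatMountLabel produces, with an idempotency guard added here. Calling label.Relabel itself needs the real library and root on an SELinux host, so it is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// splitOpts splits a comma-separated mount option string without breaking
// inside double quotes, so context="...:s0:c363,c621" stays one option.
func splitOpts(s string) []string {
	var opts []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == ',' && !inQuote:
			opts = append(opts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		opts = append(opts, cur.String())
	}
	return opts
}

// contextOpt returns the unquoted value of a context= option, or "" if absent.
func contextOpt(opts []string) string {
	for _, o := range opts {
		if strings.HasPrefix(o, "context=") {
			return strings.Trim(strings.TrimPrefix(o, "context="), `"`)
		}
	}
	return ""
}

// mountLabelOf looks up mountPoint in /proc/<pid>/mountinfo text and returns
// the filesystem type and the SELinux context= label of that mount.
// mountinfo fields: id parent maj:min root mountpoint mntopts [optional]... - fstype source superopts
func mountLabelOf(mountinfo, mountPoint string) (fsType, label string, ok bool) {
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 10 || f[4] != mountPoint {
			continue
		}
		sep := -1
		for i := 6; i < len(f); i++ {
			if f[i] == "-" {
				sep = i
				break
			}
		}
		if sep < 0 || sep+3 >= len(f) {
			continue
		}
		return f[sep+1], contextOpt(splitOpts(f[sep+3])), true
	}
	return "", "", false
}

// checkRootfsLabel is the diagnostic for this issue: the root filesystem
// must carry the mount label matching the process label, otherwise its files
// keep whatever label the backing directory has (unlabeled_t in the report).
func checkRootfsLabel(mountinfo, expected string) error {
	fsType, label, ok := mountLabelOf(mountinfo, "/")
	if !ok {
		return errors.New("no mount found at /")
	}
	if label == "" {
		return fmt.Errorf("rootfs (%s) mounted without a context= option; files keep the backing directory's label", fsType)
	}
	if label != expected {
		return fmt.Errorf("rootfs (%s) has mount label %q, expected %q", fsType, label, expected)
	}
	return nil
}

// formatMountLabel appends context="<mountLabel>" to mount data, mirroring
// go-selinux's label.FormatMountLabel (assumed equivalent); the guard against
// adding the option twice is this example's own addition.
func formatMountLabel(src, mountLabel string) string {
	if mountLabel == "" || contextOpt(splitOpts(src)) != "" {
		return src
	}
	if src == "" {
		return fmt.Sprintf("context=%q", mountLabel)
	}
	return fmt.Sprintf("%s,context=%q", src, mountLabel)
}

// Constructed mountinfo as seen from inside a container whose rootfs overlay
// was mounted without the label while /dev (tmpfs) did receive it.
const sampleMountinfo = `1057 1040 0:70 / / rw,relatime - overlay overlay rw,seclabel,lowerdir=/var/lib/EXAMPLE/l/1,upperdir=/var/lib/EXAMPLE/u/1,workdir=/var/lib/EXAMPLE/w/1
1058 1057 0:71 / /dev rw,nosuid - tmpfs tmpfs rw,seclabel,context="system_u:object_r:container_file_t:s0:c363,c621",size=65536k,mode=755`

// expectedLabel is the file label paired with the report's container_t:s0:c363,c621 process label.
const expectedLabel = "system_u:object_r:container_file_t:s0:c363,c621"

func main() {
	if err := checkRootfsLabel(sampleMountinfo, expectedLabel); err != nil {
		fmt.Println("problem:", err)
	}
	fmt.Println("mount data with label:", formatMountLabel("rw,seclabel", expectedLabel))
}
```

Run against a real container by reading /proc/<pid>/mountinfo of a process inside it and passing the mount label from the OCI spec; a rootfs line without context= is exactly the state this issue describes, even when sibling mounts such as /dev are labelled correctly.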