Open bcressey opened 3 years ago
This may be the root cause for #2295 as well - if the overlayfs is not mounted with a context=
override, then the SELinux label will be the same as the underlying directory. If that's unlabeled_t
then it may not be valid as an entry point into the container_t
domain. With the mount label applied, it would be labeled as container_t
and the transition would succeed.
I don't have a quick way to validate that hypothesis at the moment. Happy to have this resolved as a duplicate if it turns out to be the same problem.
@cpuguy83
I'm getting this error on fedora 34, using Docker version 20.10.8, build 3967b7d
$ cat Dockerfile
FROM docker.io/alpine:3
RUN cat /etc/os-release
$ DOCKER_BUILDKIT=1 docker build - < Dockerfile
[+] Building 0.6s (5/5) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 159B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/alpine:3 0.0s
=> CACHED [1/2] FROM docker.io/library/alpine:3 0.0s
=> ERROR [2/2] RUN cat /etc/os-release 0.3s
------
> [2/2] RUN cat /etc/os-release:
#4 0.297 standard_init_linux.go:228: exec user process caused: permission denied
------
executor failed running [/bin/sh -c cat /etc/os-release]: exit code: 1
The following selinux error comes up when this happehns:
Sep 27 16:01:38 iwana-pc00.coop.no setroubleshoot[2169086]: SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox. For complete SELinux messages run: sealert -l 440df748-3a56-495b-b17d-037cc6fabc88
Sep 27 16:01:38 iwana-pc00.coop.no setroubleshoot[2169086]: SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox.
***** Plugin restorecon (54.2 confidence) suggests ************************
If you want to fix the label.
/bin/busybox default label should be bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /bin/busybox
***** Plugin file (16.6 confidence) suggests ******************************
This is caused by a newly created file system.
Then you need to add labels to it.
Do
/sbin/restorecon -R -v /bin/busybox
***** Plugin file (16.6 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin catchall_labels (3.18 confidence) suggests *******************
If you want to allow runc:[2:INIT] to have entrypoint access on the busybox file
Then you need to change the label on /bin/busybox
Do
# semanage fcontext -a -t FILE_TYPE '/bin/busybox'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_initrc_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_initrc_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_upload_watch_exec_t, abrt_watch_log_exec_t, accountsd_exec_t, acct_exec_t, acct_initrc_exec_t, admin_home_t, admin_passwd_exec_t, afs_bosserver_exec_t, afs_exec_t, afs_fsserver_exec_t, afs_initrc_exec_t, afs_kaserver_exec_t, afs_ptserver_exec_t, afs_vlserver_exec_t, aiccu_exec_t, aiccu_initrc_exec_t, aide_exec_t, ajaxterm_exec_t, ajaxterm_initrc_exec_t, alsa_exec_t, amanda_exec_t, amanda_inetd_exec_t, amanda_recover_exec_t, amtu_exec_t, amtu_initrc_exec_t, anaconda_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_exec_t, antivirus_initrc_exec_t, apcupsd_cgi_script_exec_t, apcupsd_exec_t, apcupsd_initrc_exec_t, apm_exec_t, apmd_exec_t, apmd_initrc_exec_t, arpwatch_exec_t, arpwatch_initrc_exec_t, asterisk_exec_t, asterisk_initrc_exec_t, audisp_exec_t, audisp_remote_exec_t, audit_spool_t, auditctl_exec_t, auditd_exec_t, auditd_initrc_exec_t, auditd_log_t, authconfig_exec_t, autofs_t, automount_exec_t, automount_initrc_exec_t, automount_tmp_t, avahi_exec_t, avahi_initrc_exec_t, awstats_exec_t, awstats_script_exec_t, bacula_admin_exec_t, bacula_exec_t, bacula_initrc_exec_t, bacula_store_t, bacula_unconfined_script_exec_t, bcfg2_exec_t, bcfg2_initrc_exec_t, bin_t, binfmt_misc_fs_t, bitlbee_exec_t, bitlbee_initrc_exec_t, blkmapd_exec_t, blkmapd_initrc_exec_t, blktap_exec_t, blueman_exec_t, bluetooth_exec_t, bluetooth_helper_exec_t, bluetooth_initrc_exec_t, bluetooth_var_lib_t, boinc_exec_t, boinc_initrc_exec_t, boinc_var_lib_t, boltd_exec_t, boot_t, bootloader_exec_t, bpf_t, brctl_exec_t, brltty_exec_t, bugzilla_script_exec_t, bumblebee_exec_t, cachefilesd_exec_t, calamaris_exec_t, callweaver_exec_t, callweaver_initrc_exec_t, canna_exec_t, canna_initrc_exec_t, capifs_t, cardctl_exec_t, cardmgr_exec_t, ccs_exec_t, ccs_initrc_exec_t, cdcc_exec_t, cdrecord_exec_t, certmaster_exec_t, certmaster_initrc_exec_t, certmonger_exec_t, certmonger_initrc_exec_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_execd_exec_t, cfengine_initrc_exec_t, cfengine_monitord_exec_t, cfengine_serverd_exec_t, cgclear_exec_t, cgconfig_exec_t, cgconfig_initrc_exec_t, cgred_exec_t, cgred_initrc_exec_t, cgroup_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, chronyd_exec_t, chronyd_initrc_exec_t, chroot_exec_t, cifs_t, cinder_api_exec_t, cinder_backup_exec_t, cinder_scheduler_exec_t, cinder_volume_exec_t, ciped_exec_t, ciped_initrc_exec_t, clogd_exec_t, cloud_init_exec_t, cluster_exec_t, cluster_initrc_exec_t, clvmd_exec_t, clvmd_initrc_exec_t, cmirrord_exec_t, cmirrord_initrc_exec_t, cobblerd_exec_t, cobblerd_initrc_exec_t, cockpit_session_exec_t, cockpit_ws_exec_t, collectd_exec_t, collectd_initrc_exec_t, collectd_script_exec_t, colord_exec_t, comsat_exec_t, condor_collector_exec_t, condor_initrc_exec_t, condor_master_exec_t, condor_negotiator_exec_t, condor_procd_exec_t, condor_schedd_exec_t, condor_startd_exec_t, conman_exec_t, conman_unconfined_script_exec_t, conntrackd_exec_t, conntrackd_initrc_exec_t, consolehelper_exec_t, consolekit_exec_t, container_auth_exec_t, container_file_t, container_ro_file_t, container_runtime_exec_t, container_var_lib_t, couchdb_exec_t, couchdb_initrc_exec_t, courier_authdaemon_exec_t, courier_exec_t, courier_pcp_exec_t, courier_pop_exec_t, courier_sqwebmail_exec_t, courier_tcpd_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuplug_exec_t, cpuplug_initrc_exec_t, cpuspeed_exec_t, crack_exec_t, crond_exec_t, crond_initrc_exec_t, crontab_exec_t, ctdbd_exec_t, ctdbd_initrc_exec_t, cups_pdf_exec_t, cupsd_config_exec_t, cupsd_exec_t, cupsd_initrc_exec_t, cupsd_lpd_exec_t, cvs_exec_t, cvs_initrc_exec_t, cvs_script_exec_t, cyphesis_exec_t, cyphesis_initrc_exec_t, cyrus_exec_t, cyrus_initrc_exec_t, dbskkd_exec_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, dccd_exec_t, dccifd_exec_t, dccm_exec_t, dcerpcd_exec_t, ddclient_exec_t, ddclient_initrc_exec_t, debugfs_t, debuginfo_exec_t, default_t, deltacloudd_exec_t, denyhosts_exec_t, denyhosts_initrc_exec_t, device_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devpts_t, dhcpc_exec_t, dhcpc_helper_exec_t, dhcpd_exec_t, dhcpd_initrc_exec_t, dictd_exec_t, dictd_initrc_exec_t, dirsrv_exec_t, dirsrv_snmp_exec_t, dirsrvadmin_exec_t, dirsrvadmin_script_exec_t, dirsrvadmin_unconfined_script_exec_t, disk_munin_plugin_exec_t, dkim_milter_exec_t, dlm_controld_exec_t, dlm_controld_initrc_exec_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_exec_t, dnsmasq_initrc_exec_t, dnssec_t, dnssec_trigger_exec_t, dosfs_t, dovecot_auth_exec_t, dovecot_deliver_exec_t, dovecot_exec_t, dovecot_initrc_exec_t, drbd_exec_t, drbd_initrc_exec_t, dspam_exec_t, dspam_initrc_exec_t, dspam_script_exec_t, ecryptfs_t, efivarfs_t, entropyd_exec_t, entropyd_initrc_exec_t, eventlogd_exec_t, evtchnd_exec_t, exim_exec_t, exim_initrc_exec_t, fail2ban_client_exec_t, fail2ban_exec_t, fail2ban_initrc_exec_t, fcoemon_exec_t, fcoemon_initrc_exec_t, fenced_exec_t, fetchmail_exec_t, fetchmail_initrc_exec_t, fingerd_exec_t, firewalld_exec_t, firewalld_initrc_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, foghorn_exec_t, foghorn_initrc_exec_t, fprintd_exec_t, freeipmi_bmc_watchdog_exec_t, freeipmi_ipmidetectd_exec_t, freeipmi_ipmiseld_exec_t, freqset_exec_t, fsadm_exec_t, fsdaemon_exec_t, fsdaemon_initrc_exec_t, ftpd_exec_t, ftpd_initrc_exec_t, ftpdctl_exec_t, fusefs_t, fusermount_exec_t, fwupd_exec_t, fwupd_var_lib_t, games_exec_t, gconfd_exec_t, gconfdefaultsm_exec_t, gdomap_exec_t, gdomap_initrc_exec_t, geoclue_exec_t, getty_exec_t, gfs_controld_exec_t, git_script_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, glance_api_exec_t, glance_api_initrc_exec_t, glance_registry_exec_t, glance_registry_initrc_exec_t, glance_scrubber_exec_t, glance_scrubber_initrc_exec_t, glusterd_exec_t, glusterd_initrc_exec_t, gnome_atspi_exec_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpm_exec_t, gpm_initrc_exec_t, gpsd_exec_t, gpsd_initrc_exec_t, greylist_milter_exec_t, groupadd_exec_t, groupd_exec_t, gssd_exec_t, gssproxy_exec_t, haproxy_exec_t, hddtemp_exec_t, hddtemp_initrc_exec_t, home_root_t, hostapd_exec_t, hostname_exec_t, hsqldb_exec_t, httpd_exec_t, httpd_helper_exec_t, httpd_initrc_exec_t, httpd_passwd_exec_t, httpd_php_exec_t, httpd_rotatelogs_exec_t, httpd_suexec_exec_t, httpd_sys_content_t, httpd_sys_script_exec_t, httpd_unconfined_script_exec_t, httpd_user_script_exec_t, httpd_var_run_t, hugetlbfs_t, hwclock_exec_t, hwloc_dhwd_exec_t, hypervkvp_exec_t, hypervkvp_initrc_exec_t, hypervvssd_exec_t, ibacm_exec_t, iceauth_exec_t, icecast_exec_t, icecast_initrc_exec_t, ifconfig_exec_t, ifconfig_var_run_t, inetd_child_exec_t, inetd_exec_t, init_exec_t, initrc_exec_t, initrc_tmp_t, innd_exec_t, innd_initrc_exec_t, install_exec_t, iodined_exec_t, iodined_initrc_exec_t, iotop_exec_t, ipa_custodia_dmldap_exec_t, ipa_custodia_exec_t, ipa_custodia_pki_tomcat_exec_t, ipa_custodia_ra_agent_exec_t, ipa_dnskey_exec_t, ipa_helper_exec_t, ipa_ods_exporter_exec_t, ipa_otpd_exec_t, ipmievd_exec_t, ipmievd_helper_exec_t, ipsec_exec_t, ipsec_initrc_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, iptables_initrc_exec_t, irc_exec_t, irqbalance_exec_t, irqbalance_initrc_exec_t, irssi_exec_t, iscsid_exec_t, isnsd_exec_t, isnsd_initrc_exec_t, iso9660_t, iwhd_exec_t, iwhd_initrc_exec_t, jabberd_exec_t, jabberd_initrc_exec_t, jabberd_router_exec_t, jetty_exec_t, jockey_exec_t, journalctl_exec_t, kadmind_exec_t, kdump_exec_t, kdump_initrc_exec_t, kdumpctl_exec_t, kdumpgui_exec_t, keepalived_exec_t, keepalived_unconfined_script_exec_t, kerberos_initrc_exec_t, keyboardd_exec_t, keystone_cgi_script_exec_t, keystone_exec_t, keystone_initrc_exec_t, kismet_exec_t, kismet_initrc_exec_t, klogd_exec_t, kmod_exec_t, kmscon_exec_t, kpatch_exec_t, kpropd_exec_t, krb5kdc_exec_t, ksmtuned_exec_t, ksmtuned_initrc_exec_t, ktalkd_exec_t, l2tpd_exec_t, l2tpd_initrc_exec_t, ldconfig_exec_t, likewise_initrc_exec_t, lircd_exec_t, lircd_initrc_exec_t, livecd_exec_t, lldpad_exec_t, lldpad_initrc_exec_t, load_policy_exec_t, loadkeys_exec_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_exec_t, logwatch_exec_t, lpd_exec_t, lpr_exec_t, lsassd_exec_t, lsmd_exec_t, lsmd_plugin_exec_t, lttng_sessiond_exec_t, lvm_exec_t, lwiod_exec_t, lwregd_exec_t, lwsmd_exec_t, mail_munin_plugin_exec_t, mail_spool_t, mailman_cgi_exec_t, mailman_mail_exec_t, mailman_queue_exec_t, man2html_script_exec_t, mandb_exec_t, mcelog_exec_t, mcelog_initrc_exec_t, mdadm_exec_t, mdadm_initrc_exec_t, mediawiki_script_exec_t, memcached_exec_t, memcached_initrc_exec_t, mencoder_exec_t, minidlna_exec_t, minidlna_initrc_exec_t, minissdpd_exec_t, minissdpd_initrc_exec_t, mip6d_exec_t, mirrormanager_exec_t, mnt_t, mock_build_exec_t, mock_exec_t, mock_tmp_t, mock_var_lib_t, modemmanager_exec_t, mojomojo_script_exec_t, mon_procd_exec_t, mon_statd_exec_t, mon_statd_initrc_exec_t, mongod_exec_t, mongod_initrc_exec_t, motion_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mpd_exec_t, mpd_initrc_exec_t, mplayer_exec_t, mqueue_spool_t, mrtg_exec_t, mrtg_initrc_exec_t, mscan_exec_t, mscan_initrc_exec_t, mtrr_device_t, munin_exec_t, munin_initrc_exec_t, munin_script_exec_t, mysqld_exec_t, mysqld_initrc_exec_t, mysqld_safe_exec_t, mysqlmanagerd_exec_t, mysqlmanagerd_initrc_exec_t, mythtv_script_exec_t, naemon_exec_t, naemon_initrc_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_exec_t, nagios_initrc_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_script_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_conf_t, named_exec_t, named_initrc_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netlogond_exec_t, netutils_exec_t, neutron_exec_t, neutron_initrc_exec_t, newrole_exec_t, news_spool_t, nfs_t, nfsd_exec_t, nfsd_fs_t, nfsd_initrc_exec_t, ninfod_exec_t, nis_initrc_exec_t, nmbd_exec_t, nova_exec_t, nrpe_exec_t, nscd_exec_t, nscd_initrc_exec_t, nsd_exec_t, nslcd_exec_t, nslcd_initrc_exec_t, ntop_exec_t, ntop_initrc_exec_t, ntpd_exec_t, ntpd_initrc_exec_t, ntpdate_exec_t, numad_exec_t, nut_upsd_exec_t, nut_upsdrvctl_exec_t, nut_upsmon_exec_t, nutups_cgi_script_exec_t, nx_server_exec_t, obex_exec_t, oddjob_exec_t, oddjob_mkhomedir_exec_t, onload_fs_t, opafm_exec_t, openct_exec_t, openct_initrc_exec_t, opendnssec_exec_t, openfortivpn_exec_t, openhpid_exec_t, openhpid_initrc_exec_t, openshift_app_tmp_t, openshift_cgroup_read_exec_t, openshift_cron_exec_t, openshift_initrc_exec_t, openshift_net_read_exec_t, openshift_script_exec_t, openshift_tmp_t, openshift_var_lib_t, opensm_exec_t, openvpn_exec_t, openvpn_initrc_exec_t, openvpn_unconfined_script_exec_t, openvswitch_exec_t, openwsman_exec_t, oracleasm_exec_t, oracleasm_initrc_exec_t, oracleasmfs_t, osad_exec_t, osad_initrc_exec_t, osbuild_exec_t, pads_exec_t, pads_initrc_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passenger_exec_t, passwd_exec_t, pcp_plugin_exec_t, pcp_plugin_initrc_exec_t, pcp_pmcd_exec_t, pcp_pmcd_initrc_exec_t, pcp_pmie_exec_t, pcp_pmie_initrc_exec_t, pcp_pmlogger_exec_t, pcp_pmlogger_initrc_exec_t, pcp_pmproxy_exec_t, pcp_pmproxy_initrc_exec_t, pcscd_exec_t, pcscd_initrc_exec_t, pdns_control_exec_t, pdns_exec_t, pegasus_exec_t, pegasus_openlmi_account_exec_t, pegasus_openlmi_admin_exec_t, pegasus_openlmi_logicalfile_exec_t, pegasus_openlmi_services_exec_t, pegasus_openlmi_storage_exec_t, pegasus_openlmi_system_exec_t, pegasus_openlmi_unconfined_exec_t, pesign_exec_t, phc2sys_exec_t, pinentry_exec_t, ping_exec_t, pingd_exec_t, pingd_initrc_exec_t, piranha_fos_exec_t, piranha_lvs_exec_t, piranha_pulse_exec_t, piranha_pulse_initrc_exec_t, piranha_web_exec_t, pkcs11proxyd_exec_t, pkcs_slotd_exec_t, pkcs_slotd_initrc_exec_t, pki_ra_exec_t, pki_ra_script_exec_t, pki_tomcat_exec_t, pki_tps_exec_t, pki_tps_script_exec_t, plymouth_exec_t, plymouthd_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, polipo_initrc_exec_t, portmap_exec_t, portmap_helper_exec_t, portmap_initrc_exec_t, portreserve_exec_t, portreserve_initrc_exec_t, postfix_bounce_exec_t, postfix_cleanup_exec_t, postfix_exec_t, postfix_initrc_exec_t, postfix_local_exec_t, postfix_map_exec_t, postfix_master_exec_t, postfix_pickup_exec_t, postfix_pipe_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_exec_t, postfix_showq_exec_t, postfix_smtp_exec_t, postfix_smtpd_exec_t, postfix_virtual_exec_t, postgresql_exec_t, postgresql_initrc_exec_t, postgrey_exec_t, postgrey_initrc_exec_t, pppd_exec_t, pppd_initrc_exec_t, pptp_exec_t, prelink_cron_system_exec_t, prelink_exec_t, prelude_audisp_exec_t, prelude_correlator_exec_t, prelude_exec_t, prelude_initrc_exec_t, prelude_lml_exec_t, preupgrade_exec_t, prewikka_script_exec_t, privoxy_exec_t, privoxy_initrc_exec_t, proc_t, proc_xen_t, procmail_exec_t, prosody_exec_t, psad_exec_t, psad_initrc_exec_t, pstore_t, ptal_exec_t, ptchown_exec_t, ptp4l_exec_t, public_content_rw_t, public_content_t, publicfile_exec_t, pulseaudio_exec_t, puppetagent_exec_t, puppetagent_initrc_exec_t, puppetca_exec_t, puppetmaster_exec_t, puppetmaster_initrc_exec_t, pwauth_exec_t, pyicqt_exec_t, qdiskd_exec_t, qemu_dm_exec_t, qemu_exec_t, qmail_clean_exec_t, qmail_inject_exec_t, qmail_local_exec_t, qmail_lspawn_exec_t, qmail_queue_exec_t, qmail_remote_exec_t, qmail_rspawn_exec_t, qmail_send_exec_t, qmail_smtpd_exec_t, qmail_splogger_exec_t, qmail_start_exec_t, qmail_tcp_env_exec_t, qpidd_exec_t, qpidd_initrc_exec_t, quota_exec_t, quota_nld_exec_t, rabbitmq_exec_t, rabbitmq_initrc_exec_t, racoon_exec_t, radiusd_exec_t, radiusd_initrc_exec_t, radvd_exec_t, radvd_initrc_exec_t, ramfs_t, random_seed_t, rasdaemon_exec_t, rdisc_exec_t, readahead_exec_t, realmd_exec_t, redis_exec_t, redis_initrc_exec_t, regex_milter_exec_t, removable_t, restorecond_exec_t, rhev_agentd_exec_t, rhgb_exec_t, rhnsd_exec_t, rhnsd_initrc_exec_t, rhsmcertd_exec_t, rhsmcertd_initrc_exec_t, ricci_exec_t, ricci_initrc_exec_t, ricci_modcluster_exec_t, ricci_modclusterd_exec_t, ricci_modlog_exec_t, ricci_modrpm_exec_t, ricci_modservice_exec_t, ricci_modstorage_exec_t, rkt_exec_t, rlogind_exec_t, rngd_exec_t, rngd_initrc_exec_t, rolekit_exec_t, root_t, roundup_exec_t, roundup_initrc_exec_t, rpc_pipefs_t, rpcbind_exec_t, rpcbind_initrc_exec_t, rpcd_exec_t, rpcd_initrc_exec_t, rpm_exec_t, rpm_script_exec_t, rpmdb_exec_t, rrdcached_exec_t, rshd_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtas_errd_exec_t, rtkit_daemon_exec_t, rtkit_daemon_initrc_exec_t, run_init_exec_t, rwho_exec_t, rwho_initrc_exec_t, samba_initrc_exec_t, samba_net_exec_t, samba_unconfined_script_exec_t, sambagui_exec_t, sandbox_exec_t, sanlk_resetd_exec_t, sanlock_exec_t, sanlock_initrc_exec_t, saslauthd_exec_t, saslauthd_initrc_exec_t, sbd_exec_t, sblim_gatherd_exec_t, sblim_initrc_exec_t, sblim_reposd_exec_t, sblim_sfcbd_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, sendmail_initrc_exec_t, sensord_exec_t, sensord_initrc_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setrans_exec_t, setrans_initrc_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_execd_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t, showmount_exec_t, slapd_exec_t, slapd_initrc_exec_t, slpd_exec_t, slpd_initrc_exec_t, smbcontrol_exec_t, smbd_exec_t, smbmount_exec_t, smokeping_cgi_script_exec_t, smokeping_exec_t, smokeping_initrc_exec_t, smoltclient_exec_t, smsd_exec_t, smsd_initrc_exec_t, snapperd_exec_t, snmpd_exec_t, snmpd_initrc_exec_t, snort_exec_t, snort_initrc_exec_t, sosreport_exec_t, soundd_exec_t, soundd_initrc_exec_t, spamass_milter_exec_t, spamc_exec_t, spamd_exec_t, spamd_initrc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, spufs_t, squid_cron_exec_t, squid_exec_t, squid_initrc_exec_t, squid_script_exec_t, src_t, srvsvcd_exec_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sshd_exec_t, sshd_initrc_exec_t, sshd_keygen_exec_t, sslh_exec_t, sslh_initrc_exec_t, sssd_exec_t, sssd_initrc_exec_t, sssd_selinux_manager_exec_t, stapserver_exec_t, stratisd_exec_t, stunnel_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svnserve_exec_t, svnserve_initrc_exec_t, swat_exec_t, swift_exec_t, swtpm_exec_t, sysctl_fs_t, sysctl_t, sysfs_t, syslogd_exec_t, syslogd_initrc_exec_t, sysstat_exec_t, sysstat_initrc_exec_t, system_munin_plugin_exec_t, systemd_bootchart_exec_t, systemd_coredump_exec_t, systemd_gpt_generator_exec_t, systemd_hostnamed_exec_t, systemd_hwdb_exec_t, systemd_importd_exec_t, systemd_initctl_exec_t, systemd_journal_upload_exec_t, systemd_localed_exec_t, systemd_logger_exec_t, systemd_logind_exec_t, systemd_machined_exec_t, systemd_modules_load_exec_t, systemd_networkd_exec_t, systemd_networkd_var_run_t, systemd_notify_exec_t, systemd_passwd_agent_exec_t, systemd_resolved_exec_t, systemd_resolved_var_run_t, systemd_rfkill_exec_t, systemd_sleep_exec_t, systemd_sysctl_exec_t, systemd_systemctl_exec_t, systemd_timedated_exec_t, systemd_tmpfiles_exec_t, systemd_userdbd_exec_t, sysv_t, tangd_exec_t, targetd_exec_t, tcpd_exec_t, tcsd_exec_t, tcsd_initrc_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, telnetd_exec_t, tftpd_exec_t, tgtd_exec_t, tgtd_initrc_exec_t, thin_aeolus_configserver_exec_t, thin_exec_t, thumb_exec_t, timedatex_exec_t, timemaster_exec_t, tlp_exec_t, tmp_t, tmpfs_t, tmpreaper_exec_t, tomcat_exec_t, tor_exec_t, tor_initrc_exec_t, tor_var_lib_t, tor_var_log_t, tor_var_run_t, tracefs_t, traceroute_exec_t, tuned_exec_t, tuned_initrc_exec_t, tvtime_exec_t, udev_exec_t, udev_helper_exec_t, ulogd_exec_t, ulogd_initrc_exec_t, uml_exec_t, uml_switch_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbfs_t, usbmodules_exec_t, usbmuxd_exec_t, user_home_dir_t, user_home_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_exec_t, uucpd_initrc_exec_t, uuidd_exec_t, uuidd_initrc_exec_t, uux_exec_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, varnishd_exec_t, varnishd_initrc_exec_t, varnishlog_exec_t, varnishlog_initrc_exec_t, vdagent_exec_t, vdagentd_initrc_exec_t, vhostmd_exec_t, vhostmd_initrc_exec_t, virsh_exec_t, virt_bridgehelper_exec_t, virt_image_t, virt_qemu_ga_exec_t, virt_qemu_ga_unconfined_exec_t, virt_var_lib_t, virtd_exec_t, virtd_initrc_exec_t, virtd_lxc_exec_t, virtiofs_t, virtlogd_exec_t, virtlogd_initrc_exec_t, vlock_exec_t, vmblock_t, vmtools_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vmware_host_exec_t, vnc_session_exec_t, vnstat_exec_t, vnstatd_exec_t, vnstatd_initrc_exec_t, vnstatd_var_lib_t, vpnc_exec_t, w3c_validator_script_exec_t, watchdog_exec_t, watchdog_initrc_exec_t, watchdog_unconfined_exec_t, wdmd_exec_t, wdmd_initrc_exec_t, webalizer_exec_t, webalizer_script_exec_t, winbind_exec_t, winbind_helper_exec_t, wine_exec_t, wireshark_exec_t, wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xenconsoled_exec_t, xend_exec_t, xend_var_lib_t, xend_var_run_t, xenfs_t, xenstored_exec_t, xenstored_var_lib_t, xserver_exec_t, xsession_exec_t, ypbind_exec_t, ypbind_initrc_exec_t, yppasswdd_exec_t, ypserv_exec_t, ypxfr_exec_t, zabbix_agent_exec_t, zabbix_agent_initrc_exec_t, zabbix_exec_t, zabbix_initrc_exec_t, zabbix_script_exec_t, zarafa_deliver_exec_t, zarafa_gateway_exec_t, zarafa_ical_exec_t, zarafa_indexer_exec_t, zarafa_monitor_exec_t, zarafa_server_exec_t, zarafa_spooler_exec_t, zebra_exec_t, zebra_initrc_exec_t, zoneminder_exec_t, zoneminder_initrc_exec_t, zoneminder_script_exec_t, zos_remote_exec_t.
Then execute:
restorecon -v '/bin/busybox'
***** Plugin catchall (1.03 confidence) suggests **************************
If you believe that runc:[2:INIT] should be allowed entrypoint access on the busybox file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
# semodule -X 300 -i my-runc2INIT.pp
sealert output:
# sealert -l 440df748-3a56-495b-b17d-037cc6fabc88
SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox.
***** Plugin restorecon (68.9 confidence) suggests ************************
If you want to fix the label.
/bin/busybox default label should be bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /bin/busybox
***** Plugin file (21.0 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin file (21.0 confidence) suggests ******************************
If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot
***** Plugin catchall_labels (3.92 confidence) suggests *******************
If you want to allow runc:[2:INIT] to have entrypoint access on the busybox file
Then you need to change the label on /bin/busybox
Do
# semanage fcontext -a -t FILE_TYPE '/bin/busybox'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_initrc_exec_t, abrt_dump_oops_exec_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_initrc_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_upload_watch_exec_t, abrt_watch_log_exec_t, accountsd_exec_t, acct_exec_t, acct_initrc_exec_t, admin_home_t, admin_passwd_exec_t, afs_bosserver_exec_t, afs_exec_t, afs_fsserver_exec_t, afs_initrc_exec_t, afs_kaserver_exec_t, afs_ptserver_exec_t, afs_vlserver_exec_t, aiccu_exec_t, aiccu_initrc_exec_t, aide_exec_t, ajaxterm_exec_t, ajaxterm_initrc_exec_t, alsa_exec_t, amanda_exec_t, amanda_inetd_exec_t, amanda_recover_exec_t, amtu_exec_t, amtu_initrc_exec_t, anaconda_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_exec_t, antivirus_initrc_exec_t, apcupsd_cgi_script_exec_t, apcupsd_exec_t, apcupsd_initrc_exec_t, apm_exec_t, apmd_exec_t, apmd_initrc_exec_t, arpwatch_exec_t, arpwatch_initrc_exec_t, asterisk_exec_t, asterisk_initrc_exec_t, audisp_exec_t, audisp_remote_exec_t, audit_spool_t, auditctl_exec_t, auditd_exec_t, auditd_initrc_exec_t, auditd_log_t, authconfig_exec_t, autofs_t, automount_exec_t, automount_initrc_exec_t, automount_tmp_t, avahi_exec_t, avahi_initrc_exec_t, awstats_exec_t, awstats_script_exec_t, bacula_admin_exec_t, bacula_exec_t, bacula_initrc_exec_t, bacula_store_t, bacula_unconfined_script_exec_t, bcfg2_exec_t, bcfg2_initrc_exec_t, bin_t, binfmt_misc_fs_t, bitlbee_exec_t, bitlbee_initrc_exec_t, blkmapd_exec_t, blkmapd_initrc_exec_t, blktap_exec_t, blueman_exec_t, bluetooth_exec_t, bluetooth_helper_exec_t, bluetooth_initrc_exec_t, bluetooth_var_lib_t, boinc_exec_t, boinc_initrc_exec_t, boinc_var_lib_t, boltd_exec_t, boot_t, bootloader_exec_t, bpf_t, brctl_exec_t, brltty_exec_t, bugzilla_script_exec_t, bumblebee_exec_t, cachefilesd_exec_t, calamaris_exec_t, callweaver_exec_t, callweaver_initrc_exec_t, canna_exec_t, canna_initrc_exec_t, capifs_t, cardctl_exec_t, cardmgr_exec_t, ccs_exec_t, ccs_initrc_exec_t, cdcc_exec_t, cdrecord_exec_t, certmaster_exec_t, certmaster_initrc_exec_t, certmonger_exec_t, certmonger_initrc_exec_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_execd_exec_t, cfengine_initrc_exec_t, cfengine_monitord_exec_t, cfengine_serverd_exec_t, cgclear_exec_t, cgconfig_exec_t, cgconfig_initrc_exec_t, cgred_exec_t, cgred_initrc_exec_t, cgroup_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chronyc_exec_t, chronyd_exec_t, chronyd_initrc_exec_t, chroot_exec_t, cifs_t, cinder_api_exec_t, cinder_backup_exec_t, cinder_scheduler_exec_t, cinder_volume_exec_t, ciped_exec_t, ciped_initrc_exec_t, clogd_exec_t, cloud_init_exec_t, cluster_exec_t, cluster_initrc_exec_t, clvmd_exec_t, clvmd_initrc_exec_t, cmirrord_exec_t, cmirrord_initrc_exec_t, cobblerd_exec_t, cobblerd_initrc_exec_t, cockpit_session_exec_t, cockpit_ws_exec_t, collectd_exec_t, collectd_initrc_exec_t, collectd_script_exec_t, colord_exec_t, comsat_exec_t, condor_collector_exec_t, condor_initrc_exec_t, condor_master_exec_t, condor_negotiator_exec_t, condor_procd_exec_t, condor_schedd_exec_t, condor_startd_exec_t, conman_exec_t, conman_unconfined_script_exec_t, conntrackd_exec_t, conntrackd_initrc_exec_t, consolehelper_exec_t, consolekit_exec_t, container_auth_exec_t, container_file_t, container_ro_file_t, container_runtime_exec_t, container_var_lib_t, couchdb_exec_t, couchdb_initrc_exec_t, courier_authdaemon_exec_t, courier_exec_t, courier_pcp_exec_t, courier_pop_exec_t, courier_sqwebmail_exec_t, courier_tcpd_exec_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuplug_exec_t, cpuplug_initrc_exec_t, cpuspeed_exec_t, crack_exec_t, crond_exec_t, crond_initrc_exec_t, crontab_exec_t, ctdbd_exec_t, ctdbd_initrc_exec_t, cups_pdf_exec_t, cupsd_config_exec_t, cupsd_exec_t, cupsd_initrc_exec_t, cupsd_lpd_exec_t, cvs_exec_t, cvs_initrc_exec_t, cvs_script_exec_t, cyphesis_exec_t, cyphesis_initrc_exec_t, cyrus_exec_t, cyrus_initrc_exec_t, dbskkd_exec_t, dbusd_exec_t, dcc_client_exec_t, dcc_dbclean_exec_t, dccd_exec_t, dccifd_exec_t, dccm_exec_t, dcerpcd_exec_t, ddclient_exec_t, ddclient_initrc_exec_t, debugfs_t, debuginfo_exec_t, default_t, deltacloudd_exec_t, denyhosts_exec_t, denyhosts_initrc_exec_t, device_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devpts_t, dhcpc_exec_t, dhcpc_helper_exec_t, dhcpd_exec_t, dhcpd_initrc_exec_t, dictd_exec_t, dictd_initrc_exec_t, dirsrv_exec_t, dirsrv_snmp_exec_t, dirsrvadmin_exec_t, dirsrvadmin_script_exec_t, dirsrvadmin_unconfined_script_exec_t, disk_munin_plugin_exec_t, dkim_milter_exec_t, dlm_controld_exec_t, dlm_controld_initrc_exec_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_exec_t, dnsmasq_initrc_exec_t, dnssec_t, dnssec_trigger_exec_t, dosfs_t, dovecot_auth_exec_t, dovecot_deliver_exec_t, dovecot_exec_t, dovecot_initrc_exec_t, drbd_exec_t, drbd_initrc_exec_t, dspam_exec_t, dspam_initrc_exec_t, dspam_script_exec_t, ecryptfs_t, efivarfs_t, entropyd_exec_t, entropyd_initrc_exec_t, eventlogd_exec_t, evtchnd_exec_t, exim_exec_t, exim_initrc_exec_t, fail2ban_client_exec_t, fail2ban_exec_t, fail2ban_initrc_exec_t, fcoemon_exec_t, fcoemon_initrc_exec_t, fenced_exec_t, fetchmail_exec_t, fetchmail_initrc_exec_t, fingerd_exec_t, firewalld_exec_t, firewalld_initrc_exec_t, firewallgui_exec_t, firstboot_exec_t, flatpak_helper_exec_t, foghorn_exec_t, foghorn_initrc_exec_t, fprintd_exec_t, freeipmi_bmc_watchdog_exec_t, freeipmi_ipmidetectd_exec_t, freeipmi_ipmiseld_exec_t, freqset_exec_t, fsadm_exec_t, fsdaemon_exec_t, fsdaemon_initrc_exec_t, ftpd_exec_t, ftpd_initrc_exec_t, ftpdctl_exec_t, fusefs_t, fusermount_exec_t, fwupd_exec_t, fwupd_var_lib_t, games_exec_t, gconfd_exec_t, gconfdefaultsm_exec_t, gdomap_exec_t, gdomap_initrc_exec_t, geoclue_exec_t, getty_exec_t, gfs_controld_exec_t, git_script_exec_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, glance_api_exec_t, glance_api_initrc_exec_t, glance_registry_exec_t, glance_registry_initrc_exec_t, glance_scrubber_exec_t, glance_scrubber_initrc_exec_t, glusterd_exec_t, glusterd_initrc_exec_t, gnome_atspi_exec_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_exec_t, gpg_helper_exec_t, gpm_exec_t, gpm_initrc_exec_t, gpsd_exec_t, gpsd_initrc_exec_t, greylist_milter_exec_t, groupadd_exec_t, groupd_exec_t, gssd_exec_t, gssproxy_exec_t, haproxy_exec_t, hddtemp_exec_t, hddtemp_initrc_exec_t, home_root_t, hostapd_exec_t, hostname_exec_t, hsqldb_exec_t, httpd_exec_t, httpd_helper_exec_t, httpd_initrc_exec_t, httpd_passwd_exec_t, httpd_php_exec_t, httpd_rotatelogs_exec_t, httpd_suexec_exec_t, httpd_sys_content_t, httpd_sys_script_exec_t, httpd_unconfined_script_exec_t, httpd_user_script_exec_t, httpd_var_run_t, hugetlbfs_t, hwclock_exec_t, hwloc_dhwd_exec_t, hypervkvp_exec_t, hypervkvp_initrc_exec_t, hypervvssd_exec_t, ibacm_exec_t, iceauth_exec_t, icecast_exec_t, icecast_initrc_exec_t, ifconfig_exec_t, ifconfig_var_run_t, inetd_child_exec_t, inetd_exec_t, init_exec_t, initrc_exec_t, initrc_tmp_t, innd_exec_t, innd_initrc_exec_t, install_exec_t, iodined_exec_t, iodined_initrc_exec_t, iotop_exec_t, ipa_custodia_dmldap_exec_t, ipa_custodia_exec_t, ipa_custodia_pki_tomcat_exec_t, ipa_custodia_ra_agent_exec_t, ipa_dnskey_exec_t, ipa_helper_exec_t, ipa_ods_exporter_exec_t, ipa_otpd_exec_t, ipmievd_exec_t, ipmievd_helper_exec_t, ipsec_exec_t, ipsec_initrc_exec_t, ipsec_mgmt_exec_t, iptables_exec_t, iptables_initrc_exec_t, irc_exec_t, irqbalance_exec_t, irqbalance_initrc_exec_t, irssi_exec_t, iscsid_exec_t, isnsd_exec_t, isnsd_initrc_exec_t, iso9660_t, iwhd_exec_t, iwhd_initrc_exec_t, jabberd_exec_t, jabberd_initrc_exec_t, jabberd_router_exec_t, jetty_exec_t, jockey_exec_t, journalctl_exec_t, kadmind_exec_t, kdump_exec_t, kdump_initrc_exec_t, kdumpctl_exec_t, kdumpgui_exec_t, keepalived_exec_t, keepalived_unconfined_script_exec_t, kerberos_initrc_exec_t, keyboardd_exec_t, keystone_cgi_script_exec_t, keystone_exec_t, keystone_initrc_exec_t, kismet_exec_t, kismet_initrc_exec_t, klogd_exec_t, kmod_exec_t, kmscon_exec_t, kpatch_exec_t, kpropd_exec_t, krb5kdc_exec_t, ksmtuned_exec_t, ksmtuned_initrc_exec_t, ktalkd_exec_t, l2tpd_exec_t, l2tpd_initrc_exec_t, ldconfig_exec_t, likewise_initrc_exec_t, lircd_exec_t, lircd_initrc_exec_t, livecd_exec_t, lldpad_exec_t, lldpad_initrc_exec_t, load_policy_exec_t, loadkeys_exec_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_exec_t, logwatch_exec_t, lpd_exec_t, lpr_exec_t, lsassd_exec_t, lsmd_exec_t, lsmd_plugin_exec_t, lttng_sessiond_exec_t, lvm_exec_t, lwiod_exec_t, lwregd_exec_t, lwsmd_exec_t, mail_munin_plugin_exec_t, mail_spool_t, mailman_cgi_exec_t, mailman_mail_exec_t, mailman_queue_exec_t, man2html_script_exec_t, mandb_exec_t, mcelog_exec_t, mcelog_initrc_exec_t, mdadm_exec_t, mdadm_initrc_exec_t, mediawiki_script_exec_t, memcached_exec_t, memcached_initrc_exec_t, mencoder_exec_t, minidlna_exec_t, minidlna_initrc_exec_t, minissdpd_exec_t, minissdpd_initrc_exec_t, mip6d_exec_t, mirrormanager_exec_t, mnt_t, mock_build_exec_t, mock_exec_t, mock_tmp_t, mock_var_lib_t, modemmanager_exec_t, mojomojo_script_exec_t, mon_procd_exec_t, mon_statd_exec_t, mon_statd_initrc_exec_t, mongod_exec_t, mongod_initrc_exec_t, motion_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mpd_exec_t, mpd_initrc_exec_t, mplayer_exec_t, mqueue_spool_t, mrtg_exec_t, mrtg_initrc_exec_t, mscan_exec_t, mscan_initrc_exec_t, mtrr_device_t, munin_exec_t, munin_initrc_exec_t, munin_script_exec_t, mysqld_exec_t, mysqld_initrc_exec_t, mysqld_safe_exec_t, mysqlmanagerd_exec_t, mysqlmanagerd_initrc_exec_t, mythtv_script_exec_t, naemon_exec_t, naemon_initrc_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_eventhandler_plugin_exec_t, nagios_exec_t, nagios_initrc_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_script_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_conf_t, named_exec_t, named_initrc_exec_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, netlabel_mgmt_exec_t, netlogond_exec_t, netutils_exec_t, neutron_exec_t, neutron_initrc_exec_t, newrole_exec_t, news_spool_t, nfs_t, nfsd_exec_t, nfsd_fs_t, nfsd_initrc_exec_t, ninfod_exec_t, nis_initrc_exec_t, nmbd_exec_t, nova_exec_t, nrpe_exec_t, nscd_exec_t, nscd_initrc_exec_t, nsd_exec_t, nslcd_exec_t, nslcd_initrc_exec_t, ntop_exec_t, ntop_initrc_exec_t, ntpd_exec_t, ntpd_initrc_exec_t, ntpdate_exec_t, numad_exec_t, nut_upsd_exec_t, nut_upsdrvctl_exec_t, nut_upsmon_exec_t, nutups_cgi_script_exec_t, nx_server_exec_t, obex_exec_t, oddjob_exec_t, oddjob_mkhomedir_exec_t, onload_fs_t, opafm_exec_t, openct_exec_t, openct_initrc_exec_t, opendnssec_exec_t, openfortivpn_exec_t, openhpid_exec_t, openhpid_initrc_exec_t, openshift_app_tmp_t, openshift_cgroup_read_exec_t, openshift_cron_exec_t, openshift_initrc_exec_t, openshift_net_read_exec_t, openshift_script_exec_t, openshift_tmp_t, openshift_var_lib_t, opensm_exec_t, openvpn_exec_t, openvpn_initrc_exec_t, openvpn_unconfined_script_exec_t, openvswitch_exec_t, openwsman_exec_t, oracleasm_exec_t, oracleasm_initrc_exec_t, oracleasmfs_t, osad_exec_t, osad_initrc_exec_t, osbuild_exec_t, pads_exec_t, pads_initrc_exec_t, pam_console_exec_t, pam_timestamp_exec_t, passenger_exec_t, passwd_exec_t, pcp_plugin_exec_t, pcp_plugin_initrc_exec_t, pcp_pmcd_exec_t, pcp_pmcd_initrc_exec_t, pcp_pmie_exec_t, pcp_pmie_initrc_exec_t, pcp_pmlogger_exec_t, pcp_pmlogger_initrc_exec_t, pcp_pmproxy_exec_t, pcp_pmproxy_initrc_exec_t, pcscd_exec_t, pcscd_initrc_exec_t, pdns_control_exec_t, pdns_exec_t, pegasus_exec_t, pegasus_openlmi_account_exec_t, pegasus_openlmi_admin_exec_t, pegasus_openlmi_logicalfile_exec_t, pegasus_openlmi_services_exec_t, pegasus_openlmi_storage_exec_t, pegasus_openlmi_system_exec_t, pegasus_openlmi_unconfined_exec_t, pesign_exec_t, phc2sys_exec_t, pinentry_exec_t, ping_exec_t, pingd_exec_t, pingd_initrc_exec_t, piranha_fos_exec_t, piranha_lvs_exec_t, piranha_pulse_exec_t, piranha_pulse_initrc_exec_t, piranha_web_exec_t, pkcs11proxyd_exec_t, pkcs_slotd_exec_t, pkcs_slotd_initrc_exec_t, pki_ra_exec_t, pki_ra_script_exec_t, pki_tomcat_exec_t, pki_tps_exec_t, pki_tps_script_exec_t, plymouth_exec_t, plymouthd_exec_t, podsleuth_exec_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, polipo_exec_t, polipo_initrc_exec_t, portmap_exec_t, portmap_helper_exec_t, portmap_initrc_exec_t, portreserve_exec_t, portreserve_initrc_exec_t, postfix_bounce_exec_t, postfix_cleanup_exec_t, postfix_exec_t, postfix_initrc_exec_t, postfix_local_exec_t, postfix_map_exec_t, postfix_master_exec_t, postfix_pickup_exec_t, postfix_pipe_exec_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_exec_t, postfix_showq_exec_t, postfix_smtp_exec_t, postfix_smtpd_exec_t, postfix_virtual_exec_t, postgresql_exec_t, postgresql_initrc_exec_t, postgrey_exec_t, postgrey_initrc_exec_t, pppd_exec_t, pppd_initrc_exec_t, pptp_exec_t, prelink_cron_system_exec_t, prelink_exec_t, prelude_audisp_exec_t, prelude_correlator_exec_t, prelude_exec_t, prelude_initrc_exec_t, prelude_lml_exec_t, preupgrade_exec_t, prewikka_script_exec_t, privoxy_exec_t, privoxy_initrc_exec_t, proc_t, proc_xen_t, procmail_exec_t, prosody_exec_t, psad_exec_t, psad_initrc_exec_t, pstore_t, ptal_exec_t, ptchown_exec_t, ptp4l_exec_t, public_content_rw_t, public_content_t, publicfile_exec_t, pulseaudio_exec_t, puppetagent_exec_t, puppetagent_initrc_exec_t, puppetca_exec_t, puppetmaster_exec_t, puppetmaster_initrc_exec_t, pwauth_exec_t, pyicqt_exec_t, qdiskd_exec_t, qemu_dm_exec_t, qemu_exec_t, qmail_clean_exec_t, qmail_inject_exec_t, qmail_local_exec_t, qmail_lspawn_exec_t, qmail_queue_exec_t, qmail_remote_exec_t, qmail_rspawn_exec_t, qmail_send_exec_t, qmail_smtpd_exec_t, qmail_splogger_exec_t, qmail_start_exec_t, qmail_tcp_env_exec_t, qpidd_exec_t, qpidd_initrc_exec_t, quota_exec_t, quota_nld_exec_t, rabbitmq_exec_t, rabbitmq_initrc_exec_t, racoon_exec_t, radiusd_exec_t, radiusd_initrc_exec_t, radvd_exec_t, radvd_initrc_exec_t, ramfs_t, random_seed_t, rasdaemon_exec_t, rdisc_exec_t, readahead_exec_t, realmd_exec_t, redis_exec_t, redis_initrc_exec_t, regex_milter_exec_t, removable_t, restorecond_exec_t, rhev_agentd_exec_t, rhgb_exec_t, rhnsd_exec_t, rhnsd_initrc_exec_t, rhsmcertd_exec_t, rhsmcertd_initrc_exec_t, ricci_exec_t, ricci_initrc_exec_t, ricci_modcluster_exec_t, ricci_modclusterd_exec_t, ricci_modlog_exec_t, ricci_modrpm_exec_t, ricci_modservice_exec_t, ricci_modstorage_exec_t, rkt_exec_t, rlogind_exec_t, rngd_exec_t, rngd_initrc_exec_t, rolekit_exec_t, root_t, roundup_exec_t, roundup_initrc_exec_t, rpc_pipefs_t, rpcbind_exec_t, rpcbind_initrc_exec_t, rpcd_exec_t, rpcd_initrc_exec_t, rpm_exec_t, rpm_script_exec_t, rpmdb_exec_t, rrdcached_exec_t, rshd_exec_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rtas_errd_exec_t, rtkit_daemon_exec_t, rtkit_daemon_initrc_exec_t, run_init_exec_t, rwho_exec_t, rwho_initrc_exec_t, samba_initrc_exec_t, samba_net_exec_t, samba_unconfined_script_exec_t, sambagui_exec_t, sandbox_exec_t, sanlk_resetd_exec_t, sanlock_exec_t, sanlock_initrc_exec_t, saslauthd_exec_t, saslauthd_initrc_exec_t, sbd_exec_t, sblim_gatherd_exec_t, sblim_initrc_exec_t, sblim_reposd_exec_t, sblim_sfcbd_exec_t, screen_exec_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, semanage_exec_t, sendmail_exec_t, sendmail_initrc_exec_t, sensord_exec_t, sensord_initrc_exec_t, services_munin_plugin_exec_t, setfiles_exec_t, setkey_exec_t, setrans_exec_t, setrans_initrc_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_execd_exec_t, sge_job_exec_t, sge_shepherd_exec_t, shell_exec_t, shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t, showmount_exec_t, slapd_exec_t, slapd_initrc_exec_t, slpd_exec_t, slpd_initrc_exec_t, smbcontrol_exec_t, smbd_exec_t, smbmount_exec_t, smokeping_cgi_script_exec_t, smokeping_exec_t, smokeping_initrc_exec_t, smoltclient_exec_t, smsd_exec_t, smsd_initrc_exec_t, snapperd_exec_t, snmpd_exec_t, snmpd_initrc_exec_t, snort_exec_t, snort_initrc_exec_t, sosreport_exec_t, soundd_exec_t, soundd_initrc_exec_t, spamass_milter_exec_t, spamc_exec_t, spamd_exec_t, spamd_initrc_exec_t, spamd_update_exec_t, speech_dispatcher_exec_t, spufs_t, squid_cron_exec_t, squid_exec_t, squid_initrc_exec_t, squid_script_exec_t, src_t, srvsvcd_exec_t, ssh_agent_exec_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keysign_exec_t, sshd_exec_t, sshd_initrc_exec_t, sshd_keygen_exec_t, sslh_exec_t, sslh_initrc_exec_t, sssd_exec_t, sssd_initrc_exec_t, sssd_selinux_manager_exec_t, stapserver_exec_t, stratisd_exec_t, stunnel_exec_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svnserve_exec_t, svnserve_initrc_exec_t, swat_exec_t, swift_exec_t, swtpm_exec_t, sysctl_fs_t, sysctl_t, sysfs_t, syslogd_exec_t, syslogd_initrc_exec_t, sysstat_exec_t, sysstat_initrc_exec_t, system_munin_plugin_exec_t, systemd_bootchart_exec_t, systemd_coredump_exec_t, systemd_gpt_generator_exec_t, systemd_hostnamed_exec_t, systemd_hwdb_exec_t, systemd_importd_exec_t, systemd_initctl_exec_t, systemd_journal_upload_exec_t, systemd_localed_exec_t, systemd_logger_exec_t, systemd_logind_exec_t, systemd_machined_exec_t, systemd_modules_load_exec_t, systemd_networkd_exec_t, systemd_networkd_var_run_t, systemd_notify_exec_t, systemd_passwd_agent_exec_t, systemd_resolved_exec_t, systemd_resolved_var_run_t, systemd_rfkill_exec_t, systemd_sleep_exec_t, systemd_sysctl_exec_t, systemd_systemctl_exec_t, systemd_timedated_exec_t, systemd_tmpfiles_exec_t, systemd_userdbd_exec_t, sysv_t, tangd_exec_t, targetd_exec_t, tcpd_exec_t, tcsd_exec_t, tcsd_initrc_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, telnetd_exec_t, tftpd_exec_t, tgtd_exec_t, tgtd_initrc_exec_t, thin_aeolus_configserver_exec_t, thin_exec_t, thumb_exec_t, timedatex_exec_t, timemaster_exec_t, tlp_exec_t, tmp_t, tmpfs_t, tmpreaper_exec_t, tomcat_exec_t, tor_exec_t, tor_initrc_exec_t, tor_var_lib_t, tor_var_log_t, tor_var_run_t, tracefs_t, traceroute_exec_t, tuned_exec_t, tuned_initrc_exec_t, tvtime_exec_t, udev_exec_t, udev_helper_exec_t, ulogd_exec_t, ulogd_initrc_exec_t, uml_exec_t, uml_switch_exec_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, updfstab_exec_t, updpwd_exec_t, usbfs_t, usbmodules_exec_t, usbmuxd_exec_t, user_home_dir_t, user_home_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_exec_t, uucpd_initrc_exec_t, uuidd_exec_t, uuidd_initrc_exec_t, uux_exec_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_t, varnishd_exec_t, varnishd_initrc_exec_t, varnishlog_exec_t, varnishlog_initrc_exec_t, vdagent_exec_t, vdagentd_initrc_exec_t, vhostmd_exec_t, vhostmd_initrc_exec_t, virsh_exec_t, virt_bridgehelper_exec_t, virt_image_t, virt_qemu_ga_exec_t, virt_qemu_ga_unconfined_exec_t, virt_var_lib_t, virtd_exec_t, virtd_initrc_exec_t, virtd_lxc_exec_t, virtiofs_t, virtlogd_exec_t, virtlogd_initrc_exec_t, vlock_exec_t, vmblock_t, vmtools_exec_t, vmtools_helper_exec_t, vmtools_unconfined_exec_t, vmware_exec_t, vmware_host_exec_t, vnc_session_exec_t, vnstat_exec_t, vnstatd_exec_t, vnstatd_initrc_exec_t, vnstatd_var_lib_t, vpnc_exec_t, w3c_validator_script_exec_t, watchdog_exec_t, watchdog_initrc_exec_t, watchdog_unconfined_exec_t, wdmd_exec_t, wdmd_initrc_exec_t, webalizer_exec_t, webalizer_script_exec_t, winbind_exec_t, winbind_helper_exec_t, wine_exec_t, wireshark_exec_t, wpa_cli_exec_t, xauth_exec_t, xdm_exec_t, xdm_unconfined_exec_t, xenconsoled_exec_t, xend_exec_t, xend_var_lib_t, xend_var_run_t, xenfs_t, xenstored_exec_t, xenstored_var_lib_t, xserver_exec_t, xsession_exec_t, ypbind_exec_t, ypbind_initrc_exec_t, yppasswdd_exec_t, ypserv_exec_t, ypxfr_exec_t, zabbix_agent_exec_t, zabbix_agent_initrc_exec_t, zabbix_exec_t, zabbix_initrc_exec_t, zabbix_script_exec_t, zarafa_deliver_exec_t, zarafa_gateway_exec_t, zarafa_ical_exec_t, zarafa_indexer_exec_t, zarafa_monitor_exec_t, zarafa_server_exec_t, zarafa_spooler_exec_t, zebra_exec_t, zebra_initrc_exec_t, zoneminder_exec_t, zoneminder_initrc_exec_t, zoneminder_script_exec_t, zos_remote_exec_t.
Then execute:
restorecon -v '/bin/busybox'
***** Plugin catchall (1.18 confidence) suggests **************************
If you believe that runc:[2:INIT] should be allowed entrypoint access on the busybox file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
# semodule -X 300 -i my-runc2INIT.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c363,c621
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /bin/busybox [ file ]
Source runc:[2:INIT]
Source Path runc:[2:INIT]
Port <Unknown>
Host iwana-pc00.coop.no
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.20-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.20-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name iwana-pc00.coop.no
Platform Linux iwana-pc00.coop.no 5.13.14-200.fc34.x86_64
#1 SMP Fri Sep 3 15:33:01 UTC 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-09-27 16:01:30 CEST
Last Seen 2021-09-27 16:01:30 CEST
Local ID 440df748-3a56-495b-b17d-037cc6fabc88
Raw Audit Messages
type=AVC msg=audit(1632751290.997:1472733): avc: denied { entrypoint } for pid=2169035 comm="runc:[2:INIT]" path="/bin/busybox" dev="dm-0" ino=264 scontext=system_u:system_r:container_t:s0:c363,c621 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Hash: runc:[2:INIT],container_t,unlabeled_t,file,entrypoint
Maybe the following will be helpful - I had a similar error when running buildkit 0.9.3 on RHEL 7/8. Fixed it by recompiling buildkit, explicitly adding selinux tag. (However, in my case I ran buildkit directly, without docker)
@drdivano
Fixed it by recompiling buildkit, explicitly adding selinux tag.
Could you explain exactly what you did?
If you look into Dockerfile, there's a line like this: ARG BUILDKITD_TAGS
You can pass the tag via the build argument BUILDKITD_TAGS="selinux" (or add tag "selinux" directly to go build --tags options in Dockerfile)
Same problem here with v0.10.1 and Fedora 37
I asked the buildkit slack channel for advice and was told that my issue
is probably related to this issue.
I don't really have a machine readily available to test on.
I believe we can call label.Relabel
after generating the spec using the mount label on the spec.
In #1966 support was added for obtaining the process and mount labels on an SELinux-enabled system.
This works correctly for labeling the process, and for labeling most mounts. However, the new
generateSecurityOpts()
function is called fromoci.GenerateSpec
, which only happens after mounting the rootfs.As a result, the root filesystem is not mounted with the expected mount label, and may not be writable by the container process, which ends up with a restricted label.
We first observed this in https://github.com/bottlerocket-os/bottlerocket/issues/1187 but one of our developers saw a similar problem with a new Fedora install.