
rootfs not labeled with SELinux mount label #2320

Open
bcressey opened this issue Aug 19, 2021 · 9 comments

Comments

@bcressey

In #1966 support was added for obtaining the process and mount labels on an SELinux-enabled system.

This works correctly for labeling the process, and for labeling most mounts. However, the new generateSecurityOpts() function is called from oci.GenerateSpec, which only happens after mounting the rootfs.

As a result, the root filesystem is not mounted with the expected mount label, and may not be writable by the container process, which ends up with a restricted label.

We first observed this in bottlerocket-os/bottlerocket#1187 but one of our developers saw a similar problem with a new Fedora install.

@bcressey
Author

This may be the root cause for #2295 as well - if the overlayfs is not mounted with a context= override, then the SELinux label will be the same as the underlying directory. If that's unlabeled_t then it may not be valid as an entry point into the container_t domain. With the mount label applied, it would be labeled as container_t and the transition would succeed.

I don't have a quick way to validate that hypothesis at the moment. Happy to have this resolved as a duplicate if it turns out to be the same problem.
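The ordering problem described above (the mount label is computed only after the rootfs is already mounted) shows up on the host as an overlay mount with no `context=` superblock option, so the files inherit whatever label the backing directory has. As an added example, not code from buildkit or from this issue, here is a Go check that parses `/proc/self/mountinfo`-style lines and verifies that the rootfs carries the expected mount label; the helper that appends `context=` mirrors what `label.FormatMountLabel` in opencontainers/selinux does and is reimplemented here as an assumption, and every sample line, path and mount ID is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// formatMountLabel appends the SELinux mount label as a context= option,
// which is how a runtime asks the kernel to label every file of the mount.
// Reimplementation of label.FormatMountLabel (opencontainers/selinux) so the
// example has no external dependency; assumption, not buildkit's own code.
func formatMountLabel(opts, mountLabel string) string {
	if mountLabel == "" {
		return opts
	}
	return opts + "," + fmt.Sprintf("context=%q", mountLabel)
}

// splitOpts splits mount options on commas that are not inside double
// quotes. The context value itself contains commas (the MCS categories
// "c123,c456"), so a plain strings.Split would tear it apart.
func splitOpts(s string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == ',' && !inQuote:
			out = append(out, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		out = append(out, cur.String())
	}
	return out
}

// mountContext returns the context= superblock option of one
// /proc/self/mountinfo line, or "" when the mount has none. The superblock
// options are the third field after the " - " separator.
func mountContext(line string) (string, error) {
	_, tail, ok := strings.Cut(line, " - ")
	if !ok {
		return "", errors.New("malformed mountinfo line: no ' - ' separator")
	}
	fields := strings.Fields(tail)
	if len(fields) < 3 {
		return "", errors.New("malformed mountinfo line: no superblock options")
	}
	for _, opt := range splitOpts(fields[2]) {
		if strings.HasPrefix(opt, "context=") {
			return strings.Trim(strings.TrimPrefix(opt, "context="), `"`), nil
		}
	}
	return "", nil
}

// checkRootfsLabel reports the failure mode from the issue: a rootfs that
// was mounted before the mount label was computed has no context= option
// and inherits whatever label the backing directory carries on disk.
func checkRootfsLabel(line, want string) error {
	got, err := mountContext(line)
	if err != nil {
		return err
	}
	if got == "" {
		return errors.New("rootfs mounted without context=; label inherited from backing directory")
	}
	if got != want {
		return fmt.Errorf("rootfs context %q, want %q", got, want)
	}
	return nil
}

const (
	// Constructed sample: label applied at mount time, what the fix should produce.
	labeledRootfs = `552 541 0:48 / /run/buildkit/rootfs rw,relatime - overlay overlay rw,context="system_u:object_r:container_file_t:s0:c123,c456",lowerdir=/var/lib/buildkit/l1:/var/lib/buildkit/l2,upperdir=/var/lib/buildkit/up,workdir=/var/lib/buildkit/work`
	// Constructed sample: rootfs mounted before the label was known, no context= at all.
	unlabeledRootfs = `553 541 0:49 / /run/buildkit/rootfs rw,relatime - overlay overlay rw,lowerdir=/var/lib/buildkit/l1:/var/lib/buildkit/l2,upperdir=/var/lib/buildkit/up,workdir=/var/lib/buildkit/work`
)

func main() {
	want := "system_u:object_r:container_file_t:s0:c123,c456"
	fmt.Println(formatMountLabel("rw,lowerdir=/l,upperdir=/u,workdir=/w", want))
	for _, line := range []string{labeledRootfs, unlabeledRootfs} {
		fmt.Println(line[:3], checkRootfsLabel(line, want))
	}
}
```

On a real host, feeding the rootfs line from `/proc/self/mountinfo` of a running build into checkRootfsLabel distinguishes the two cases without needing to inspect the container from inside.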

@tonistiigi
Member

@cpuguy83

@aucampia

I'm getting this error on Fedora 34, using Docker version 20.10.8, build 3967b7d

$ cat Dockerfile 
FROM docker.io/alpine:3

RUN cat /etc/os-release
$ DOCKER_BUILDKIT=1 docker build - < Dockerfile 
[+] Building 0.6s (5/5) FINISHED                                                                                                                                             
 => [internal] load build definition from Dockerfile                                                                                                                    0.1s
 => => transferring dockerfile: 159B                                                                                                                                    0.0s
 => [internal] load .dockerignore                                                                                                                                       0.1s
 => => transferring context: 2B                                                                                                                                         0.0s
 => [internal] load metadata for docker.io/library/alpine:3                                                                                                             0.0s
 => CACHED [1/2] FROM docker.io/library/alpine:3                                                                                                                        0.0s
 => ERROR [2/2] RUN cat /etc/os-release                                                                                                                                 0.3s
------                                                                                                                                                                       
 > [2/2] RUN cat /etc/os-release:
#4 0.297 standard_init_linux.go:228: exec user process caused: permission denied
------
executor failed running [/bin/sh -c cat /etc/os-release]: exit code: 1

The following SELinux error comes up when this happens:

Sep 27 16:01:38 iwana-pc00.coop.no setroubleshoot[2169086]: SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox. For complete SELinux messages run: sealert -l 440df748-3a56-495b-b17d-037cc6fabc88
Sep 27 16:01:38 iwana-pc00.coop.no setroubleshoot[2169086]: SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox.
                                                            
                                                            *****  Plugin restorecon (54.2 confidence) suggests   ************************
                                                            
                                                            If you want to fix the label. 
                                                            /bin/busybox default label should be bin_t.
                                                            Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                                            Do
                                                            # /sbin/restorecon -v /bin/busybox
                                                            
                                                            *****  Plugin file (16.6 confidence) suggests   ******************************
                                                            
                                                            This is caused by a newly created file system.
                                                            Then you need to add labels to it.
                                                            Do
                                                            /sbin/restorecon -R -v /bin/busybox
                                                            
                                                            *****  Plugin file (16.6 confidence) suggests   ******************************
                                                            
                                                            If you think this is caused by a badly mislabeled machine.
                                                            Then you need to fully relabel.
                                                            Do
                                                            touch /.autorelabel; reboot
                                                            
                                                            *****  Plugin catchall_labels (3.18 confidence) suggests   *******************
                                                            
                                                            If you want to allow runc:[2:INIT] to have entrypoint access on the busybox file
                                                            Then you need to change the label on /bin/busybox
                                                            Do
                                                            # semanage fcontext -a -t FILE_TYPE '/bin/busybox'
                                                            where FILE_TYPE is one of the following:
                                                            Then execute:
                                                            restorecon -v '/bin/busybox'
                                                            
                                                            
                                                            *****  Plugin catchall (1.03 confidence) suggests   **************************
                                                            
                                                            If you believe that runc:[2:INIT] should be allowed entrypoint access on the busybox file by default.
                                                            Then you should report this as a bug.
                                                            You can generate a local policy module to allow this access.
                                                            Do
                                                            allow this access for now by executing:
                                                            # ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
                                                            # semodule -X 300 -i my-runc2INIT.pp
                                                            

sealert output:

# sealert -l 440df748-3a56-495b-b17d-037cc6fabc88
SELinux is preventing runc:[2:INIT] from entrypoint access on the file /bin/busybox.

*****  Plugin restorecon (68.9 confidence) suggests   ************************

If you want to fix the label. 
/bin/busybox default label should be bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /bin/busybox

*****  Plugin file (21.0 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (21.0 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (3.92 confidence) suggests   *******************

If you want to allow runc:[2:INIT] to have entrypoint access on the busybox file
Then you need to change the label on /bin/busybox
Do
# semanage fcontext -a -t FILE_TYPE '/bin/busybox'
where FILE_TYPE is one of the following:
Then execute:
restorecon -v '/bin/busybox'


*****  Plugin catchall (1.18 confidence) suggests   **************************

If you believe that runc:[2:INIT] should be allowed entrypoint access on the busybox file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'runc:[2:INIT]' --raw | audit2allow -M my-runc2INIT
# semodule -X 300 -i my-runc2INIT.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c363,c621
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /bin/busybox [ file ]
Source                        runc:[2:INIT]
Source Path                   runc:[2:INIT]
Port                          <Unknown>
Host                          iwana-pc00.coop.no
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.20-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.20-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     iwana-pc00.coop.no
Platform                      Linux iwana-pc00.coop.no 5.13.14-200.fc34.x86_64
                              #1 SMP Fri Sep 3 15:33:01 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-09-27 16:01:30 CEST
Last Seen                     2021-09-27 16:01:30 CEST
Local ID                      440df748-3a56-495b-b17d-037cc6fabc88

Raw Audit Messages
type=AVC msg=audit(1632751290.997:1472733): avc:  denied  { entrypoint } for  pid=2169035 comm="runc:[2:INIT]" path="/bin/busybox" dev="dm-0" ino=264 scontext=system_u:system_r:container_t:s0:c363,c621 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Hash: runc:[2:INIT],container_t,unlabeled_t,file,entrypoint
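As an added example (not code from this issue or from BuildKit), a small Python checker that parses raw AVC records like the one above, flags the container_t-on-unlabeled_t file denial this issue describes, and derives the mount label the rootfs should have carried. The sample lines are constructed, and the container_t/container_file_t pairing is assumed from the container-selinux convention.

```python
"""Detect the 'container process denied on an unlabeled rootfs' AVC
pattern and derive the mount label the rootfs should have carried."""
import re
from dataclasses import dataclass

# Constructed sample: the raw AVC line from the report above, plus an
# unrelated denial that must not match.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1632751290.997:1472733): avc:  denied  { entrypoint } for  '
    'pid=2169035 comm="runc:[2:INIT]" path="/bin/busybox" dev="dm-0" ino=264 '
    'scontext=system_u:system_r:container_t:s0:c363,c621 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1632751300.000:1472800): avc:  denied  { name_bind } for  '
    'pid=4242 comm="nginx" src=8080 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
]

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Avc:
    result: str     # "denied" or "granted"
    perms: list     # permissions inside the braces, e.g. ["entrypoint"]
    fields: dict    # key=value pairs after "for"


def parse_avc(line):
    """Parse one raw audit line; return None if it is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return Avc(m.group('result'), m.group('perms').split(), fields)


def context_type(ctx):
    """Type component of a user:role:type[:level] context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''


def expected_mount_label(scontext):
    """File label a container rootfs should carry for a given process label.
    Assumption: container-selinux pairs container_t with container_file_t,
    keeping the same MCS categories."""
    parts = scontext.split(':', 3)
    if len(parts) < 3 or parts[2] != 'container_t':
        return None
    level = parts[3] if len(parts) == 4 else 's0'
    return f'{parts[0]}:object_r:container_file_t:{level}'


def is_unlabeled_rootfs_denial(avc):
    """True for a container_t process denied access to an unlabeled_t fs object."""
    return (avc.result == 'denied'
            and avc.fields.get('tclass') in ('file', 'dir', 'lnk_file')
            and context_type(avc.fields.get('scontext', '')) == 'container_t'
            and context_type(avc.fields.get('tcontext', '')) == 'unlabeled_t')


def diagnose(line):
    """Return a finding dict for the pattern this issue describes, else None."""
    avc = parse_avc(line)
    if avc is None or not is_unlabeled_rootfs_denial(avc):
        return None
    return {
        'pid': avc.fields.get('pid'),
        'path': avc.fields.get('path'),
        'perms': avc.perms,
        'expected_label': expected_mount_label(avc.fields['scontext']),
    }


if __name__ == '__main__':
    for sample in SAMPLE_AVC_LINES:
        print(diagnose(sample))
```

Feeding `ausearch -m AVC --raw` output through `diagnose` line by line reports only denials matching this signature, together with the context= value the overlay mount should have used.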

@drdivano

drdivano commented Jan 8, 2022

Maybe the following will be helpful - I had a similar error when running buildkit 0.9.3 on RHEL 7/8. Fixed it by recompiling buildkit, explicitly adding selinux tag. (However, in my case I ran buildkit directly, without docker)

@runephilosof-karnovgroup

@drdivano

Fixed it by recompiling buildkit, explicitly adding selinux tag.

Could you explain exactly what you did?

@drdivano

If you look into Dockerfile, there's a line like this:
ARG BUILDKITD_TAGS

You can pass the tag via the build argument BUILDKITD_TAGS="selinux" (or add the tag "selinux" directly to the go build --tags options in the Dockerfile)

@iblancasa

iblancasa commented Jan 27, 2023

Same problem here with v0.10.1 and Fedora 37

@eriksjolund
Contributor

I asked the buildkit slack channel for advice and was told that my issue is probably related to this issue.

@cpuguy83
Member

I don't really have a machine readily available to test on.
I believe we can call label.Relabel after generating the spec using the mount label on the spec.

yann-soubeyrand added a commit to yann-soubeyrand/argo-cd that referenced this issue Apr 7, 2023
It seems impossible to use BuildKit at the time on a system with
SELinux: moby/buildkit#2320. In the meantime,
one can use Podman on these systems.

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>