'su' in a Docker container -> AVC

[Laurent Rineau]

I have a container whose entrypoint uses 'su' to drop its privileges. The run of the container triggers an AVC, but the container seems to run normally.

That is on a server, and the SELinux Troubleshooter sends me emails (see the attachment).

Two questions:

 1/ Is there a way to report bugs to Bugzilla using the command line sealert tool (or another command line tool), like what we can do using the GUI?

 2/ What should I do to fix that issue, if that is one?


I copy-paste here the AVC (the attached email have more information):

type=AVC msg=audit(1434542552.136:6332403): avc:  denied  { search } for  pid=11266 comm="su" scontext=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key

type=SYSCALL msg=audit(1434542552.136:6332403): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=fffffffd a2=0 a3=7f7c50a132f0 items=0 ppid=11065 pid=11266 auid=4294967295 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=su exe=/usr/bin/su subj=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 key=(null)

-- 
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
-------------- next part --------------
An embedded message was scrubbed...
From: SELinux_Troubleshoot at cgal.geometryfactory.com
Subject: [SELinux AVC Alert] SELinux is preventing /usr/bin/su from search access on the key Unknown.
Date: Wed, 17 Jun 2015 12:02:33 +0000
Size: 3766
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20150617/c0c6e640/attachment.mht>