run-document-server.sh triggers a SELinux AVC when the container starts.

[JMarcosHP]

Currently, the OO container is showing this AVC:

type=AVC msg=audit(1775438739.649:6810): avc: denied { write } for pid=204543 comm="run-document-se" name="fd" dev="proc" ino=969392 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=0

This happens on every container start/restart even if:

    security_opt:
      - label=disabled

is used.

I think this is the problematic line that triggers the avc :
https://github.com/ONLYOFFICE/Docker-DocumentServer/blame/77ce899978efa62388cb79c59d8297bff740fce1/run-document-server.sh#L808

[igwyd]

Hello @JMarcosHP, I don't see these messages when running on my environment. Please provide your OS, arch, docker version, the command you use to run the container, and the log where you saw this message.

[JMarcosHP]

OS: openSUSE Leap 16.0
Arch: x86_64
Docker engine: 28.5.1 ce

The OnlyOffice container is running along with Nextcloud-AIO mastercontainer and the other software like apache, postgresq, etc.
Compose file (renamed extension):
compose.txt

Also, the bug is reported in suse's bugzilla:
https://bugzilla.suse.com/show_bug.cgi?id=1261545

Logs:

type=AVC msg=audit(1775989848.284:28377): avc:  denied  { write } for  pid=1952860 comm="run-document-se" name="fd" dev="proc" ino=32872116 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1775992692.112:28687): avc:  denied  { write } for  pid=1991631 comm="run-document-se" name="fd" dev="proc" ino=33135365 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1776078829.605:30631): avc:  denied  { write } for  pid=2895596 comm="run-document-se" name="fd" dev="proc" ino=37828227 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1776165209.521:32578): avc:  denied  { write } for  pid=3800854 comm="run-document-se" name="fd" dev="proc" ino=42540517 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=0

SELinux is preventing run-document-se from write access on the directory fd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that run-document-se should be allowed write access on the fd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'run-document-se' --raw | audit2allow -M my-rundocumentse
# semodule -X 300 -i my-rundocumentse.pp


Additional Information:
Source Context                system_u:system_r:spc_t:s0
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                fd [ dir ]
Source                        run-document-se
Source Path                   run-document-se
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-20250627+git355.5249ba7d5-
                              160000.1.1.noarch
Local Policy RPM              container-selinux-2.239.0-160000.2.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <Redacted>
Platform                      Linux <Redacted> 6.12.0-160000.27-default #1 SMP
                              PREEMPT_DYNAMIC Thu Mar 12 10:15:03 UTC 2026
                              (b868bbc) x86_64 x86_64
Alert Count                   4
First Seen                    2026-04-12 04:30:48 CST
Last Seen                     2026-04-14 05:13:29 CST
Local ID                      8c90247b-5c20-4a38-8f44-3a7e14d1948f

Raw Audit Messages
type=AVC msg=audit(1776165209.521:32578): avc:  denied  { write } for  pid=3800854 comm="run-document-se" name="fd" dev="proc" ino=42540517 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=dir permissive=0


Hash: run-document-se,spc_t,container_runtime_t,dir,write