This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

rkt has some problems with SELinux in Enforcing mode #4018

Open
matfechner opened this issue Sep 13, 2019 · 0 comments

@matfechner

Environment


rkt Version: 1.30.0
appc Version: 0.8.11
Go Version: go1.12.5
Go OS/Arch: linux/amd64
Features: -TPM +SDJOURNAL

Linux 4.19.68-coreos x86_64

NAME="Container Linux by CoreOS"
ID=coreos
VERSION=2191.5.0
VERSION_ID=2191.5.0
BUILD_ID=2019-09-04-0357
PRETTY_NAME="Container Linux by CoreOS 2191.5.0 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

systemd 241 (241-30-gf0da8f7+)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS -ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy

What did you do?

sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

rkt run --interactive docker://debian --insecure-options=image
result
bash-4.3#

sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

rkt run --interactive docker://debian --insecure-options=image
root@rkt-6b7c67a2-b20b-4b92-a182-81db09b85287:/#

What did you expect to see?

rkt will work with SELinux in Enforcing mode.

What did you see instead?

rkt is not working at the moment with SELinux in Enforcing mode.

**Note**

I've played the same scenario on Debian Buster with SELinux in Enforcing mode;
there is the same behavior and the same result.
There are no avc: denied entries in the logs.
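The report shows the container starting only after the host's runtime mode was switched from enforcing to permissive, with nothing in the audit log either way. As an added example (not the reporter's or the rkt project's code), the POSIX shell script below parses `sestatus` output to tell the runtime mode from the configured mode, and counts AVC denials in audit or journal lines, so the two facts in the report can be checked mechanically on any host. The `sestatus` texts and audit lines embedded in it are constructed samples. One caveat worth knowing when a denial leaves no trace: rules marked `dontaudit` in the loaded policy suppress the log entry; `semodule -DB` rebuilds the policy with those rules disabled (and `semodule -B` restores them), which is the usual next step before concluding that SELinux is not the cause.

```shell
#!/bin/sh
# Added example: parse sestatus output and count AVC denials.
# Not part of the rkt issue or project; all sample text is constructed.

# Constructed sample: sestatus output with runtime and config mode in agreement.
SESTATUS_HOST='SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
Loaded policy name: mcs
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled'

# Constructed sample: runtime mode changed (e.g. by setenforce 0) after boot.
SESTATUS_PERMISSIVE='SELinux status: enabled
Loaded policy name: mcs
Current mode: permissive
Mode from config file: enforcing'

# Constructed sample audit lines: one AVC denial and one unrelated record.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1568367000.100:455): arch=c000003e syscall=59 success=yes
type=AVC msg=audit(1568367000.123:456): avc:  denied  { write } for  pid=4242 comm="example" name="rootfs" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=dir permissive=0'

# Print the value of one labelled field ("Current mode", ...) from sestatus
# output supplied on stdin. The separator regex tolerates sestatus' column padding.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# Summarise the SELinux mode from sestatus text given as $1. When the runtime
# mode differs from the configured one, say so: that is exactly the situation
# in which "it works now" is a sign that enforcement was switched off, not fixed.
selinux_mode_summary() {
    text="$1"
    cur=$(printf '%s\n' "$text" | sestatus_field "Current mode")
    cfg=$(printf '%s\n' "$text" | sestatus_field "Mode from config file")
    if [ "$cur" = "$cfg" ]; then
        printf '%s\n' "$cur"
    else
        printf '%s (config: %s, changed at runtime)\n' "$cur" "$cfg"
    fi
}

# Count AVC denial records in audit/journal text given as $1. A count of 0 on
# an enforcing host does not prove SELinux is uninvolved: denials covered by
# dontaudit rules are never logged until `semodule -DB` disables those rules.
count_avc_denied() {
    printf '%s\n' "$1" | grep -c 'avc: *denied' || true
}

# Stand-alone demonstration on the constructed samples.
echo "host mode:      $(selinux_mode_summary "$SESTATUS_HOST")"
echo "after change:   $(selinux_mode_summary "$SESTATUS_PERMISSIVE")"
echo "AVC denials:    $(count_avc_denied "$AUDIT_SAMPLE")"
# On a live host, replace the samples with real data, for example:
#   selinux_mode_summary "$(sestatus)"
#   count_avc_denied "$(ausearch -m avc -ts recent 2>/dev/null)"
```

The mode summary is the check to run before and after reproducing a failure: if the container only starts once the summary reads `permissive (config: enforcing, changed at runtime)`, SELinux policy is implicated even when the denial counter stays at zero.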
