audit2allow likely generates a rule to allow execheap for container_t type process. You can always first generate the module and inspect it, before you load it.
A possible problem is, that now any process with container_t type is now allowed the same operation. To avoid this, you possibly need to create your own custom type (using container_t as template) and only allow execheap for this special type.
This blog post by Dan Walsh explains how to write such custom policy. You can also combine this with audit2allow to generate the actual rules. The essential steps are:
Create a basic container policy, for example container_execheap:
policy_module(container_execheap, 1.0)
virt_sandbox_domain_template(container_execheap_t)
virt_sandbox_domain_template macro creates the new type container_execheap_t and creates necessary rules for docker operation that the new type can be used as container domain.
Compile and load the policy module (necessary development files, including the makefile, should be provided by selinux-policy-devel package):
make -f /usr/selinux/devel/Makefile container_execheap.pp
semodule -i container_execheap.pp
The new type can be configured to be a permissive domain:
semanage permissive -a container_execheap_t
For permissive domains, AVC denials are logged but rules are not enforced. This way it is easy to generate the missing rules later using audit2allow.
Run your container in this new context, something like docker run ... --security-opt label:type:container_execheap_t ...
Generate expected errors. Then run audit2allow to generate rules allowing those operations for container_execheap_t. You can update the same module .te file (remember to bump up version number) with the new rules. Compile and install the updated module.
When no more errors generated, put the custom container type back into enforcing mode semanage -d container_execheap.
