Bug 1696679
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Cannot create UNIX sockets in podman (SELinux denial) | | |
| Product: | [Fedora] Fedora | Reporter: | Michal Domonkos <mdomonko> |
| Component: | podman | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 30 | CC: | bbaude, dwalsh, lsm5, mheon |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | podman-1.3.1-1.git7210727.fc30 podman-1.3.1-1.git7210727.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-05-20 01:03:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Michal Domonkos
2019-04-05 12:14:27 UTC

Can you try this with container-selinux-2.94? Should be available in updates.

Yeah, I actually have the latest version already but it doesn't help:

    container-selinux-2:2.94-1.git1e99f1d.fc29.noarch

OK, I'm actually on F29 (although I upgraded podman to the F30 version previously to check if it still occurs with it). So I upgraded container-selinux to the F30 version as well:

    container-selinux-2:2.94-1.git1e99f1d.fc30.noarch

But still no success :(

Oh, looking at the changelog, it seems this was really addressed recently:

    * Thu Mar 28 2019 Dan Walsh <dwalsh> - 2.94-1
    - Allow init_t to manage container content
    - Allow container domains to create fifo_files on fusefs file systems
    - Add boolean to allow containers to use ceph file systems

Isn't there some kind of action needed in order for the policy to apply (when coming from the earlier version of the package)?

Well, let's see what the AVCs are. If you are not seeing any, could you do the following:

    sudo semodule -DB

Now create the failure.

    sudo ausearch -m avc -ts recent
    sudo semodule -B

And attach the AVCs.

    # ausearch -m avc --start recent
    ----
    time->Fri Apr 5 16:42:14 2019
    type=AVC msg=audit(1554475334.573:725): avc: denied { create } for pid=22188 comm="python3" name="somesocket" scontext=system_u:system_r:container_t:s0:c427,c633 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=0

Is that sufficient or do you need more detailed data?

podman-1.3.1-1.git7210727.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe6ef87556

podman-1.3.1-1.git7210727.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a0ddb8df76

podman-1.3.1-1.git7210727.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a0ddb8df76

podman-1.3.1-1.git7210727.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe6ef87556

podman-1.3.1-1.git7210727.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

podman-1.3.1-1.git7210727.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
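An added example, not part of the bug report and not code from podman or container-selinux: a small Python triage script for the `ausearch -m avc` records that the `semodule -DB` / reproduce / `ausearch` / `semodule -B` procedure above collects. It pulls the source domain, target type, object class and permissions out of each record, merges them into audit2allow-style `allow` rules so it is obvious what a local policy module would have to grant (and whether that is a reasonable grant, or a sign the file should be relabelled instead), and flags container_t denials on sock_file of the shape posted in this bug. The `permissive` field is kept because `permissive=1` means the access was logged but not actually blocked. The audit text is constructed for the example: the first record is the one from the bug, the other two are made up.

```python
"""Triage SELinux AVC denial records from `ausearch -m avc` output.

Added example for this bug report; not code from podman, container-selinux
or the SELinux userspace. Input is the raw ausearch text on stdin or the
constructed sample below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: record 1 is the AVC posted in the bug; 2 and 3 are made up.
SAMPLE_AUDIT = """\
time->Fri Apr 5 16:42:14 2019
type=AVC msg=audit(1554475334.573:725): avc:  denied  { create } for  pid=22188 comm="python3" name="somesocket" scontext=system_u:system_r:container_t:s0:c427,c633 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=0
----
time->Fri Apr 5 16:42:15 2019
type=AVC msg=audit(1554475335.100:726): avc:  denied  { write } for  pid=22188 comm="python3" name="somesocket" scontext=system_u:system_r:container_t:s0:c427,c633 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=0
----
time->Fri Apr 5 16:42:16 2019
type=AVC msg=audit(1554475336.200:727): avc:  denied  { read } for  pid=900 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

# One AVC record per line. Whitespace is \s+ because ausearch prints double
# spaces around "denied" while copy/paste often collapses them.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type (third field) of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Parse every AVC line in `text` into a dict; non-AVC lines are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "action": d["action"],
            "perms": frozenset(d["perms"].split()),
            "stype": type_of(d["scontext"]),
            "ttype": type_of(d["tcontext"]),
            "tclass": d["tclass"],
            # permissive=1: logged only, the access actually succeeded
            "permissive": d["permissive"] == "1",
        })
    return records


def allow_rules(records):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for r in records:
        if r["action"] != "denied":
            continue
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def container_sock_denials(records):
    """Denials with the shape from this bug: a container domain on a sock_file."""
    return [
        r for r in records
        if r["stype"].startswith("container_") and r["tclass"] == "sock_file"
    ]


if __name__ == "__main__":
    # Usage: sudo ausearch -m avc -ts recent | python3 avc_triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    recs = parse_avcs(text)
    for r in container_sock_denials(recs):
        print(f"container sock_file denial: {r['stype']} -> {r['ttype']} "
              f"{sorted(r['perms'])} permissive={r['permissive']}")
    print("\n".join(allow_rules(recs)))
```

The generated rules are a reading aid, not something to load blindly: for the record in this bug the rule would be `allow container_t fusefs_t:sock_file { create };`, and whether that belongs in a local module, in a container-selinux update, or is better handled by mounting the socket directory from a properly labelled path is exactly the question the maintainers settle in the thread.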