Bug 1765818

| Field | Value |
|---|---|
| Summary | Cannot longer install podman: error: Plugin selinux: hook fsm_file_prepare failed |
| Product | Fedora |
| Component | podman |
| Version | 31 |
| Status | CLOSED ERRATA |
| Reporter | Miro Hrončok <mhroncok> |
| Assignee | Lokesh Mandvekar <lsm5> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | bbaude, dwalsh, jnovy, lsm5, lvrabec, mheon, santiago, tom.killian |
| Severity | unspecified |
| Priority | unspecified |
| Keywords | Reopened |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Fixed In Version | podman-1.7.0-3.fc30 podman-1.7.0-2.fc31 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2020-01-10 01:13:40 UTC |
| Bug Blocks | 1700323 |
Description
Miro Hrončok 2019-10-26 10:43:59 UTC

type=AVC msg=audit(1572086705.196:5948): avc: denied { mac_admin } for pid=3665 comm="dnf" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0

Hash: dnf,unconfined_t,unconfined_t,capability2,mac_admin

selinux-policy-3.14.3-46.fc30

On Fedora 31 I can no longer reproduce this.

Miro, did you remove container-selinux or something? mac_admin means that dnf/rpm was attempting to put down a label that the kernel did not understand. The podman executable is labeled based on the container-selinux package, which should be installed before podman. I would do

    dnf reinstall container-selinux
    dnf reinstall podman

and see if this cleans up the issue.

No, I was just running plain dnf upgrade. If there are some logs I can share, I will.

BTW this was not a regression in the new build; `dnf install 'podman < 2:1.6.2-2'` failed in the same way with podman-2:1.2.0-2.git3bd528e.fc30.

Could you try the commands I listed above to see if the issue goes away?

Sorry, I cannot. I solved the problem by upgrading to Fedora 31. Feel free to close this, or I can provide more data from the logs if there is something useful.

I ran into this error upgrading containers-common on an FC30 system. Per this bugzilla, I installed container-selinux (it was not previously installed) and the problem went away. Perhaps there is (or was) a missing dependency for container-selinux.

podman has container-selinux only as a soft dependency. I will turn it into a hard dep to be sure container-selinux is always installed prior to podman.

Maybe it can be conditionalized on selinux-policy?

    Requires: (container-selinux if selinux-policy)

OTOH I'm not sure if you can ever install podman without selinux-policy.

    # rpm -q --requires container-selinux | grep selinux-policy
    selinux-policy >= 3.14.4-43
    selinux-policy-base >= 3.14.4-43
    selinux-policy-targeted >= 3.14.4-43

so container-selinux already requires selinux-policy.

The F30 spec file is way different than F31 (podman-remote subpackage missing, etc.) so I will leave it be for F30 and fix it for F31.

container-selinux already requires selinux-policy, but I proposed to only require container-selinux if selinux-policy is installed. That is completely orthogonal. Imagine this scenario:

1. selinux-policy is installed
2. user installs podman
3. container-selinux gets pulled in

And this scenario:

1. selinux-policy is not installed, maybe this is a minimal container itself?
2. user installs podman
3. container-selinux does not get pulled in, and neither does selinux-policy

Anyway, I'm not sure "selinux-policy is not installed" is a realistic scenario.

------

Side note: The error happens on transaction. The requires probably must be added as Requires(pre) and Requires(post) as well.

Miro - running podman without selinux-policy is more a question for Dan. Dan, do you think the scenario described by Miro would work? Meaning, would it fly to run podman without selinux-policy in the case of minimal containers?

I would prefer it stay a soft dependency for people wanting to run podman within a container. Sucking in container-selinux pulls in selinux-policy and really swells the size of the container image. Podman will run fine without selinux-policy. If there is a construct in rpm to not install container-selinux if selinux-policy is not installed, I am fine with that. Although for security in containers SELinux is the best tool that we have.

(In reply to Daniel Walsh from comment #15)
> If there is a construct in rpm to not install container-selinux if
> selinux-policy is not installed, I am fine with that.

There is:

    Requires: (container-selinux if selinux-policy)

LGTM

FEDORA-2020-9aae371366 has been submitted as an update to Fedora 31.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-9aae371366

podman-1.7.0-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9aae371366

podman-1.7.0-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

podman-1.7.0-2.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
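As an added detection example (not part of the bug report or of podman itself), here is a small parser for AVC audit records that flags the exact signature discussed in this thread: a package manager denied mac_admin on capability2, which is what rpm produces when it tries to apply a file label the loaded policy does not define. The sample lines are constructed; the first reproduces the denial quoted in the description, the others are made up for contrast.

```python
import re

# Constructed sample of audit.log lines. The first mirrors the AVC denial
# quoted in the bug report; the other two are made up for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1572086705.196:5948): avc:  denied  { mac_admin } for  pid=3665 comm="dnf" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
type=AVC msg=audit(1572086710.001:5950): avc:  denied  { read } for  pid=4100 comm="httpd" name="notes.txt" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1572086705.196:5948): arch=c000003e syscall=188 success=no exit=-1
"""

# Head of an AVC record: timestamp, serial, verdict and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# Trailing key=value fields; values may be quoted (comm="dnf") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Processes that unpack package payloads and therefore set file labels.
PACKAGE_MANAGERS = {"dnf", "rpm", "yum", "packagekitd"}


def parse_avc(line):
    """Parse one audit line into a dict; return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"),
           "perms": set(m.group("perms").split())}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def flag_label_denials(audit_text):
    """Return AVC records where a package manager was denied mac_admin on
    capability2: rpm tried to apply a file label the loaded policy does not
    define (in the bug above: podman installed without container-selinux)."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["verdict"] == "denied"
                and "mac_admin" in rec["perms"]
                and rec.get("tclass") == "capability2"
                and rec.get("comm") in PACKAGE_MANAGERS):
            hits.append(rec)
    return hits
```

On a real host, feed it the contents of /var/log/audit/audit.log; any hit during a dnf transaction is a strong hint that the policy module shipping the labels (here container-selinux) is missing or was installed after the package that needs it.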