Bug 1952651
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | containers do not run in Fedora 34 IoT | | |
| Product | [Fedora] Fedora | Reporter | Dennis Gilmore <dgilmore> |
| Component | container-selinux | Assignee | Lokesh Mandvekar <lsm5> |
| Status | CLOSED NOTABUG | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 34 | CC | amurdaca, container-sig, dwalsh, dweomer5, jchaloup, lsm5, pbrobinson, pehunt, rh.container.bot |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-06-11 13:02:38 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1269538 | | |
Description
Dennis Gilmore
2021-04-22 18:09:52 UTC
You are attempting to leak an entire home directory into a container and SELinux is rightly blocking the access. If you need to do this you need to disable SELinux container separation or play around with udica. I would run the following command:

```
podman run --init -d --security-opt label=disable --name homeassistant --restart=unless-stopped --tz=local -v /home/homeassistant:/config --network=host homeassistant/home-assistant:stable
```

BTW, notice the `--tz` flag.

As the directory was just a directory containing config files, I moved it to /var/lib/homeassistant. Running

```
podman run --init -d --name homeassistant --restart=unless-stopped -v /etc/localtime:/etc/localtime:ro -v /var/lib/homeassistant:/config --network=host homeassistant/home-assistant:stable
```

I get:

```
type=AVC msg=audit(1619287263.705:547): avc: denied { write } for pid=1780 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:549): avc: denied { write } for pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:551): avc: denied { read } for pid=1796 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:552): avc: denied { ioctl } for pid=1796 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:553): avc: denied { lock } for pid=1796 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:554): avc: denied { write } for pid=1796 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:555): avc: denied { add_name } for pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:556): avc: denied { create } for pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:557): avc: denied { setattr } for pid=1796 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.925:558): avc: denied { remove_name } for pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.925:559): avc: denied { unlink } for pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287273.645:561): avc: denied { rename } for pid=1796 comm="python3" name="tmpqq7mj4zg" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
```

If instead I run

```
podman run --init -d --name homeassistant --restart=unless-stopped -v /etc/localtime:/etc/localtime:ro -v /var/lib/homeassistant:/config:Z --network=host homeassistant/home-assistant:stable
```

I still get one denial:

```
type=AVC msg=audit(1619287145.126:537): avc: denied { write } for pid=1262 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c286,c789 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
```

Should udevadm be able to run inside of a container? Currently we block this via SELinux, writing to sysfs `uevent`. I do not believe this is going to work the way you expect, i.e. devices will not appear on the host's /dev. You can disable SELinux separation to see if it works. If it does, I could consider adding this allow rule.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.
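The two kinds of denial in this thread look alike in the audit log but need different fixes: the `container_file_t` denials are an MCS category mismatch between the container (`c263,c985`) and the files (`c286,c789`, the label left behind by the earlier `:Z` run), which a relabel with `:Z` or `:z` cures, while the `udevadm` write to `sysfs_t` is a type-enforcement rule that no relabel will touch. The following script, an added example that is not part of the bug report or of container-selinux, parses AVC records and sorts them into those two classes. The sample records are three of the lines quoted above, embedded as constructed input; the verdict names and remedy strings are this example's own choices, not podman or SELinux terminology.

```python
"""Classify SELinux AVC denials raised by a container process.

Splits denials into MCS-label mismatches on container_file_t (fixable with
podman's :Z/:z volume options) and type-enforcement denials (not fixable by
relabeling, e.g. container_t writing to sysfs_t).
"""
import re
from dataclasses import dataclass

# Constructed sample input: three AVC records copied from the bug report
# (the double spaces of the raw audit format are collapsed to single ones).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1619287263.705:547): avc: denied { write } for pid=1780 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:549): avc: denied { write } for pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:554): avc: denied { write } for pid=1796 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
"""

# Fields we need from an AVC record; everything between them is skipped lazily.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str            # e.g. "s0" or "s0:c263,c985"
    categories: frozenset  # MCS categories expanded to ints, e.g. {263, 985}


def parse_context(ctx: str) -> Context:
    """Split 'user:role:type:sensitivity[:categories]' and expand c-ranges (c0.c1023)."""
    user, role, type_, *rest = ctx.split(":")
    cats = set()
    if len(rest) > 1:
        for part in rest[1].split(","):
            if "." in part:                      # range form cN.cM
                lo, hi = part.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.add(int(part[1:]))
    return Context(user, role, type_, ":".join(rest), frozenset(cats))


@dataclass(frozen=True)
class Denial:
    perms: tuple
    comm: str
    tclass: str
    source: Context
    target: Context
    verdict: str   # "mcs_mismatch", "policy_denial" or "unexpected" (names chosen here)
    remedy: str


def classify(source: Context, target: Context) -> tuple:
    """Decide whether relabeling the target would make the denial go away."""
    if source.type == "container_t" and target.type == "container_file_t":
        if source.categories != target.categories:
            return ("mcs_mismatch",
                    "files carry another container's MCS categories; mount with "
                    "'-v host:ctr:Z' (private) or ':z' (shared) so podman relabels them")
        return ("unexpected", "same MCS label yet denied; inspect the permission set")
    if target.type == "sysfs_t":
        return ("policy_denial",
                "container_t may not write sysfs; only '--security-opt label=disable' "
                "or a policy change would allow it, relabeling cannot")
    return ("policy_denial", "type-enforcement rule, not an MCS problem; relabeling will not help")


def parse_denials(audit_text: str) -> list:
    """Parse every AVC record in audit_text into a classified Denial."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = parse_context(m["scontext"]), parse_context(m["tcontext"])
        verdict, remedy = classify(src, tgt)
        denials.append(Denial(tuple(m["perms"].split()), m["comm"], m["tclass"],
                              src, tgt, verdict, remedy))
    return denials


def summarize(audit_text: str) -> dict:
    """Count denials per verdict, e.g. {'policy_denial': 1, 'mcs_mismatch': 2}."""
    counts = {}
    for d in parse_denials(audit_text):
        counts[d.verdict] = counts.get(d.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_AUDIT):
        print(f"{d.comm:8} {'/'.join(d.perms):6} {d.tclass:4} "
              f"{d.source.type}:{d.source.level} -> {d.target.type}:{d.target.level}  {d.verdict}")
        print("    remedy:", d.remedy)
    print(summarize(SAMPLE_AUDIT))
```

Feed it the output of `ausearch -m AVC` (or the raw lines from audit.log) to see at a glance how many denials a `:Z` relabel would remove and which ones, like the `uevent` write here, need a policy decision instead. Note that `:Z` hands the directory to the current container's categories, so a second container started later without the flag will hit exactly the mismatch shown in the sample.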