
Bug 1952651

Summary: containers do not run in Fedora 34 IoT
Product: [Fedora] Fedora
Reporter: Dennis Gilmore <dgilmore>
Component: container-selinux
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 34
CC: amurdaca, container-sig, dwalsh, dweomer5, jchaloup, lsm5, pbrobinson, pehunt, rh.container.bot
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-11 13:02:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1269538

Description Dennis Gilmore 2021-04-22 18:09:52 UTC
Description of problem:

running a podman command to run homeassistant on Fedora 34 IoT networking does not work.


Version-Release number of selected component (if applicable):

libselinux-3.2-1.fc34.aarch64
libselinux-utils-3.2-1.fc34.aarch64
rpm-plugin-selinux-4.16.1.3-1.fc34.aarch64
selinux-policy-34-1.fc34.noarch
selinux-policy-targeted-34-1.fc34.noarch
container-selinux-2.158.0-1.gite78ac4f.fc34.noarch
python3-libselinux-3.2-1.fc34.aarch64
podman-plugins-3.1.0-1.fc34.aarch64
podman-3.1.0-1.fc34.aarch64

How reproducible:

Steps to Reproduce:
On a Fedora 34 IoT system run:
1. podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /home/homeassistant:/config   --network=host   homeassistant/home-assistant:stable

Actual results:
the container does not work, after switching from enforcing to permissive mode I see

type=AVC msg=audit(1619112380.373:899666): avc:  denied  { write } for  pid=552924 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.163:899668): avc:  denied  { write } for  pid=552939 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.163:899669): avc:  denied  { add_name } for  pid=552939 comm="python3" name="deps" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.163:899670): avc:  denied  { create } for  pid=552939 comm="python3" name="deps" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.563:899672): avc:  denied  { create } for  pid=552939 comm="python3" name="configuration.yaml" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899673): avc:  denied  { write open } for  pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899674): avc:  denied  { ioctl } for  pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.583:899675): avc:  denied  { read } for  pid=552939 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112396.543:899676): avc:  denied  { write } for  pid=553352 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899678): avc:  denied  { write } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112400.723:899680): avc:  denied  { read } for  pid=553368 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899681): avc:  denied  { open } for  pid=553368 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899682): avc:  denied  { ioctl } for  pid=553368 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.263:899683): avc:  denied  { add_name } for  pid=553368 comm="python3" name="home-assistant_v2.db" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112402.263:899684): avc:  denied  { create } for  pid=553368 comm="python3" name="home-assistant_v2.db" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.263:899685): avc:  denied  { write } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.283:899686): avc:  denied  { lock } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.283:899687): avc:  denied  { setattr } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.293:899688): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112402.293:899689): avc:  denied  { unlink } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.303:899690): avc:  denied  { map } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259902 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112404.593:899691): avc:  denied  { create } for  pid=553368 comm="python3" name=".cloud" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.353:899693): avc:  denied  { write } for  pid=553368 comm="python3" name="blueprints" dev="mmcblk0p3" ino=259908 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.353:899694): avc:  denied  { add_name } for  pid=553368 comm="python3" name="automation" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.363:899695): avc:  denied  { relabelfrom } for  pid=553368 comm="python3" name="motion_light.yaml" dev="mmcblk0p3" ino=259912 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112408.373:899696): avc:  denied  { setattr } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=259911 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.373:899697): avc:  denied  { relabelfrom } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=259911 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.423:899698): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="tmpfah9tsms" dev="mmcblk0p3" ino=259916 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.423:899699): avc:  denied  { rename } for  pid=553368 comm="python3" name="tmpfah9tsms" dev="mmcblk0p3" ino=259916 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899720): avc:  denied  { read write } for  pid=553368 comm="python3" name="home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899721): avc:  denied  { open } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899722): avc:  denied  { lock } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899723): avc:  denied  { create } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899724): avc:  denied  { setattr } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899725): avc:  denied  { map } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.049:899726): avc:  denied  { unlink } for  pid=553368 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113430.629:899727): avc:  denied  { write } for  pid=553368 comm="python3" name=".storage" dev="mmcblk0p3" ino=259915 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.629:899728): avc:  denied  { add_name } for  pid=553368 comm="python3" name="tmpxb6igo5e" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.629:899729): avc:  denied  { ioctl } for  pid=553368 comm="python3" path="/config/.storage/tmpxb6igo5e" dev="mmcblk0p3" ino=259921 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113430.629:899730): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="tmpxb6igo5e" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.639:899731): avc:  denied  { rename } for  pid=553368 comm="python3" name="tmpxb6igo5e" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113641.008:899734): avc:  denied  { write } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113641.008:899735): avc:  denied  { add_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113641.028:899736): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
in the audit log.

Expected results:

the container to run

Additional info:

Comment 1 Daniel Walsh 2021-04-23 10:12:31 UTC
You are attempting to leak an entire home directory into a container and SELinux is rightly blocking the access.  If you need to do this you need to disable SELinux container separation or play around with udica.

I would run the following command.

 podman run --init -d  --security-opt label=disable --name homeassistant   --restart=unless-stopped   --tz=local   -v /home/homeassistant:/config   --network=host   homeassistant/home-assistant:stable

BTW, notice the --tz flag.

Comment 2 Dennis Gilmore 2021-04-24 18:10:47 UTC
As the directory was just a directory containing config files, I moved it to /var/lib/homeassistant.

running "podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /var/lib/homeassistant:/config   --network=host   homeassistant/home-assistant:stable" I get:

type=AVC msg=audit(1619287263.705:547): avc:  denied  { write } for  pid=1780 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:549): avc:  denied  { write } for  pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:551): avc:  denied  { read } for  pid=1796 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:552): avc:  denied  { ioctl } for  pid=1796 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:553): avc:  denied  { lock } for  pid=1796 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:554): avc:  denied  { write } for  pid=1796 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:555): avc:  denied  { add_name } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:556): avc:  denied  { create } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:557): avc:  denied  { setattr } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.925:558): avc:  denied  { remove_name } for  pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.925:559): avc:  denied  { unlink } for  pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287273.645:561): avc:  denied  { rename } for  pid=1796 comm="python3" name="tmpqq7mj4zg" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1


If instead I run "podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /var/lib/homeassistant:/config:Z   --network=host   homeassistant/home-assistant:stable" I still get one denial:

type=AVC msg=audit(1619287145.126:537): avc:  denied  { write } for  pid=1262 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c286,c789 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

should udevadm be able to run inside of a container?

Comment 3 Daniel Walsh 2021-04-26 22:52:47 UTC
Currently we block this via SELinux: writing to sysfs `uevent`.  I do not believe this is going to work the way you expect, i.e. devices will not appear on the host's /dev.

You can disable SELinux separation to see if it works.  If it does, I could consider adding this allow rule.
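The three comments above walk through three distinct kinds of denial: a bind mount whose content still carries a host type such as user_home_dir_t (comment 1), a volume that is already container_file_t but labelled with another container's MCS categories, which `:Z` fixes (comment 2), and a sysfs write that the policy blocks regardless of volume labels (comment 3). The following triage script is an added example written for this page, not code from the bug report, podman or container-selinux; it parses AVC lines of the form quoted above and sorts each denial into one of those three buckets. The sample input reuses three denials quoted in the bug; the classification rules and the advice strings are the editor's own heuristics, not policy definitions.

```python
import re
from collections import Counter

# Sample input: three denials quoted in this bug, one per situation discussed.
SAMPLE_AVC = [
    'type=AVC msg=audit(1619112384.163:899668): avc:  denied  { write } for  pid=552939 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1619287267.855:549): avc:  denied  { write } for  pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1',
    'type=AVC msg=audit(1619287145.126:537): avc:  denied  { write } for  pid=1262 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c286,c789 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1',
]

# "avc:  denied  { perm [perm ...] } for  key=value ..." as printed by auditd.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Editor's heuristic advice per denial class (assumption, not policy text).
ADVICE = {
    'host_labelled_volume': 'target keeps a host file type; relabel the bind mount with :Z (private) or :z (shared), '
                            'or move the data out of the home directory, before reaching for --security-opt label=disable',
    'mcs_mismatch': 'volume is container_file_t but carries another container\'s MCS categories; '
                    ':Z relabels it to this container, :z gives it a shared label',
    'policy_block': 'container_t is deliberately denied this sysfs write; volume relabelling cannot change it, '
                    'only a policy change or disabling separation would',
    'other': 'no rule matched; inspect scontext/tcontext by hand',
}


def split_context(ctx):
    """Split 'user:role:type:level' into parts; the level may carry MCS categories after s0."""
    user, role, stype, level = ctx.split(':', 3)
    cats = set(level.split(':', 1)[1].split(',')) if ':' in level else set()
    return {'user': user, 'role': role, 'type': stype, 'level': level, 'cats': cats}


def parse_avc(line):
    """Return the denial's fields as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    rec['source'] = split_context(rec['scontext'])
    rec['target'] = split_context(rec['tcontext'])
    return rec


def classify(rec):
    """Map one parsed denial to the three situations discussed in this bug."""
    src, tgt = rec['source'], rec['target']
    if tgt['type'] == 'sysfs_t':
        return 'policy_block'
    if tgt['type'] == 'container_file_t':
        # Same type but different categories: the volume was relabelled for another container.
        return 'mcs_mismatch' if src['cats'] != tgt['cats'] else 'other'
    if rec.get('tclass') in ('file', 'dir', 'lnk_file'):
        return 'host_labelled_volume'
    return 'other'


def triage(lines):
    """Count denial classes over an iterable of audit lines; non-AVC lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            counts[classify(rec)] += 1
    return counts


def report(lines):
    """One human-readable line per denial: class, command, object and denied permissions."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec:
            obj = rec.get('path') or rec.get('name', '?')
            out.append(f"{classify(rec):>20}  comm={rec['comm']}  obj={obj}  perms={' '.join(rec['perms'])}")
    return out


if __name__ == '__main__':
    for row in report(SAMPLE_AVC):
        print(row)
    for cls, n in triage(SAMPLE_AVC).items():
        print(f"{n} x {cls}: {ADVICE[cls]}")
```

In practice the input would be `ausearch -m avc` output piped into the script; the point of the split is that only the first two buckets are addressed by a mount option, while the sysfs bucket shows up identically whether the volume is relabelled or not.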

Comment 4 Red Hat Bugzilla 2023-09-12 03:55:36 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days