Bug 1516454

Summary: Buildah bud fails with permission denied on /var/lib/apt/lists
Product: Red Hat Enterprise Linux 7
Reporter: Micah Abbott <miabbott>
Component: buildah
Assignee: Frantisek Kluknavsky <fkluknav>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: urgent
Priority: urgent
Version: 7.4
CC: ddarrah, dwalsh, extras-qa, gscrivan, lfriedma, lsm5, tsweeney, ypu
Target Milestone: rc
Keywords: Extras
Hardware: x86_64
OS: Unspecified
Clone Of: 1516431
Last Closed: 2017-11-30 18:47:23 UTC
Type: Bug
Bug Depends On: 1516431

Description Micah Abbott 2017-11-22 16:14:47 UTC
This should affect the RHEL release of 'buildah' if not fixed

+++ This bug was initially created as a clone of Bug #1516431 +++

Description of problem: When creating the "whalesays" container, privilege errors on the /var/lib/apt/lists directory are seen


Version-Release number of selected component (if applicable): Buildah 0.7

Steps to Reproduce:
1. Install latest Fedora 27 Server
2. Install: 
buildah-0.7-1.gitb7e3320.fc27.x86_64.rpm 
skopeo-containers-0.1.26-1.git2e8377a.fc27.x86_64.rpm
container-selinux-2.33-1.fc27.noarch.rpm

3.  Use this Dockerfile: 

FROM docker/whalesay:latest
RUN apt-get -y update && apt-get install -y fortunes
CMD /usr/games/fortune -a | cowsay

and then run this command:

buildah bud -f Dockerfile -t whale-says

Actual results:

STEP 2: RUN apt-get -y update && apt-get install -y fortunes
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
error building: error building at step {Env:[PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] Command:run Args:[apt-get -y update && apt-get install -y fortunes] Flags:[] Attrs:map[] Message:RUN apt-get -y update && apt-get install -y fortunes Original:RUN apt-get -y update && apt-get install -y fortunes}: exit status 100

journalctl is showing:


Nov 21 19:40:21 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rhel-push-plugin comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 21 19:40:40 localhost.localdomain kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Nov 21 19:40:40 localhost.localdomain audit[3586]: AVC avc:  denied  { write } for  pid=3586 comm="apt-get" name="lists" dev="overlay" ino=154020 scontext=system_u:system_r:container_t:s0:c94,c830 tcontext=unconfined_u:object_r:container_share_t:s0 tclass=dir permissive=0
Nov 21 19:40:40 localhost.localdomain audit[3586]: AVC avc:  denied  { write } for  pid=3586 comm="apt-get" name="lock" dev="overlay" ino=154026 scontext=system_u:system_r:container_t:s0:c94,c830 tcontext=unconfined_u:object_r:container_share_t:s0 tclass=file permissive=0
Nov 21 19:40:40 localhost.localdomain audit[3586]: AVC avc:  denied  { write } for  pid=3586 comm="apt-get" name="dpkg" dev="overlay" ino=154002 scontext=system_u:system_r:container_t:s0:c94,c830 tcontext=unconfined_u:object_r:container_share_t:s0 tclass=dir permissive=0
Nov 21 19:40:40 localhost.localdomain audit[3586]: AVC avc:  denied  { write } for  pid=3586 comm="apt-get" name="lock" dev="overlay" ino=154027 scontext=system_u:system_r:container_t:s0:c94,c830 tcontext=unconfined_u:object_r:container_share_t:s0 tclass=file permissive=0
Nov 21 19:55:05 localhost.localdomain dhclient[1027]: DHCPREQUEST on ens3 to 192.168.122.1 port 67 (xid=0x5db5c03b)


Expected results: Container to build without issue.

--- Additional comment from Daniel Walsh on 2017-11-22 10:48:09 EST ---

Fixed in buildah 1.8.

Comment 9 errata-xmlrpc 2017-11-30 18:47:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3360
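
Added example (not part of the original report or of buildah): a small Python parser that pulls the AVC denials out of journal output like the excerpt in the description and groups them by source type, target type and object class, which is the quickest way to see that every denial here is container_t writing to container_share_t. The function names and SAMPLE_LOG are assumptions made for illustration; the sample reuses two of the report's denials plus one unrelated line.

```python
import re
from collections import defaultdict

# Constructed sample: two denials from the report, each on a single line,
# followed by one unrelated journal line that the parser must skip.
SAMPLE_LOG = """\
Nov 21 19:40:40 localhost.localdomain audit[3586]: AVC avc:  denied  { write } for  pid=3586 comm="apt-get" name="lists" dev="overlay" ino=154020 scontext=system_u:system_r:container_t:s0:c94,c830 tcontext=unconfined_u:object_r:container_share_t:s0 tclass=dir permissive=0
Nov 21 19:40:40 localhost.localdomain audit[3586]: AVC avc:  denied  { write } for  pid=3586 comm="apt-get" name="lock" dev="overlay" ino=154026 scontext=system_u:system_r:container_t:s0:c94,c830 tcontext=unconfined_u:object_r:container_share_t:s0 tclass=file permissive=0
Nov 21 19:55:05 localhost.localdomain dhclient[1027]: DHCPREQUEST on ens3 to 192.168.122.1 port 67 (xid=0x5db5c03b)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None  # truncated or still line-wrapped record
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(log_text):
    """Map (source type, target type, class) -> [(comm, name, perms), ...]."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec.get("tclass"))
            groups[key].append((rec.get("comm"), rec.get("name"), tuple(rec["perms"])))
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), hits in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt} [{cls}]: {hits}")
```

The parser expects one record per line, so journal text that has been hard-wrapped mid-field has to be rejoined before it is fed in.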