Bug 1592489

Summary: unable to run containers; fork/exec /usr/sbin/iptables: permission denied
Product: Fedora
Component: podman
Version: rawhide
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Reporter: Micah Abbott <miabbott>
Assignee: Lokesh Mandvekar <lsm5>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: lsm5
Fixed In Version: podman-0.6.4-1.gitd5beb2f.fc28 podman-0.6.4-1.gitd5beb2f.fc27
Doc Type: If docs needed, set a value
Last Closed: 2018-06-28 14:08:46 UTC

Description Micah Abbott 2018-06-18 16:05:22 UTC
Using the latest Fedora Rawhide Atomic Host, I am unable to run containers using `podman`.  The `run` appears to fail due to an SELinux denial:

# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20180616.n.0 (2018-06-16 09:30:08)
                    Commit: 1055dea1f99991fb56d5ae9e29cc6ff52fa01970555f82fcc8e929c7f717907f

# rpm -q container-selinux podman runc selinux-policy
container-selinux-2.64-1.gitdfaf8fd.fc29.noarch
podman-0.6.4-1.gitb43677c.fc29.x86_64
runc-1.0.0-36.gitad0f525.fc29.x86_64
selinux-policy-3.14.2-25.fc29.noarch

# podman run -it --rm registry.fedoraproject.org/fedora echo 'hello'
Trying to pull registry.fedoraproject.org/fedora...Getting image source signatures
Copying blob sha256:bd02462c6d09de67de291323a7b926313b0e0838b423ea51563ef2293c67ff2d
 85.56 MB / 85.56 MB [=====================================================] 10s
Copying config sha256:75aeb7f897fdff7569c8bf1bc33c32823eb6c5baad9ac7dfa501ce284d795116
 1.27 KB / 1.27 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
ERRO[0023] `iptables -t filter -D FORWARD -s 10.88.0.2 ! -o 10.88.0.2 -j ACCEPT` failed:   (fork/exec /usr/sbin/iptables: permission denied)

# journalctl -b | grep 'avc:  denied'
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc:  denied  { read write } for  pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc:  denied  { read write } for  pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc:  denied  { read write } for  pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc:  denied  { read write } for  pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc:  denied  { map } for  pid=1453 comm="echo" path="/usr/bin/coreutils" dev="dm-0" ino=29003 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Jun 18 15:59:12 micah-f28ah-vm0618a audit[1476]: AVC avc:  denied  { entrypoint } for  pid=1476 comm="podman" path="/usr/sbin/xtables-multi" dev="dm-0" ino=46410208 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0


Could be the same as RHBZ#1592488
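
The denials quoted above fall into three groups, and two of them point at different root causes: an `entrypoint` denial (the kernel refused to let the process enter the `scontext` domain through that binary) and a file under /usr carrying `var_lib_t`, which is a labeling problem rather than a missing allow rule. The script below is an added triage example, not part of this report or of podman/container-selinux: it parses `avc:  denied` records as printed by journalctl, collapses repeats, and flags those two patterns. Its sample input is the six AVC lines quoted in the description (the /dev/pts line is repeated four times, as in the journal); `SUSPECT_USR_TYPES` is a heuristic chosen for this example, not a policy definition.

```python
"""Triage SELinux AVC denials pasted from journalctl / audit.log.

Added example (not the bug report's code, nor podman's): group identical
denials and call out the two patterns seen in this report, a domain that
lacks `entrypoint` on the binary it is about to exec, and a file under
/usr labeled with a type that does not belong there.
"""
import re
from collections import Counter

# AVC lines copied verbatim from the report's journalctl output, embedded
# here so the script runs offline. The /dev/pts denial appears four times.
SAMPLE_LINES = [
    'Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc:  denied  { read write } for  pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0',
] * 4 + [
    'Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc:  denied  { map } for  pid=1453 comm="echo" path="/usr/bin/coreutils" dev="dm-0" ino=29003 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'Jun 18 15:59:12 micah-f28ah-vm0618a audit[1476]: AVC avc:  denied  { entrypoint } for  pid=1476 comm="podman" path="/usr/sbin/xtables-multi" dev="dm-0" ino=46410208 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0',
]

# "avc:  denied  { perm perm } for  key=value key="value" ..."
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic for this example: types that should never label files under /usr.
# Seeing one there means the tree is mislabeled, so relabel before writing policy.
SUSPECT_USR_TYPES = {"var_lib_t", "var_t", "tmp_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Parse one 'avc:  denied' record into a dict; return None for other lines."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": tuple(sorted(m.group("perms").split()))}
    for key, value in _FIELD_RE.findall(m.group("fields")):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def type_of(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(":")[2]


def summarize(lines):
    """Count identical denials keyed by (source type, target type, class, perms)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]),
                rec["tclass"], rec["perms"])] += 1
    return counts


def find_problems(lines):
    """Flag the two patterns to chase first: entrypoint denials and mislabeled /usr files."""
    problems = []
    seen = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext"], rec["tcontext"], rec["tclass"], rec["perms"], rec.get("path"))
        if key in seen:
            continue
        seen.add(key)
        stype, ttype = type_of(rec["scontext"]), type_of(rec["tcontext"])
        path = rec.get("path", "")
        # entrypoint is checked with the *new* domain as source: scontext is the
        # domain the process tried to enter by executing the target file.
        if "entrypoint" in rec["perms"]:
            problems.append(
                "entrypoint: %s may not enter domain %s via %s (%s); check the exec "
                "label set before the exec and whether policy grants 'entrypoint' on %s"
                % (rec.get("comm"), stype, path, ttype, ttype))
        if rec["tclass"] == "file" and path.startswith("/usr/") and ttype in SUSPECT_USR_TYPES:
            problems.append(
                "mislabel: %s carries %s, not a type expected under /usr; "
                "relabel before touching policy" % (path, ttype))
    return problems


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).most_common():
        print("%3d x %s -> %s %s { %s }" % (n, key[0], key[1], key[2], " ".join(key[3])))
    for p in find_problems(SAMPLE_LINES):
        print("!!", p)
```

Run it against `journalctl -b | grep 'avc:  denied'` output instead of the embedded sample to triage a live host. For the two flagged items the follow-up checks are standard tools rather than anything in this script: `sesearch -A -s unconfined_t -t iptables_exec_t -c file -p entrypoint` shows whether the policy grants the rule at all, and `matchpathcon /usr/bin/coreutils` shows what label the file is supposed to carry so the mismatch can be fixed with `restorecon` rather than papered over with a custom module.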

Comment 1 Fedora Update System 2018-06-22 21:19:22 UTC
podman-0.6.4-1.gitd5beb2f.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5142d70592

Comment 2 Fedora Update System 2018-06-22 21:19:38 UTC
podman-0.6.4-1.gitd5beb2f.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2b96ea9fec

Comment 3 Fedora Update System 2018-06-23 18:55:59 UTC
podman-0.6.4-1.gitd5beb2f.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5142d70592

Comment 4 Fedora Update System 2018-06-23 21:21:51 UTC
podman-0.6.4-1.gitd5beb2f.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2b96ea9fec

Comment 5 Micah Abbott 2018-06-25 16:05:32 UTC
VERIFIED with podman-0.6.4-1.gitd5beb2f.fc28

Comment 6 Fedora Update System 2018-06-28 14:08:46 UTC
podman-0.6.4-1.gitd5beb2f.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2018-07-03 14:11:08 UTC
podman-0.6.4-1.gitd5beb2f.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.