Bug 1765818
Summary: | Cannot longer install podman: error: Plugin selinux: hook fsm_file_prepare failed | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Miro Hrončok <mhroncok>
Component: | podman | Assignee: | Lokesh Mandvekar <lsm5>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 31 | CC: | bbaude, dwalsh, jnovy, lsm5, lvrabec, mheon, mitroko, santiago, tom.killian
Target Milestone: | --- | Keywords: | Reopened
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | podman-1.7.0-3.fc30 podman-1.7.0-2.fc31 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2020-01-10 01:13:40 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1700323 | |
Description
Miro Hrončok
2019-10-26 10:43:59 UTC
```
type=AVC msg=audit(1572086705.196:5948): avc: denied { mac_admin } for pid=3665 comm="dnf" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
```

Hash: dnf,unconfined_t,unconfined_t,capability2,mac_admin

selinux-policy-3.14.3-46.fc30

---

On Fedora 31 I can no longer reproduce this.

---

Miro, did you remove container-selinux or something?

mac_admin means that dnf/rpm was attempting to put down a label that the kernel did not understand. The podman executable is labeled based on the container-selinux package, which should be installed before podman.

I would do

```
dnf reinstall container-selinux
dnf reinstall podman
```

and see if this cleans up the issue.

---

No, I was just running plain dnf upgrade. If there are some logs I can share, I will.

BTW this was not a regression in the new build, `dnf install 'podman < 2:1.6.2-2'` failed in the same way with podman-2:1.2.0-2.git3bd528e.fc30.

---

Could you try the commands I listed above to see if the issue goes away.

---

Sorry, I cannot. I solved the problem by upgrading to Fedora 31. Feel free to close this, or I can provide more data from the logs, if there is something useful.

---

I ran into this error upgrading containers-common on an FC30 system. Per this bugzilla, I installed container-selinux (it was not previously installed) and the problem went away. Perhaps there is (or was) a missing dependency for container-selinux.

---

podman has container-selinux only as a soft dependency. I will turn it into a hard dep to be sure container-selinux is always installed prior to podman.

---

Maybe it can be conditionalized on selinux-policy?

```
Requires: (container-selinux if selinux-policy)
```

OTOH I'm not sure if you can ever install podman without selinux-policy.
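The denial in the description, read the way Dan reads it above, is dnf being refused CAP_MAC_ADMIN because rpm's SELinux plugin tried to apply a file label that the loaded policy does not define. The Python below is an added example written for this page, not code from the bug, from podman or from the audit tooling: it parses AVC records from an audit log and flags that specific pattern (a package manager denied `mac_admin` on `tclass=capability2`) so it can be told apart from ordinary file-access denials. The sample records are constructed; the first mirrors the one in the description, and the `PACKAGE_MANAGERS` set is an assumption to extend for your own distribution.

```python
"""Flag the AVC pattern behind this bug in an audit log: a package manager
denied CAP_MAC_ADMIN (tclass=capability2, permission mac_admin), which is what
the kernel reports when rpm's SELinux plugin tries to set a file label the
loaded policy does not define.  Example code written for this page, not from
the bug or from podman; the sample records below are constructed."""
import re
from dataclasses import dataclass

# Constructed sample audit records.  The first mirrors the denial in the bug
# description; the second is an ordinary file-access denial for contrast; the
# third is a non-AVC record that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1572086705.196:5948): avc: denied { mac_admin } for pid=3665 comm="dnf" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
type=AVC msg=audit(1572086710.001:5949): avc:  denied  { read } for  pid=4100 comm="httpd" name="index.html" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1572086705.196:5948): arch=c000003e syscall=188 success=no exit=-1 comm="dnf"
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# comm values that perform package transactions (assumed list; extend as needed).
PACKAGE_MANAGERS = {"dnf", "rpm", "yum", "packagekitd", "microdnf"}
CAP_MAC_ADMIN = 33  # capability number reported in the description's record


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: frozenset
    fields: dict


def parse_avc(line):
    """Parse one AVC record; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")), m.group("result"),
                     frozenset(m.group("perms").split()), fields)


def parse_audit_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def unknown_label_finding(rec):
    """Return a finding dict if `rec` is a package manager being denied mac_admin."""
    if rec.result != "denied" or "mac_admin" not in rec.perms:
        return None
    if rec.fields.get("tclass") != "capability2":
        return None
    comm = rec.fields.get("comm", "")
    if comm not in PACKAGE_MANAGERS:
        return None
    return {
        "serial": rec.serial,
        "comm": comm,
        "pid": rec.fields.get("pid"),
        "enforcing": rec.fields.get("permissive") == "0",
        "capability_matches": rec.fields.get("capability") == str(CAP_MAC_ADMIN),
        "message": (f"{comm} was denied CAP_MAC_ADMIN while labelling files: the label it "
                    "tried to apply is not defined in the loaded policy. Check that the "
                    "policy module providing it (container-selinux for podman) is installed."),
    }


def findings(text):
    """All unknown-label findings in an audit log text."""
    return [f for f in map(unknown_label_finding, parse_audit_log(text)) if f is not None]


if __name__ == "__main__":
    for f in findings(SAMPLE_AUDIT):
        print(f"audit serial {f['serial']}: {f['message']}")
```

Run it against the output of `ausearch -m AVC` (or a copy of audit.log) to see whether a failed transaction left this signature; the httpd record is reported as nothing, only the dnf record produces a finding.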
---

```
# rpm -q --requires container-selinux | grep selinux-policy
selinux-policy >= 3.14.4-43
selinux-policy-base >= 3.14.4-43
selinux-policy-targeted >= 3.14.4-43
```

so container-selinux already requires selinux-policy.

The F30 spec file is way different than F31 (podman-remote subpackage missing, etc.) so I will leave it be for F30 and fix it for F31.

---

container-selinux already requires selinux-policy, but I proposed to only require container-selinux if selinux-policy is installed. That is completely orthogonal.

Imagine this scenario:

1. selinux-policy is installed
2. user installs podman
3. container-selinux gets pulled in

And this scenario:

1. selinux-policy is not installed, maybe this is a minimal container itself?
2. user installs podman
3. container-selinux does not get pulled in, and neither does selinux-policy

Anyway, I'm not sure "selinux-policy is not installed" is a realistic scenario.

------

Side note: The error happens on transaction. The requires probably must be added as Requires(pre) and Requires(post) as well.

---

Miro - running podman without selinux-policy is more a question for Dan.

Dan, do you think the scenario described by Miro would work? Meaning would it fly to run podman without selinux-policy in case of minimal containers?

---

I would prefer it stay a soft dependency for people wanting to run podman within a container. Sucking in container-selinux pulls in selinux-policy and really swells the size of the container image. Podman will run fine without selinux-policy.

If there is a construct in rpm to not install container-selinux if selinux-policy is not installed, I am fine with that. Although for security in containers SELinux is the best tool that we have.

---

(In reply to Daniel Walsh from comment #15)
> If there is a construct in rpm to not install container-selinux if
> selinux-policy is not installed, I am fine with that.

There is:

```
Requires: (container-selinux if selinux-policy)
```

---

LGTM

---

FEDORA-2020-9aae371366 has been submitted as an update to Fedora 31.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-9aae371366

---

podman-1.7.0-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9aae371366

---

podman-1.7.0-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

---

podman-1.7.0-2.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

---

In my case I have solved a similar issue by grepping for the broken label name (container_var_lib_t in my case), moving the responsible binary policy file and reinstalling selinux-policy:

```
grep container_var_lib_t /etc/ -R   # this pointed to /etc/selinux/targeted/contexts/files/file_contexts.bin as matching file.
dnf provides /etc/selinux/targeted/contexts/files/file_contexts.bin   # checked which rpm provides it
mv /etc/selinux/targeted/contexts/files/file_contexts.bin /root/   # backing up
dnf reinstall selinux-policy-targeted   # reinstalling the policy, post-install script will recompile removed binary policy file
```

This issue appeared after a Fedora upgrade from 35 to 36, but I guess it is valid for any other release jump. Please update the doc, no need to reopen the ticket.
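The dependency discussion in this thread turns on how a rich dependency such as `Requires: (container-selinux if selinux-policy)` behaves compared with a plain hard dependency or a soft (Recommends) one. The Python below is an added example written for this page, not rpm or dnf solver code and not from the bug: a small fixpoint resolver over a constructed package set that walks Miro's two scenarios, the hard-dependency variant Dan objected to for minimal images, and the soft-dependency case where container-selinux is not pulled in. It pairs that with a deliberately simplified model of the labelling step, which fails exactly when a policy is present but container-selinux is absent, the situation Dan describes above. The package names `podman-soft`, `podman-hard` and `podman-cond` are hypothetical stand-ins for the three ways of declaring the dependency; version constraints are omitted.

```python
"""Simplified model of RPM rich dependencies for the podman/container-selinux
case discussed in this bug.  Example code written for this page; it is not
rpm's or dnf's solver and the package set below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    requires: tuple = ()     # Requires: hard deps, always pulled in
    conditional: tuple = ()  # (dep, cond) pairs, i.e. Requires: (dep if cond)
    recommends: tuple = ()   # Recommends: weak deps, pulled in only when the resolver installs them


# Constructed package set.  podman-soft / podman-hard / podman-cond are
# hypothetical names for the three ways podman could declare its
# container-selinux dependency.
REPO = {
    "selinux-policy": Package("selinux-policy"),
    "container-selinux": Package("container-selinux", requires=("selinux-policy",)),
    "podman-soft": Package("podman-soft", recommends=("container-selinux",)),
    "podman-hard": Package("podman-hard", requires=("container-selinux",)),
    "podman-cond": Package("podman-cond", conditional=(("container-selinux", "selinux-policy"),)),
}


def resolve(install, installed, repo=REPO, install_weak=False):
    """Return the package set after installing `install` on top of `installed`.

    A `(dep if cond)` requirement is evaluated against the transaction set as
    it grows, so the loop runs to a fixpoint: pulling in one package may
    satisfy the condition of another package's conditional requirement."""
    result = set(installed) | set(install)
    changed = True
    while changed:
        changed = False
        for name in sorted(result):
            pkg = repo[name]
            wanted = set(pkg.requires)
            wanted |= {dep for dep, cond in pkg.conditional if cond in result}
            if install_weak:
                wanted |= set(pkg.recommends)
            missing = wanted - result
            if missing:
                result |= missing
                changed = True
    return result


def labelling_outcome(result):
    """Simplified model of rpm's SELinux plugin labelling podman's files:
    without a policy package there is nothing to label against; with a policy
    but without container-selinux the container_* labels are undefined, which
    is the 'hook fsm_file_prepare failed' situation from the bug title."""
    if "selinux-policy" not in result:
        return ("ok", "no SELinux policy installed; files are not labelled")
    if "container-selinux" not in result:
        return ("fail", "policy loaded but container labels undefined")
    return ("ok", "container labels defined by container-selinux")


def scenario(podman, installed, install_weak=False):
    """Resolve one scenario; return (resulting package set, labelling outcome)."""
    result = resolve({podman}, installed, install_weak=install_weak)
    return result, labelling_outcome(result)


if __name__ == "__main__":
    cases = [
        ("podman-cond", {"selinux-policy"}, False),  # Miro's scenario 1
        ("podman-cond", set(), False),               # Miro's scenario 2: minimal image
        ("podman-hard", set(), False),               # hard dep drags the policy into the image
        ("podman-soft", {"selinux-policy"}, False),  # weak dep not installed: the failure mode
        ("podman-soft", {"selinux-policy"}, True),   # weak dep installed: fine
    ]
    for podman, installed, weak in cases:
        pkgs, outcome = scenario(podman, installed, weak)
        print(f"{podman:12} installed={sorted(installed)} weak={weak} -> "
              f"{sorted(pkgs - {podman})} {outcome}")
```

The conditional form gives the behaviour both sides of the thread wanted: a host with selinux-policy always ends up with container-selinux before podman's files are labelled, while a minimal image without any policy package installs podman alone.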