Bug 1776248

Summary: SELinux is preventing /usr/bin/bash from read access on the file /usr/lib64/libc-2.30.so
Product: [Fedora] Fedora Reporter: Lukas Slebodnik <lslebodn>
Component: container-selinuxAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 31CC: amurdaca, bbaude, debarshir, dwalsh, jchaloup, jnovy, lsm5, lvrabec, mgrepl, mheon, plautrba, rh.container.bot, santiago, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-11 14:13:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Slebodnik 2019-11-25 10:39:20 UTC 
SELinux is preventing /usr/bin/bash from read access on the file /usr/lib64/libc-2.30.so.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/usr/lib64/libc-2.30.so default label should be lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/lib64/libc-2.30.so

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that bash should be allowed read access on the libc-2.30.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c65,c73
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /usr/lib64/libc-2.30.so [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           bash-5.0.7-3.fc31.x86_64
Target RPM Packages           glibc-2.30-7.fc31.x86_64
Policy RPM                    selinux-policy-3.14.4-42.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     host.example.com
Platform                      Linux host.example.com
                              5.3.12-300.fc31.x86_64 #1 SMP Thu Nov 21 22:52:07
                              UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-11-25 05:36:46 EST
Last Seen                     2019-11-25 05:36:46 EST
Local ID                      a4e874a2-2540-44e7-ba63-62e961a5b558

Raw Audit Messages
type=AVC msg=audit(1574678206.500:455): avc:  denied  { read } for  pid=30541 comm="sh" path="/usr/lib64/libc-2.30.so" dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c65,c73 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1574678206.500:455): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f1b47bb3000 a1=19a000 a2=0 a3=4 items=0 ppid=30523 pid=30541 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c65,c73 key=(null)

Hash: sh,container_t,var_lib_t,file,read
Comment 1 Lukas Slebodnik 2019-11-25 10:42:16 UTC 
How to reproduce:
Deterministic

Versions:
sh-5.0# rpm -q podman crun libseccomp containers-common selinux-policy container-selinux
podman-1.6.2-2.fc31.x86_64
crun-0.10.6-1.fc31.x86_64
libseccomp-2.4.2-1.fc31.x86_64
containers-common-0.1.40-4.fc31.x86_64
selinux-policy-3.14.4-42.fc31.noarch
container-selinux-2.119.0-2.fc31.noarch
sh-5.0# uname -a
Linux host.example.com 5.3.12-300.fc31.x86_64 #1 SMP Thu Nov 21 22:52:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Steps:
sh-5.0# cat test/Dockerfile 
FROM registry.fedoraproject.org/fedora:31 
 
RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy 
sh-5.0# podman build -t test test/ 
STEP 1: FROM registry.fedoraproject.org/fedora:31 
STEP 2: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy 
Error: error building at STEP "RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy": error while running runtime: exit status 127 
sh-5.0# ausearch -m avc -i 
---- 
type=PROCTITLE msg=audit(11/25/2019 05:31:11.176:434) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro 
type=PATH msg=audit(11/25/2019 05:31:11.176:434) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=808331 dev=00:25 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c4,c84 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/25/2019 05:31:11.176:434) : item=0 name=/bin/sh inode=26322653 dev=00:25 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c4,c84 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/25/2019 05:31:11.176:434) : cwd=/ 
type=OBJ_PID msg=audit(11/25/2019 05:31:11.176:434) : opid=30294 oauid=root ouid=root oses=4 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=sh 
type=OBJ_PID msg=audit(11/25/2019 05:31:11.176:434) : opid=30294 oauid=root ouid=root oses=4 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=sh 
type=EXECVE msg=audit(11/25/2019 05:31:11.176:434) : argc=3 a0=/bin/sh a1=-c a2=groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy 
type=SYSCALL msg=audit(11/25/2019 05:31:11.176:434) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55d6e086cc50 a1=0x55d6e0870530 a2=0x55d6e086da70 a3=0x7f108f580ac0 items=2 ppid=30277 pid=30294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c4,c84 key=(null) 
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc:  denied  { read write } for  pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0 
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc:  denied  { read write } for  pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0 
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc:  denied  { read write } for  pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0 
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc:  denied  { read write } for  pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0 
---- 
type=PROCTITLE msg=audit(11/25/2019 05:31:11.178:435) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro 
type=SYSCALL msg=audit(11/25/2019 05:31:11.178:435) : arch=x86_64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7f609f00a000 a1=0x19a000 a2=PROT_NONE a3=0x4 items=0 ppid=30277 pid=30294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c4,c84 key=(null) 
type=AVC msg=audit(11/25/2019 05:31:11.178:435) : avc:  denied  { read } for  pid=30294 comm=sh path=/usr/lib64/libc-2.30.so dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Comment 2 Lukas Slebodnik 2019-11-25 10:43:15 UTC 
AVCs in permissive mode

sh-5.0# ausearch -m avc -i
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.744:472) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro 
type=PATH msg=audit(11/25/2019 05:42:01.744:472) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=808331 dev=00:26 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/25/2019 05:42:01.744:472) : item=0 name=/bin/sh inode=26322653 dev=00:26 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/25/2019 05:42:01.744:472) : cwd=/ 
type=EXECVE msg=audit(11/25/2019 05:42:01.744:472) : argc=3 a0=/bin/sh a1=-c a2=groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy 
type=SYSCALL msg=audit(11/25/2019 05:42:01.744:472) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5613ca08ac50 a1=0x5613ca08e530 a2=0x5613ca08abb0 a3=0x7f7aa0c1cac0 items=2 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.744:472) : avc:  denied  { read write } for  pid=30758 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.745:473) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro 
type=SYSCALL msg=audit(11/25/2019 05:42:01.745:473) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7ff32f47f000 a1=0x19a000 a2=PROT_NONE a3=0x4 items=0 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.745:473) : avc:  denied  { read } for  pid=30758 comm=sh path=/usr/lib64/libc-2.30.so dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.746:474) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro 
type=PATH msg=audit(11/25/2019 05:42:01.746:474) : item=0 name=/dev/tty inode=99223 dev=00:29 mode=character,666 ouid=root ogid=root rdev=05:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/25/2019 05:42:01.746:474) : cwd=/ 
type=SYSCALL msg=audit(11/25/2019 05:42:01.746:474) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x556d0e2a02df a2=O_RDWR|O_NONBLOCK a3=0x0 items=1 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.746:474) : avc:  denied  { open } for  pid=30758 comm=sh path=/dev/tty dev="tmpfs" ino=99223 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.747:475) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro 
type=SYSCALL msg=audit(11/25/2019 05:42:01.747:475) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x2 a1=TIOCGPGRP a2=0x7fffc9021514 a3=0x30 items=0 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.747:475) : avc:  denied  { ioctl } for  pid=30758 comm=sh path=/dev/pts/0 dev="devpts" ino=3 ioctlcmd=TIOCGPGRP scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.749:476) : proctitle=groupadd -g 288 kdcproxy 
type=SYSCALL msg=audit(11/25/2019 05:42:01.749:476) : arch=x86_64 syscall=socket success=yes exit=3 a0=netlink a1=SOCK_RAW a2=igp a3=0x20 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.749:476) : avc:  denied  { create } for  pid=30764 comm=groupadd scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:system_r:container_t:s0:c126,c467 tclass=netlink_audit_socket permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.762:478) : proctitle=groupadd -g 288 kdcproxy 
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=4 name=(null) inode=17778372 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=3 name=(null) inode=25559805 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=2 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=1 name=(null) inode=25559805 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=0 name=/etc/gshadow inode=26321756 dev=00:26 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/25/2019 05:42:01.762:478) : cwd=/ 
type=SYSCALL msg=audit(11/25/2019 05:42:01.762:478) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x55829d0c88e0 a2=O_RDWR|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW a3=0x0 items=5 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.762:478) : avc:  denied  { dac_override } for  pid=30764 comm=groupadd capability=dac_override  scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.790:479) : proctitle=groupadd -g 288 kdcproxy 
type=SYSCALL msg=audit(11/25/2019 05:42:01.790:479) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x0 a1=0x7fffcd9ccc30 a2=0x7fffcd9ccc30 a3=0x7fffcd9cbe50 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.790:479) : avc:  denied  { getattr } for  pid=30764 comm=groupadd path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.790:480) : proctitle=groupadd -g 288 kdcproxy
type=SOCKADDR msg=audit(11/25/2019 05:42:01.790:480) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(11/25/2019 05:42:01.790:480) : arch=x86_64 syscall=sendto success=yes exit=120 a0=0x3 a1=0x7fffcd9c8780 a2=0x78 a3=0x0 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.790:480) : avc:  denied  { audit_write } for  pid=30764 comm=groupadd capability=audit_write  scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1 
type=AVC msg=audit(11/25/2019 05:42:01.790:480) : avc:  denied  { nlmsg_relay } for  pid=30764 comm=groupadd scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:system_r:container_t:s0:c126,c467 tclass=netlink_audit_socket permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.896:484) : proctitle=useradd -u 288 -g 288 -c KDC Proxy User -d /var/lib/kdcproxy -s /sbin/nologin kdcproxy 
type=PATH msg=audit(11/25/2019 05:42:01.896:484) : item=0 name=/var/lib/kdcproxy inode=17778374 dev=00:26 mode=dir,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/25/2019 05:42:01.896:484) : cwd=/ 
type=SYSCALL msg=audit(11/25/2019 05:42:01.896:484) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7fff66c48f0a a1=unknown(288) a2=unknown(288) a3=0x7f5c2d629ac0 items=1 ppid=30758 pid=30772 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=useradd exe=/usr/sbin/useradd subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.896:484) : avc:  denied  { chown } for  pid=30772 comm=useradd capability=chown  scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.896:485) : proctitle=useradd -u 288 -g 288 -c KDC Proxy User -d /var/lib/kdcproxy -s /sbin/nologin kdcproxy 
type=PATH msg=audit(11/25/2019 05:42:01.896:485) : item=0 name=/var/lib/kdcproxy inode=17778374 dev=00:26 mode=dir,000 ouid=unknown(288) ogid=unknown(288) rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/25/2019 05:42:01.896:485) : cwd=/ 
type=SYSCALL msg=audit(11/25/2019 05:42:01.896:485) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fff66c48f0a a1=0700 a2=0x3f a3=0x7f5c2d629ac0 items=1 ppid=30758 pid=30772 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=useradd exe=/usr/sbin/useradd subj=system_u:system_r:container_t:s0:c126,c467 key=(null) 
type=AVC msg=audit(11/25/2019 05:42:01.896:485) : avc:  denied  { fsetid } for  pid=30772 comm=useradd capability=fsetid  scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1 
type=AVC msg=audit(11/25/2019 05:42:01.896:485) : avc:  denied  { fowner } for  pid=30772 comm=useradd capability=fowner  scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
Comment 3 Daniel Walsh 2019-11-25 13:43:17 UTC 
This looks like container-selinux failed to install properly.

dnf reinstall container-selinux

Something has gone wrong with the container-selinux and selinux-policy package.
Comment 4 Lukas Slebodnik 2019-11-25 13:48:04 UTC 
sh# dnf reinstall -y container-selinux
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 1:44:27 ago on Mon 25 Nov 2019 07:01:25 AM EST.
Dependencies resolved.
==========================================================================================================
 Package                       Architecture       Version                       Repository           Size
==========================================================================================================
Reinstalling:
 container-selinux             noarch             2:2.119.0-2.fc31              updates              48 k

Transaction Summary
==========================================================================================================

Total download size: 48 k
Installed size: 43 k
Downloading Packages:
container-selinux-2.119.0-2.fc31.noarch.rpm                                83 kB/s |  48 kB     00:00    
----------------------------------------------------------------------------------------------------------
Total                                                                      60 kB/s |  48 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                  1/1 
  Reinstalling     : container-selinux-2:2.119.0-2.fc31.noarch                                        1/2 
  Running scriptlet: container-selinux-2:2.119.0-2.fc31.noarch                                        1/2 
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
/usr/sbin/semodule:  Failed!

  Cleanup          : container-selinux-2:2.119.0-2.fc31.noarch                                        2/2 
  Running scriptlet: container-selinux-2:2.119.0-2.fc31.noarch                                        2/2 
  Verifying        : container-selinux-2:2.119.0-2.fc31.noarch                                        1/2 
  Verifying        : container-selinux-2:2.119.0-2.fc31.noarch                                        2/2 
Installed products updated.

Reinstalled:
  container-selinux-2:2.119.0-2.fc31.noarch                                                               

Complete!

sh# podman build -t test test
STEP 1: FROM registry.fedoraproject.org/fedora:31
STEP 2: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
Error: error building at STEP "RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy": error while running runtime: exit status 127
Comment 5 Lukas Slebodnik 2019-11-25 14:11:10 UTC 
Downgrade to selinux-policy-3.14.4-41.fc31.noarch + reinstall container-selinux helped
Comment 6 Lukas Slebodnik 2019-11-25 15:12:48 UTC 
Moving to container-selinux based on comment in https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
Comment 7 Lukas Slebodnik 2019-11-25 15:14:15 UTC 
And combined bodhi update with selinux-policy-3.14.4-42.fc31 would be ideal :-)
Comment 8 Lokesh Mandvekar 2020-09-11 14:13:51 UTC 
can't reproduce with container-selinux-2.144.0-3.fc33.noarch and selinux-policy-3.14.6-25.fc33.noarch.

Closing, please reopen if it still occurs.