Bug 1776248
Summary: | SELinux is preventing /usr/bin/bash from read access on the file /usr/lib64/libc-2.30.so | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
Component: | container-selinux | Assignee: | Lokesh Mandvekar <lsm5> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 31 | CC: | amurdaca, bbaude, debarshir, dwalsh, jchaloup, jnovy, lsm5, lvrabec, mgrepl, mheon, plautrba, rh.container.bot, santiago, zpytela |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-09-11 14:13:51 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lukas Slebodnik
2019-11-25 10:39:20 UTC
How to reproduce: Deterministic

Versions:

sh-5.0# rpm -q podman crun libseccomp containers-common selinux-policy container-selinux
podman-1.6.2-2.fc31.x86_64
crun-0.10.6-1.fc31.x86_64
libseccomp-2.4.2-1.fc31.x86_64
containers-common-0.1.40-4.fc31.x86_64
selinux-policy-3.14.4-42.fc31.noarch
container-selinux-2.119.0-2.fc31.noarch

sh-5.0# uname -a
Linux host.example.com 5.3.12-300.fc31.x86_64 #1 SMP Thu Nov 21 22:52:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Steps:

sh-5.0# cat test/Dockerfile
FROM registry.fedoraproject.org/fedora:31
RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy

sh-5.0# podman build -t test test/
STEP 1: FROM registry.fedoraproject.org/fedora:31
STEP 2: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
Error: error building at STEP "RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy": error while running runtime: exit status 127

sh-5.0# ausearch -m avc -i
----
type=PROCTITLE msg=audit(11/25/2019 05:31:11.176:434) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=PATH msg=audit(11/25/2019 05:31:11.176:434) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=808331 dev=00:25 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c4,c84 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:31:11.176:434) : item=0 name=/bin/sh inode=26322653 dev=00:25 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c4,c84 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:31:11.176:434) : cwd=/
type=OBJ_PID msg=audit(11/25/2019 05:31:11.176:434) : opid=30294 oauid=root ouid=root oses=4 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=sh
type=OBJ_PID msg=audit(11/25/2019 05:31:11.176:434) : opid=30294 oauid=root ouid=root oses=4 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=sh
type=EXECVE msg=audit(11/25/2019 05:31:11.176:434) : argc=3 a0=/bin/sh a1=-c a2=groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
type=SYSCALL msg=audit(11/25/2019 05:31:11.176:434) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55d6e086cc50 a1=0x55d6e0870530 a2=0x55d6e086da70 a3=0x7f108f580ac0 items=2 ppid=30277 pid=30294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c4,c84 key=(null)
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
----
type=PROCTITLE msg=audit(11/25/2019 05:31:11.178:435) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=SYSCALL msg=audit(11/25/2019 05:31:11.178:435) : arch=x86_64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7f609f00a000 a1=0x19a000 a2=PROT_NONE a3=0x4 items=0 ppid=30277 pid=30294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c4,c84 key=(null)
type=AVC msg=audit(11/25/2019 05:31:11.178:435) : avc: denied { read } for pid=30294 comm=sh path=/usr/lib64/libc-2.30.so dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

AVCs in permissive mode

sh-5.0# ausearch -m avc -i
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.744:472) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=PATH msg=audit(11/25/2019 05:42:01.744:472) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=808331 dev=00:26 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.744:472) : item=0 name=/bin/sh inode=26322653 dev=00:26 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.744:472) : cwd=/
type=EXECVE msg=audit(11/25/2019 05:42:01.744:472) : argc=3 a0=/bin/sh a1=-c a2=groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
type=SYSCALL msg=audit(11/25/2019 05:42:01.744:472) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5613ca08ac50 a1=0x5613ca08e530 a2=0x5613ca08abb0 a3=0x7f7aa0c1cac0 items=2 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.744:472) : avc: denied { read write } for pid=30758 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.745:473) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=SYSCALL msg=audit(11/25/2019 05:42:01.745:473) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7ff32f47f000 a1=0x19a000 a2=PROT_NONE a3=0x4 items=0 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.745:473) : avc: denied { read } for pid=30758 comm=sh path=/usr/lib64/libc-2.30.so dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.746:474) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=PATH msg=audit(11/25/2019 05:42:01.746:474) : item=0 name=/dev/tty inode=99223 dev=00:29 mode=character,666 ouid=root ogid=root rdev=05:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.746:474) : cwd=/
type=SYSCALL msg=audit(11/25/2019 05:42:01.746:474) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x556d0e2a02df a2=O_RDWR|O_NONBLOCK a3=0x0 items=1 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.746:474) : avc: denied { open } for pid=30758 comm=sh path=/dev/tty dev="tmpfs" ino=99223 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.747:475) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=SYSCALL msg=audit(11/25/2019 05:42:01.747:475) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x2 a1=TIOCGPGRP a2=0x7fffc9021514 a3=0x30 items=0 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.747:475) : avc: denied { ioctl } for pid=30758 comm=sh path=/dev/pts/0 dev="devpts" ino=3 ioctlcmd=TIOCGPGRP scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.749:476) : proctitle=groupadd -g 288 kdcproxy
type=SYSCALL msg=audit(11/25/2019 05:42:01.749:476) : arch=x86_64 syscall=socket success=yes exit=3 a0=netlink a1=SOCK_RAW a2=igp a3=0x20 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.749:476) : avc: denied { create } for pid=30764 comm=groupadd scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:system_r:container_t:s0:c126,c467 tclass=netlink_audit_socket permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.762:478) : proctitle=groupadd -g 288 kdcproxy
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=4 name=(null) inode=17778372 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=3 name=(null) inode=25559805 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=2 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=1 name=(null) inode=25559805 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=0 name=/etc/gshadow inode=26321756 dev=00:26 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.762:478) : cwd=/
type=SYSCALL msg=audit(11/25/2019 05:42:01.762:478) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x55829d0c88e0 a2=O_RDWR|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW a3=0x0 items=5 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.762:478) : avc: denied { dac_override } for pid=30764 comm=groupadd capability=dac_override scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.790:479) : proctitle=groupadd -g 288 kdcproxy
type=SYSCALL msg=audit(11/25/2019 05:42:01.790:479) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x0 a1=0x7fffcd9ccc30 a2=0x7fffcd9ccc30 a3=0x7fffcd9cbe50 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.790:479) : avc: denied { getattr } for pid=30764 comm=groupadd path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.790:480) : proctitle=groupadd -g 288 kdcproxy
type=SOCKADDR msg=audit(11/25/2019 05:42:01.790:480) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(11/25/2019 05:42:01.790:480) : arch=x86_64 syscall=sendto success=yes exit=120 a0=0x3 a1=0x7fffcd9c8780 a2=0x78 a3=0x0 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.790:480) : avc: denied { audit_write } for pid=30764 comm=groupadd capability=audit_write scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
type=AVC msg=audit(11/25/2019 05:42:01.790:480) : avc: denied { nlmsg_relay } for pid=30764 comm=groupadd scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:system_r:container_t:s0:c126,c467 tclass=netlink_audit_socket permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.896:484) : proctitle=useradd -u 288 -g 288 -c KDC Proxy User -d /var/lib/kdcproxy -s /sbin/nologin kdcproxy
type=PATH msg=audit(11/25/2019 05:42:01.896:484) : item=0 name=/var/lib/kdcproxy inode=17778374 dev=00:26 mode=dir,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.896:484) : cwd=/
type=SYSCALL msg=audit(11/25/2019 05:42:01.896:484) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7fff66c48f0a a1=unknown(288) a2=unknown(288) a3=0x7f5c2d629ac0 items=1 ppid=30758 pid=30772 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=useradd exe=/usr/sbin/useradd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.896:484) : avc: denied { chown } for pid=30772 comm=useradd capability=chown scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.896:485) : proctitle=useradd -u 288 -g 288 -c KDC Proxy User -d /var/lib/kdcproxy -s /sbin/nologin kdcproxy
type=PATH msg=audit(11/25/2019 05:42:01.896:485) : item=0 name=/var/lib/kdcproxy inode=17778374 dev=00:26 mode=dir,000 ouid=unknown(288) ogid=unknown(288) rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.896:485) : cwd=/
type=SYSCALL msg=audit(11/25/2019 05:42:01.896:485) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fff66c48f0a a1=0700 a2=0x3f a3=0x7f5c2d629ac0 items=1 ppid=30758 pid=30772 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=useradd exe=/usr/sbin/useradd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.896:485) : avc: denied { fsetid } for pid=30772 comm=useradd capability=fsetid scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
type=AVC msg=audit(11/25/2019 05:42:01.896:485) : avc: denied { fowner } for pid=30772 comm=useradd capability=fowner scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1

This looks like container-selinux failed to install properly.

dnf reinstall container-selinux

Something has gone wrong with the container-selinux and selinux-policy package.

sh# dnf reinstall -y container-selinux
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 1:44:27 ago on Mon 25 Nov 2019 07:01:25 AM EST.
Dependencies resolved.
==========================================================================================================
Package Architecture Version Repository Size
==========================================================================================================
Reinstalling:
container-selinux noarch 2:2.119.0-2.fc31 updates 48 k
Transaction Summary
==========================================================================================================
Total download size: 48 k
Installed size: 43 k
Downloading Packages:
container-selinux-2.119.0-2.fc31.noarch.rpm 83 kB/s | 48 kB 00:00
----------------------------------------------------------------------------------------------------------
Total 60 kB/s | 48 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Reinstalling : container-selinux-2:2.119.0-2.fc31.noarch 1/2
Running scriptlet: container-selinux-2:2.119.0-2.fc31.noarch 1/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
/usr/sbin/semodule: Failed!
Cleanup : container-selinux-2:2.119.0-2.fc31.noarch 2/2
Running scriptlet: container-selinux-2:2.119.0-2.fc31.noarch 2/2
Verifying : container-selinux-2:2.119.0-2.fc31.noarch 1/2
Verifying : container-selinux-2:2.119.0-2.fc31.noarch 2/2
Installed products updated.
Reinstalled:
container-selinux-2:2.119.0-2.fc31.noarch
Complete!

sh# podman build -t test test
STEP 1: FROM registry.fedoraproject.org/fedora:31
STEP 2: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
Error: error building at STEP "RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy": error while running runtime: exit status 127

Downgrade to selinux-policy-3.14.4-41.fc31.noarch + reinstall container-selinux helped

Moving to container-selinux based on comment in https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

And combined bodhi update with selinux-policy-3.14.4-42.fc31 would be ideal :-)

can't reproduce with container-selinux-2.144.0-3.fc33.noarch and selinux-policy-3.14.6-25.fc33.noarch. Closing, please reopen if it still occurs.
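
Added example (not part of the original report or of any project named in it): a small Python triage of the `avc: denied` records quoted above. It groups denials by source type, target type and class, and singles out container_t access to files labelled outside the container_* family, as with libc-2.30.so labelled var_lib_t here. The sample records are copied from the report; treating the `container_` prefix as the marker of a container-owned label is an assumption of this example.

```python
import re
from collections import Counter

# Sample input: four AVC records copied from the ausearch output in this report.
SAMPLE = """\
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
type=AVC msg=audit(11/25/2019 05:31:11.178:435) : avc: denied { read } for pid=30294 comm=sh path=/usr/lib64/libc-2.30.so dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(11/25/2019 05:42:01.745:473) : avc: denied { read } for pid=30758 comm=sh path=/usr/lib64/libc-2.30.so dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/25/2019 05:42:01.896:484) : avc: denied { chown } for pid=30772 comm=useradd capability=chown scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}


def selinux_type(context):
    """Return the type field (third colon-separated part) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Some records above print the categories as "c126 c467"; the value is then
    # cut at the space, which is harmless because only the type field is used.
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": tuple(m.group(1).split()),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "permissive": fields.get("permissive") == "1",
    }


def triage(text):
    """Count denials per (source, target, class) and list likely label mismatches."""
    denials = [d for d in map(parse_avc, text.splitlines()) if d]
    groups = Counter((d["source_type"], d["target_type"], d["tclass"]) for d in denials)
    # Assumption of this example: a container_t process should only meet
    # file objects whose type starts with "container_".
    mislabelled = [d for d in denials
                   if d["source_type"] == "container_t"
                   and d["tclass"] in FILE_CLASSES
                   and not d["target_type"].startswith("container_")]
    return groups, mislabelled


if __name__ == "__main__":
    groups, mislabelled = triage(SAMPLE)
    for (src, tgt, cls), count in groups.most_common():
        print(f"{count:3d}  {src} -> {tgt} [{cls}]")
    for d in mislabelled:
        mode = "permissive" if d["permissive"] else "enforcing"
        print(f"label mismatch ({mode}): {d['comm']} {d['perms']} on {d['path']} ({d['target_type']})")
```

On a host, pass the text output of `ausearch -m avc -i` to `triage()` in place of `SAMPLE`.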