Bug 1868590

Summary: error while loading shared libraries: librt.so.1: cannot change memory protections
Product: Red Hat Enterprise Linux 8 Reporter: Edward Shen <weshen>
Component: container-selinuxAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: atomic-bugs <atomic-bugs>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.3CC: jnovy
Target Milestone: betaFlags: pm-rhel: mirror+
Target Release: 8.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-19 13:03:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Daniel Walsh 2020-08-13 11:00:46 UTC 
What AVCs were you seeing?
Comment 2 Edward Shen 2020-08-14 15:44:31 UTC 
(In reply to Daniel Walsh from comment #1)
> What AVCs were you seeing?

Sorry Dan, I forgot to attach the AVC.

type=AVC msg=audit(1597418827.397:717): avc:  denied  { read } for  pid=92580 comm="echo" path="/usr/lib64/librt-2.28.so" dev="dm-0" ino=1465051 scontext=system_u:system_r:container_t:s0:c211,c704 tcontext=system_u:object_r:container_file_t:s0:c461,c1011 tclass=file permissive=0
Comment 3 Daniel Walsh 2020-08-17 14:50:28 UTC 
This indicates that you have a container attempting to read content of a different container.

I am thinking you have mislabeled content under /var/lib/containers/

If you do podman system reset, do your containers start to work again?
Comment 4 Edward Shen 2020-08-19 13:03:35 UTC 
I don't have the ENV now. I borrowed a beaker machine with latest container-tools module, container-selinux version is newer - 2:2.144.0-1.module+el8.3.0+7655+435bcef7, this issue does not exist. Then removed it and installed the reported version, this issue didn't show up either. It might be the ENV issue. I'll close this as NOT A BUG.