Description of problem:
Attempted to use podman to run a clair container.
SELinux is preventing clair from 'write' accesses on the directory /dev/shm.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/dev/shm default label should be tmpfs_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /dev/shm
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that clair should be allowed write access on the shm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'clair' --raw | audit2allow -M my-clair
# semodule -X 300 -i my-clair.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c419,c542
Target Context system_u:object_r:tmp_t:s0
Target Objects /dev/shm [ dir ]
Source clair
Source Path clair
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.5-45.fc32.noarch
Local Policy RPM selinux-policy-targeted-3.14.5-45.fc32.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 5.9.11-100.fc32.x86_64 #1 SMP Tue Nov 24 19:16:53 UTC 2020 x86_64 x86_64
Alert Count 2
First Seen 2020-12-15 16:30:50 EST
Last Seen 2020-12-15 16:30:50 EST
Local ID fdb57832-dc00-4e88-8397-cace6676fbc5
Raw Audit Messages
type=AVC msg=audit(1608067850.250:873): avc: denied { write } for pid=11509 comm="clair" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:container_t:s0:c419,c542 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
Hash: clair,container_t,tmp_t,dir,write
Version-Release number of selected component:
selinux-policy-targeted-3.14.5-45.fc32.noarch
Additional info:
component: selinux-policy
reporter: libreport-2.13.1
hashmarkername: setroubleshoot
kernel: 5.9.11-100.fc32.x86_64
type: libreport
What was the podman command used to start the container? This looks like the volume inserted into the container needs to be relabeled with the :Z or :z.
Or SELinux needs to be disabled: --security-opt label=disabled
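As an added example (not part of this bug report, setroubleshoot or podman), the following Python script parses raw AVC lines such as the one quoted in the report, splits the source and target contexts into type and MCS categories, and classifies the denial along the lines of the comment above: a container_t process denied write on a path whose type is not container_file_t points to a volume that was never relabelled for containers (the :z/:Z mount option), which is the fix to try before generating a local policy module with audit2allow. The AVC line is copied from the report; the second sample line, the category names and the advice strings are constructed for illustration.

```python
import re
import shlex

# Raw AVC line copied from the report above (auditd emits double spaces).
AVC_LINE = (
    'type=AVC msg=audit(1608067850.250:873): avc:  denied  { write } for  '
    'pid=11509 comm="clair" name="/" dev="tmpfs" ino=1 '
    'scontext=system_u:system_r:container_t:s0:c419,c542 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0'
)

# Constructed sample (not from the report): same process, but the target is a
# container_file_t volume that was labelled for a different container (:Z).
MCS_LINE = (
    'type=AVC msg=audit(1608067851.000:874): avc:  denied  { write } for  '
    'pid=11509 comm="clair" name="data" dev="dm-0" ino=42 '
    'scontext=system_u:system_r:container_t:s0:c419,c542 '
    'tcontext=system_u:object_r:container_file_t:s0:c1,c2 tclass=dir permissive=0'
)

_AVC_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$'
)


def _split_context(ctx):
    """Split user:role:type:level; level is 's0' or 's0:c419,c542'."""
    user, role, typ, level = ctx.split(':', 3)
    sensitivity, _, categories = level.partition(':')
    return {'user': user, 'role': role, 'type': typ,
            'sensitivity': sensitivity, 'categories': categories or None}


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    # shlex handles the quoted values such as comm="clair" and name="/".
    for tok in shlex.split(m.group('kv')):
        key, sep, val = tok.partition('=')
        if sep:
            rec[key] = val
    rec['source'] = _split_context(rec['scontext'])
    rec['target'] = _split_context(rec['tcontext'])
    return rec


# Permissions that imply the container is trying to modify the target.
WRITE_PERMS = {'write', 'add_name', 'remove_name', 'create',
               'unlink', 'rename', 'setattr'}


def classify(rec):
    """Constructed classification names: map a denial to the likely cause."""
    if rec is None or rec['result'] != 'denied':
        return 'no_denial'
    src, tgt = rec['source'], rec['target']
    if src['type'] != 'container_t':
        return 'not_container'
    if tgt['type'] == 'container_file_t':
        # Right type for a container volume; differing categories mean it was
        # relabelled for another container with :Z (use :z to share it).
        if tgt['categories'] and tgt['categories'] != src['categories']:
            return 'mcs_mismatch'
        return 'other'
    if WRITE_PERMS & set(rec['perms']):
        # Host path (here tmp_t on a tmpfs) never labelled for containers.
        return 'unlabelled_host_path'
    return 'other'


ADVICE = {
    'unlabelled_host_path': 'relabel the volume with :z or :Z instead of a local policy module',
    'mcs_mismatch': 'volume is private to another container; mount it with :z to share',
    'no_denial': 'nothing to do',
    'not_container': 'not a container process; investigate the source type',
    'other': 'inspect the denial manually',
}


if __name__ == '__main__':
    for line in (AVC_LINE, MCS_LINE):
        rec = parse_avc(line)
        print(rec['comm'], rec['perms'], rec['source']['type'], '->',
              rec['target']['type'], ':', ADVICE[classify(rec)])
```

Run it against the output of `ausearch -m AVC --raw` (one record per line) to triage denials before deciding between a relabel and a policy change.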