Bug 1987049

Summary: inability to start container with runc caused by redundant seccomp rules
Product: Red Hat Enterprise Linux 8
Reporter: Kirill Kolyshkin <kolyshkin>
Component: podman
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: Alex Jia <ajia>
Severity: medium
Docs Contact:
Priority: urgent
Version: 8.4
CC: bbaude, dornelas, dwalsh, jligon, jnovy, kir, lsm5, mheon, pthomas, tsweeney, umohnani, ypu
Target Milestone: beta
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: podman-3.3.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1999262
Environment:
Last Closed: 2021-11-09 17:40:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1999262

Description Kirill Kolyshkin 2021-07-28 19:45:16 UTC
Description of problem:

Please see https://github.com/containers/podman/issues/11031


Version-Release number of selected component (if applicable):

Podman 3.2.x plus recent containers-common.

How reproducible:

Always


Steps to Reproduce:
1. $ podman --runtime=runc run fedora echo it works

Actual results:

Error: unable to start container process: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

(or similar)


Expected results:

it works

Additional info:

Proposed fix: https://github.com/containers/podman/pull/11039
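Added example (not code from the bug report, from podman or from runc): a lint for the seccomp profile format the report points at, assuming that the redundancy in question is a rule whose action equals the profile's defaultAction. libseccomp rejects such a rule with EACCES, which runc surfaces as the "permission denied" shown above; for SCMP_ACT_ERRNO the errno value is part of the action and an absent errnoRet means EPERM, so the (action, errno) pair decides, and the sample profile is constructed.

```python
"""Lint an OCI / containers-common seccomp profile for rules that duplicate
defaultAction.  Added example, not code from the bug report or from podman."""
import json

EPERM = 1  # OCI default when errnoRet / defaultErrnoRet is absent

def effective_action(action, errno_ret=None):
    """Comparable action key: for SCMP_ACT_ERRNO the errno is part of the
    action (SCMP_ACT_ERRNO(1) != SCMP_ACT_ERRNO(38)), so a rule duplicates
    the default only when both action and errno match."""
    if action == "SCMP_ACT_ERRNO":
        return (action, EPERM if errno_ret is None else errno_ret)
    return (action, None)

def find_redundant_rules(profile):
    """(index, names) of every rule whose action equals defaultAction; libseccomp
    refuses such a rule with EACCES, the 'permission denied' in the report."""
    default = effective_action(profile["defaultAction"],
                               profile.get("defaultErrnoRet"))
    hits = []
    for idx, rule in enumerate(profile.get("syscalls", [])):
        if effective_action(rule["action"], rule.get("errnoRet")) == default:
            hits.append((idx, list(rule["names"])))
    return hits

def prune_redundant_rules(profile):
    """Copy of the profile without the redundant rules.  The affected syscalls
    still receive defaultAction, so the filter's behaviour does not change."""
    drop = {idx for idx, _ in find_redundant_rules(profile)}
    pruned = dict(profile)
    pruned["syscalls"] = [r for i, r in enumerate(profile.get("syscalls", []))
                          if i not in drop]
    return pruned

# Constructed sample in the shape of /usr/share/containers/seccomp.json.
SAMPLE_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["bdflush", "create_module"], "action": "SCMP_ACT_ERRNO",
     "errnoRet": 1, "comment": "same as the default: libseccomp rejects it"},
    {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38,
     "comment": "ENOSYS differs from the default EPERM: accepted"}
  ]
}""")

if __name__ == "__main__":
    for idx, names in find_redundant_rules(SAMPLE_PROFILE):
        print(f"rule {idx} duplicates defaultAction: {', '.join(names)}")
```

Point the script at the installed profile (json.load on the path from the rpm -qf line below) to check a containers-common build before shipping it alongside a runc that enforces the check.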

Comment 2 Jindrich Novy 2021-07-30 09:33:36 UTC
Can we get QA ack here please?

Comment 3 Jindrich Novy 2021-07-30 10:43:15 UTC
Kir, does this need to go to podman-3.3 too or not?

Comment 6 Kir Kolyshkin 2021-07-30 18:36:06 UTC
Not needed in podman 3.3 as of https://github.com/containers/podman/pull/10690/commits/b6662eed3f27ac5466501b046db4f1608845af61

Comment 10 Alex Jia 2021-08-06 09:41:31 UTC
This bug has been verified on podman-3.3.0-2.module+el8.5.0+12136+c1ac9593.


[root@kvm-07-guest24 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 Beta (Ootpa)

[root@kvm-07-guest24 ~]# rpm -q runc podman kernel
runc-1.0.1-4.module+el8.5.0+12048+8939a3ea.x86_64
podman-3.3.0-2.module+el8.5.0+12136+c1ac9593.x86_64
kernel-4.18.0-325.el8.x86_64

[root@kvm-07-guest24 ~]# rpm -qf /usr/share/containers/seccomp.json
containers-common-1.4.0-4.module+el8.5.0+12136+c1ac9593.x86_64

[root@kvm-07-guest24 ~]# podman --runtime=runc run -it --rm quay.io/libpod/alpine:latest echo hello
hello

Comment 15 errata-xmlrpc 2021-11-09 17:40:16 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4154