Using the latest Fedora Rawhide Atomic Host, I am unable to run containers using `podman`. The `run` appears to fail due to an SELinux denial:

```
# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://rawhide:fedora/rawhide/x86_64/atomic-host
                   Version: Rawhide.20180616.n.0 (2018-06-16 09:30:08)
                    Commit: 1055dea1f99991fb56d5ae9e29cc6ff52fa01970555f82fcc8e929c7f717907f

# rpm -q container-selinux podman runc selinux-policy
container-selinux-2.64-1.gitdfaf8fd.fc29.noarch
podman-0.6.4-1.gitb43677c.fc29.x86_64
runc-1.0.0-36.gitad0f525.fc29.x86_64
selinux-policy-3.14.2-25.fc29.noarch

# podman run -it --rm registry.fedoraproject.org/fedora echo 'hello'
Trying to pull registry.fedoraproject.org/fedora...Getting image source signatures
Copying blob sha256:bd02462c6d09de67de291323a7b926313b0e0838b423ea51563ef2293c67ff2d
 85.56 MB / 85.56 MB [=====================================================] 10s
Copying config sha256:75aeb7f897fdff7569c8bf1bc33c32823eb6c5baad9ac7dfa501ce284d795116
 1.27 KB / 1.27 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
ERRO[0023] `iptables -t filter -D FORWARD -s 10.88.0.2 ! -o 10.88.0.2 -j ACCEPT` failed: (fork/exec /usr/sbin/iptables: permission denied)

# journalctl -b | grep 'avc: denied'
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc: denied { read write } for pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc: denied { read write } for pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc: denied { read write } for pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc: denied { read write } for pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0
Jun 18 15:59:11 micah-f28ah-vm0618a audit[1453]: AVC avc: denied { map } for pid=1453 comm="echo" path="/usr/bin/coreutils" dev="dm-0" ino=29003 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Jun 18 15:59:12 micah-f28ah-vm0618a audit[1476]: AVC avc: denied { entrypoint } for pid=1476 comm="podman" path="/usr/sbin/xtables-multi" dev="dm-0" ino=46410208 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
```

Could be the same as RHBZ#1592488
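A triage helper for denials like the ones in the report above, added here as an example (it is not part of the bug report or of podman/container-selinux): it parses `avc: denied` lines and groups them by source type, target type, object class and permissions, so repeated denials collapse into one row. The sample lines are constructed from the journal output above with a placeholder hostname, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the journal lines in the report (hostname replaced).
SAMPLE = [
    'Jun 18 15:59:11 host audit[1453]: AVC avc: denied { read write } for pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0',
    'Jun 18 15:59:11 host audit[1453]: AVC avc: denied { read write } for pid=1453 comm="echo" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=system_u:object_r:container_file_t:s0:c134,c903 tclass=chr_file permissive=0',
    'Jun 18 15:59:11 host audit[1453]: AVC avc: denied { map } for pid=1453 comm="echo" path="/usr/bin/coreutils" dev="dm-0" ino=29003 scontext=system_u:system_r:container_t:s0:c134,c903 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'Jun 18 15:59:12 host audit[1476]: AVC avc: denied { entrypoint } for pid=1476 comm="podman" path="/usr/sbin/xtables-multi" dev="dm-0" ino=46410208 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # Context is user:role:type:level; the level may itself contain ':' (s0:c134,c903).
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial line
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "perms": tuple(m.group(1).split()),
        "source": selinux_type(fields.get("scontext", "")),
        "target": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "path": fields.get("path", ""),
        "enforced": fields.get("permissive") == "0",
    }

def summarize(lines):
    # Key: (source type, target type, object class, permissions).
    groups = defaultdict(lambda: {"count": 0, "paths": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"], rec["perms"])
        groups[key]["count"] += 1
        groups[key]["paths"].add(rec["path"])
    return dict(groups)

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(g["count"], *key, sorted(g["paths"]))
```
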
podman-0.6.4-1.gitd5beb2f.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5142d70592
podman-0.6.4-1.gitd5beb2f.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2b96ea9fec
podman-0.6.4-1.gitd5beb2f.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5142d70592
podman-0.6.4-1.gitd5beb2f.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2b96ea9fec
VERIFIED with podman-0.6.4-1.gitd5beb2f.fc28
podman-0.6.4-1.gitd5beb2f.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
podman-0.6.4-1.gitd5beb2f.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.