Description of problem:
buildah run doesn't seem to work (without any output) if selinux is in enforcing state. If setenforce 0 is issued, then buildah run works.

Version-Release number of selected component (if applicable):
buildah-1.0-3.gitfe204e4.fc29.x86_64
libselinux-utils-2.8-2.fc29.x86_64
libselinux-2.8-2.fc29.x86_64
selinux-policy-targeted-3.14.2-26.fc29.noarch
container-selinux-2.67-2.git042f7cf.fc29.noarch
rpm-plugin-selinux-4.14.2-0.rc1.1.fc29.1.x86_64
selinux-policy-3.14.2-26.fc29.noarch
python3-libselinux-2.8-2.fc29.x86_64
kernel-4.18.0-0.rc4.git0.1.fc29.x86_64

Please attach AVC messages. You might want to run
  yum reinstall container-selinux
  restorecon -R -v /var/lib/containers
if labeling got screwed up in these directories.

This is from /var/log/messages when I issue "buildah run fedora-working-container bash":
Jul 13 14:46:53 localhost kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue)
Jul 13 14:46:53 localhost audit[8761]: AVC avc: denied { read write } for pid=8761 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c285,c480 tcontext=system_u:object_r:container_file_t:s0:c285,c480 tclass=chr_file permissive=0
Jul 13 14:46:53 localhost audit[8761]: AVC avc: denied { read write } for pid=8761 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c285,c480 tcontext=system_u:object_r:container_file_t:s0:c285,c480 tclass=chr_file permissive=0
Jul 13 14:46:53 localhost audit[8761]: AVC avc: denied { read write } for pid=8761 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c285,c480 tcontext=system_u:object_r:container_file_t:s0:c285,c480 tclass=chr_file permissive=0
Jul 13 14:46:53 localhost audit[8761]: AVC avc: denied { read write } for pid=8761 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c285,c480 tcontext=system_u:object_r:container_file_t:s0:c285,c480 tclass=chr_file permissive=0
Jul 13 14:46:53 localhost audit[8761]: AVC avc: denied { map } for pid=8761 comm="bash" path="/usr/bin/bash" dev="dm-0" ino=1299039 scontext=system_u:system_r:container_t:s0:c285,c480 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Jul 13 14:46:53 localhost audit[8761]: ANOM_ABEND auid=1000 uid=0 gid=0 ses=1 subj=system_u:system_r:container_t:s0:c285,c480 pid=8761 comm="bash" exe="/usr/bin/bash" sig=11 res=1

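A triage helper for the denials quoted above, as an added example that is not part of the original report or of buildah or container-selinux. It parses `avc: denied` records, collapses repeats, and lists paths a container_t process was denied on whose target type lies outside the container_* family, which is a heuristic assumed here for spotting the kind of mislabeling that restorecon repairs. Function names are hypothetical; the sample lines are copied from the comment above.

```python
import re
from collections import Counter

# Sample lines copied from the report above (repeated /dev/pts/0 denial kept twice).
SAMPLE = """\
Jul 13 14:46:53 localhost kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue)
Jul 13 14:46:53 localhost audit[8761]: AVC avc: denied { read write } for pid=8761 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c285,c480 tcontext=system_u:object_r:container_file_t:s0:c285,c480 tclass=chr_file permissive=0
Jul 13 14:46:53 localhost audit[8761]: AVC avc: denied { read write } for pid=8761 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c285,c480 tcontext=system_u:object_r:container_file_t:s0:c285,c480 tclass=chr_file permissive=0
Jul 13 14:46:53 localhost audit[8761]: AVC avc: denied { map } for pid=8761 comm="bash" path="/usr/bin/bash" dev="dm-0" ino=1299039 scontext=system_u:system_r:container_t:s0:c285,c480 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Jul 13 14:46:53 localhost audit[8761]: ANOM_ABEND auid=1000 uid=0 gid=0 ses=1 subj=system_u:system_r:container_t:s0:c285,c480 pid=8761 comm="bash" exe="/usr/bin/bash" sig=11 res=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(context):
    # A context is user:role:type:level; the MLS level may itself contain ':'.
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = tuple(m.group("perms").split())
    rec["stype"] = _type_of(rec.get("scontext", ""))
    rec["ttype"] = _type_of(rec.get("tcontext", ""))
    return rec

def summarize(lines):
    """Count distinct denials as (source type, target type, class, perms, path)."""
    recs = filter(None, map(parse_avc, lines))
    return Counter((r["stype"], r["ttype"], r.get("tclass"), r["perms"], r.get("path"))
                   for r in recs)

def label_suspects(lines):
    """Paths denied to container_t whose target type is not container_* (assumed heuristic)."""
    return sorted({(path, ttype) for (stype, ttype, _, _, path) in summarize(lines)
                   if stype == "container_t" and ttype and not ttype.startswith("container_")})

if __name__ == "__main__":
    for key, count in summarize(SAMPLE.splitlines()).items():
        print(count, key)
    print("relabel candidates:", label_suspects(SAMPLE.splitlines()))
```

On the sample, the only relabel candidate is /usr/bin/bash with type var_lib_t; the /dev/pts/0 denials already carry container_file_t and are reported separately in the summary.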
Did container-selinux install correctly?
  yum reinstall container-selinux
  grep expand-check /etc/selinux/semanage.conf
This field should be
  expand-check=0

(In reply to Daniel Walsh from comment #3)
> Did container-selinux install correctly?
>
> yum reinstall container-selinux
>
> grep expand-check /etc/selinux/semanage.conf
>
> This field should be
> expand-check=0

...
Reinstalled:
  container-selinux-2:2.67-2.git042f7cf.fc29.noarch
Complete!
[root@alessiopc alessio]# grep expand-check /etc/selinux/semanage.conf
# expand-check check neverallow rules when executing all semanage
expand-check = 1

Change the expand-check to = 0
What is the buildah command you are running?
buildah-1.2-1.gitbe87762.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d9a8457274
buildah-1.2-1.gitbe87762.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eb77f53f4
buildah-1.2-1.gitbe87762.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eb77f53f4
buildah-1.2-1.gitbe87762.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d9a8457274
(In reply to Daniel Walsh from comment #6)
> What is the buildah command you are running?

This one, for instance
  buildah run fedora-working-container /bin/bash

(In reply to Daniel Walsh from comment #5)
> Change the expand-check to = 0

Even with this option, the issue remains.

Alessio, can we communicate on IRC? I think this is a configuration issue, since no one else is reporting problems. I am dwalsh on #buildah on freenode.
buildah-1.2-1.gitbe87762.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
buildah-1.2-1.gitbe87762.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.