Description of problem:
Ran as root:

virt-bootstrap docker://fedora /var/lib/libvirt/filesystems/fedora-29

The result was:

INFO : Checking cached layers
INFO : Extracting container layers
INFO : Extracting layer (1/1) with size: 85.70 MiB
Traceback (most recent call last):
  File "/usr/bin/virt-bootstrap", line 11, in <module>
    load_entry_point('virt-bootstrap==1.1.0', 'console_scripts', 'virt-bootstrap')()
  File "/usr/lib/python3.7/site-packages/virtBootstrap/virt_bootstrap.py", line 334, in main
    progress_cb=args.status_only)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/virt_bootstrap.py", line 148, in bootstrap
    progress=prog).unpack(dest)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/sources/docker_source.py", line 307, in unpack
    utils.untar_layers(self.layers, dest, self.progress)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/utils.py", line 344, in untar_layers
    safe_untar(tar_file, dest_dir)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/utils.py", line 287, in safe_untar
    execute(virt_sandbox + params)
  File "/usr/lib/python3.7/site-packages/virtBootstrap/utils.py", line 264, in execute
    raise subprocess.CalledProcessError(proc.returncode, cmd_str)
subprocess.CalledProcessError: Command 'virt-sandbox -c lxc:/// --name=bootstrap_2307045 -m host-bind:/mnt=/var/lib/libvirt/filesystems/dc1 -- /bin/tar xf /var/cache/virt-bootstrap/docker_images/0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a -C /mnt --exclude dev/* --overwrite --absolute-names --acls --xattrs --selinux' returned non-zero exit status 1.

SELinux is preventing libvirt_lxc from 'entrypoint' accesses on the file /etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc default label should be etc_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that libvirt_lxc should be allowed entrypoint access on the libvirt-sandbox-init-lxc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'libvirt_lxc' --raw | audit2allow -M my-libvirtlxc
# semodule -X 300 -i my-libvirtlxc.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c703,c967
Target Context                unconfined_u:object_r:virt_lxc_var_run_t:s0
Target Objects                /etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc [ file ]
Source                        libvirt_lxc
Source Path                   libvirt_lxc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-47.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.15-300.fc29.x86_64 #1 SMP Mon Jan 14 16:32:35 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-02-01 11:39:54 EST
Last Seen                     2019-02-01 11:39:54 EST
Local ID                      29cd8957-be89-46f2-95f5-070d8e337efb

Raw Audit Messages
type=AVC msg=audit(1549039194.626:35250): avc: denied { entrypoint } for pid=2306241 comm="libvirt_lxc" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19863480 scontext=system_u:system_r:container_t:s0:c703,c967 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=0

Hash: libvirt_lxc,container_t,virt_lxc_var_run_t,file,entrypoint

Version-Release number of selected component:
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.15-300.fc29.x86_64
type:           libreport
Setting SELinux to permissive allowed me to collect a variety of AVCs when running the command again.

# semanage permissive -a container_t
# virt-bootstrap docker://fedora /var/lib/libvirt/filesystems/dc1
INFO : Checking cached layers
INFO : Extracting container layers
INFO : Extracting layer (1/1) with size: 85.70 MiB
INFO : Download and extract completed!
INFO : Files are stored in: /var/lib/libvirt/filesystems/dc1
# ausearch -se container_t --raw
type=AVC msg=audit(1549039582.349:35294): avc: denied { entrypoint } for pid=2308728 comm="libvirt_lxc" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35295): avc: denied { read write } for pid=2308728 comm="libvirt-sandbox" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.350:35296): avc: denied { map } for pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35297): avc: denied { read } for pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35298): avc: denied { execute } for pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35299): avc: denied { open } for pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/ld.so" dev="tmpfs" ino=19869492 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35300): avc: denied { execute_no_trans } for pid=2308728 comm="libvirt-sandbox" path="/etc/libvirt-sandbox/scratch/.libs/ld.so" dev="tmpfs" ino=19869492 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.355:35309): avc: denied { read } for pid=2308728 comm="ld.so" name="passwd" dev="dm-1" ino=757405 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.355:35310): avc: denied { open } for pid=2308728 comm="ld.so" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=757405 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.355:35311): avc: denied { map } for pid=2308728 comm="ld.so" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=757405 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.355:35312): avc: denied { write } for pid=2308728 comm="ld.so" name="nss" dev="dm-1" ino=35182816 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1549039582.355:35313): avc: denied { connectto } for pid=2308728 comm="ld.so" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1549039582.358:35315): avc: denied { read write } for pid=2308728 comm="ld.so" name="1" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.358:35316): avc: denied { open } for pid=2308728 comm="ld.so" path="/dev/tty2" dev="devpts" ino=4 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.358:35317): avc: denied { ioctl } for pid=2308728 comm="ld.so" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.361:35318): avc: denied { getattr } for pid=2308728 comm="ld.so" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.363:35319): avc: denied { read } for pid=2308745 comm="tar" name="0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a" dev="dm-1" ino=134244215 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.363:35320): avc: denied { open } for pid=2308745 comm="tar" path="/var/cache/virt-bootstrap/docker_images/0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a" dev="dm-1" ino=134244215 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.365:35321): avc: denied { ioctl } for pid=2308746 comm="gzip" path="/var/cache/virt-bootstrap/docker_images/0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a" dev="dm-1" ino=134244215 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.366:35322): avc: denied { write } for pid=2308745 comm="tar" name="dc1" dev="zfs" ino=45070 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.366:35323): avc: denied { add_name } for pid=2308745 comm="tar" name="bin" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.366:35324): avc: denied { create } for pid=2308745 comm="tar" name="bin" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1549039582.366:35325): avc: denied { setattr } for pid=2308745 comm="tar" name="bin" dev="zfs" ino=38477 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1549039582.366:35326): avc: denied { create } for pid=2308745 comm="tar" name="boot" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.366:35327): avc: denied { setattr } for pid=2308745 comm="tar" name="boot" dev="zfs" ino=38480 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.367:35328): avc: denied { write } for pid=2308745 comm="tar" name="etc" dev="zfs" ino=38486 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.367:35329): avc: denied { add_name } for pid=2308745 comm="tar" name=".pwd.lock" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549039582.367:35330): avc: denied { create } for pid=2308745 comm="tar" name=".pwd.lock" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.367:35331): avc: denied { write open } for pid=2308745 comm="tar" path="/mnt/etc/.pwd.lock" dev="zfs" ino=38489 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.367:35332): avc: denied { setattr } for pid=2308745 comm="tar" name=".pwd.lock" dev="zfs" ino=38489 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.466:35333): avc: denied { dac_override } for pid=2308745 comm="tar" capability=1 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039582.470:35334): avc: denied { chown } for pid=2308745 comm="tar" capability=0 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039582.470:35335): avc: denied { fowner } for pid=2308745 comm="tar" capability=3 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039582.470:35336): avc: denied { fsetid } for pid=2308745 comm="tar" capability=4 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039583.311:35337): avc: denied { dac_override } for pid=2308745 comm="tar" capability=1 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039585.146:35338): avc: denied { chown } for pid=2308745 comm="tar" capability=0 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039585.147:35339): avc: denied { fsetid } for pid=2308745 comm="tar" capability=4 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039586.422:35340): avc: denied { fowner } for pid=2308745 comm="tar" capability=3 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039586.520:35341): avc: denied { sys_admin } for pid=2308728 comm="ld.so" capability=21 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039586.520:35342): avc: denied { unmount } for pid=2308728 comm="ld.so" scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1549039586.673:35343): avc: denied { dac_read_search } for pid=2308728 comm="ld.so" capability=2 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
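The triage a policy maintainer does on a dump like the one above, written out as an added example (this is not part of the report, nor code from virt-bootstrap or selinux-policy): parse the raw AVC records, collapse them into the same (source type, target type, class) groups that audit2allow would turn into allow rules, and separate the denials that only touch files from the capability and mount-level ones. The sample records are constructed for the example, copying the shape and values of a few of the lines in the dump plus one non-AVC record to show that it is skipped; the ESCALATING table is the example's own judgement of which permissions should not be waved through with a local module.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): five records copied in shape and values from the
# `ausearch -se container_t --raw` dump in the report, plus one non-AVC record.
SAMPLE_AVCS = """\
type=AVC msg=audit(1549039582.349:35294): avc: denied { entrypoint } for pid=2308728 comm="libvirt_lxc" path="/etc/libvirt-sandbox/scratch/.libs/libvirt-sandbox-init-lxc" dev="tmpfs" ino=19869514 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:virt_lxc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.350:35295): avc: denied { read write } for pid=2308728 comm="libvirt-sandbox" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:object_r:container_file_t:s0:c337,c817 tclass=chr_file permissive=1
type=AVC msg=audit(1549039582.363:35319): avc: denied { read } for pid=2308745 comm="tar" name="0be2a68855d7bbbba01b447a79c873f137e6fb47362e79f2fd79c72575c9b73a" dev="dm-1" ino=134244215 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1549039582.466:35333): avc: denied { dac_override } for pid=2308745 comm="tar" capability=1 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=AVC msg=audit(1549039586.520:35341): avc: denied { sys_admin } for pid=2308728 comm="ld.so" capability=21 scontext=system_u:system_r:container_t:s0:c337,c817 tcontext=system_u:system_r:container_t:s0:c337,c817 tclass=capability permissive=1
type=PROCTITLE msg=audit(1549039582.349:35294): proctitle=(constructed, not an AVC record)
"""

# An AVC denial: the permission set in braces, then key=value fields up to permissive=N.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+permissive=(?P<perm>[01])"
)
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Example's own judgement: permissions that hand the source domain process
# capabilities or mount control, i.e. the ones that widen a confined container
# domain towards an unconfined one and deserve a policy decision, not audit2allow.
ESCALATING = {
    "capability": {"sys_admin", "dac_override", "dac_read_search", "chown", "fowner", "fsetid"},
    "filesystem": {"mount", "unmount"},
}


def parse_avc(line):
    """Parse one raw audit record. Returns None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("fields")):
        fields[key] = quoted or bare
    # A context is user:role:type[:range]; only the type matters for a rule.
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name") or fields.get("capability", ""),
        "permissive": m.group("perm") == "1",
    }


def summarize(raw):
    """Collapse all denials into audit2allow-style (source, target, class) -> perms."""
    rules = defaultdict(set)
    for line in raw.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def needs_review(rules):
    """Grouped rules whose permissions fall in ESCALATING: (source type, class, perms)."""
    flagged = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        hot = perms & ESCALATING.get(tclass, set())
        if hot:
            flagged.append((stype, tclass, sorted(hot)))
    return flagged


def to_te(rules):
    """Render the grouped rules as .te allow statements, the form audit2allow prints."""
    return "\n".join(
        "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))
        for (stype, ttype, tclass), perms in sorted(rules.items())
    )


if __name__ == "__main__":
    rules = summarize(SAMPLE_AVCS)
    print(to_te(rules))
    for stype, tclass, hot in needs_review(rules):
        print("REVIEW: %s asks for %s %s" % (stype, tclass, " ".join(hot)))
```

Run on the full dump, the file and chr_file groups are the routine labelling questions (the sandbox init binary on tmpfs, the cached layer under var_t, the pty); the capability and filesystem groups are the signal that the process inside the sandbox is doing container-runtime work (mounting, unmounting, overriding DAC) that the container_t domain is deliberately not allowed, which is the question a maintainer has to answer before any allow rule is written.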
What exactly are you trying to do? It looks like you are running something in a container that should not be contained.
I agree it probably shouldn't be contained, but it is virt-bootstrap that is spawning the container. I don't know why it wants to do that just to copy some files around.
The idea is that virt-bootstrap is downloading a container image from a registry using skopeo, then it extracts each layer to a specified destination directory. In order to improve security when extracting the container image layers, tar is being called within a constrained environment created with virt-sandbox (using lxc:/// or qemu:///session).
Sure, then it should run the container without SELinux separation podman run --security-opt lable=disabled ...
Oops podman run --security-opt label=disable ...
Thank you for reporting this issue. It should be fixed in the next release.