Description of problem: When trying to create a fifo file in an unprivileged container it is blocked by selinux:

$ rpm -qi container-selinux
Name        : container-selinux
Epoch       : 2
Version     : 2.85
Release     : 1.git92af7fd.fc29
Architecture: noarch
Install Date: Fr 15 Mär 2019 14:42:45 CET
Group       : Unspecified
Size        : 38790
License     : GPLv2
Signature   : RSA/SHA256, Fr 01 Mär 2019 12:01:48 CET, Key ID a20aa56b429476b4
Source RPM  : container-selinux-2.85-1.git92af7fd.fc29.src.rpm
Build Date  : Do 28 Feb 2019 20:54:39 CET
Build Host  : buildhw-04.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/projectatomic/container-selinux
Bug URL     : https://bugz.fedoraproject.org/container-selinux
Summary     : SELinux policies for container runtimes
Description :
SELinux policy modules for use with container runtimes.

$ rpm -qi podman
Name        : podman
Epoch       : 1
Version     : 1.1.2
Release     : 1.git0ad9b6b.fc29
Architecture: x86_64
Install Date: Fr 15 Mär 2019 14:43:13 CET
Group       : Unspecified
Size        : 38176514
License     : ASL 2.0
Signature   : RSA/SHA256, Di 05 Mär 2019 20:11:27 CET, Key ID a20aa56b429476b4
Source RPM  : podman-1.1.2-1.git0ad9b6b.fc29.src.rpm
Build Date  : Di 05 Mär 2019 19:11:30 CET
Build Host  : buildhw-08.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://podman.io/
Bug URL     : https://bugz.fedoraproject.org/podman
Summary     : Manage Pods, Containers and Container Images
Description :
Manage Pods, Containers and Container Images
libpod provides a library for applications looking to use the Container Pod concept popularized by Kubernetes.
$ id
uid=1000(mh) gid=1000(mh) groups=1000(mh),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ podman run -it fedora:29 /bin/bash
Trying to pull docker.io/library/fedora:29...Getting image source signatures
Copying blob 01eb078129a0 [======================================] 85.8MiB / 85.8MiB
Copying config d09302f77c [======================================] 2.0KiB / 2.0KiB
Writing manifest to image destination
Storing signatures
[root@62059d4ee3c0 /]# mkfifo /tmp/a
mkfifo: cannot create fifo '/tmp/a': Permission denied

SELinux is preventing mkfifo from 'create' accesses on the fifo_file a.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mkfifo should be allowed create access on the a fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mkfifo' --raw | audit2allow -M my-mkfifo
# semodule -X 300 -i my-mkfifo.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c189,c377
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                a [ fifo_file ]
Source                        mkfifo
Source Path                   mkfifo
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-51.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.20.16-200.fc29.x86_64 #1 SMP Thu Mar 14 15:10:22 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-03-27 23:20:46 CET
Last Seen                     2019-03-27 23:20:46 CET
Local ID                      1b0c4248-5169-472f-85e4-33fcdc17612d

Raw Audit Messages
type=AVC msg=audit(1553725246.502:2928): avc:  denied  { create } for  pid=9755 comm="mkfifo" name="a" scontext=system_u:system_r:container_t:s0:c189,c377 tcontext=system_u:object_r:fusefs_t:s0 tclass=fifo_file permissive=0

Hash: mkfifo,container_t,fusefs_t,fifo_file,create
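As an added example (not part of the bug report or of container-selinux), a small Python parser for raw type=AVC audit records like the one above, plus a check that flags the exact pattern in this report: a container_t process denied create on a fifo_file whose target is fusefs_t. The sample log is constructed; its first line copies the report's denial, the others are made-up variations to exercise the parser.

```python
import re
from dataclasses import dataclass

# Constructed sample audit records: line 1 is the denial from the bug report,
# the rest are invented variations (a different class, and a non-AVC record).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1553725246.502:2928): avc:  denied  { create } for  pid=9755 comm="mkfifo" name="a" scontext=system_u:system_r:container_t:s0:c189,c377 tcontext=system_u:object_r:fusefs_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1553725300.100:2930): avc:  denied  { write } for  pid=9800 comm="touch" name="b" scontext=system_u:system_r:container_t:s0:c189,c377 tcontext=system_u:object_r:container_file_t:s0:c1,c2 tclass=file permissive=0
type=SYSCALL msg=audit(1553725246.502:2928): arch=c000003e syscall=133 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values may be quoted

@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    verdict: str
    perms: list
    fields: dict

    @property
    def source_type(self) -> str:
        # An SELinux context is user:role:type:mls; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

def parse_avc_records(text: str) -> list:
    """Parse only type=AVC records; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(AvcRecord(float(m.group("ts")), int(m.group("serial")),
                                 m.group("verdict"), m.group("perms").split(), fields))
    return records

def is_container_fuse_fifo_denial(rec: AvcRecord) -> bool:
    """The pattern from this bug: container_t denied creating a fifo_file on fusefs_t."""
    return (rec.verdict == "denied" and rec.source_type == "container_t"
            and rec.target_type == "fusefs_t" and rec.fields.get("tclass") == "fifo_file"
            and "create" in rec.perms)
```

Feeding `ausearch -m AVC --raw` output to `parse_avc_records` lets you count how often this denial recurs on a host before deciding whether the package update (rather than a local audit2allow module) is what resolves it.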
I would recommend that you mount a tmpfs there. But we should probably fix this.
It actually happens when building an image with the gitlab-omnibus package, which likely expects these fifo files to be present later, so imho the tmpfs is not super practical.
Fixed in container-selinux-2.94-1.git1e99f1d.fc29.noarch
I can confirm that this update fixes the issue
Please update the karma.
container-selinux-2.95-1.gite3ebc68.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e36ddd5a5
container-selinux-2.95-1.gite3ebc68.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-00c60ff381
container-selinux-2.95-1.gite3ebc68.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-00c60ff381
container-selinux-2.95-1.gite3ebc68.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e36ddd5a5
container-selinux-2.95-1.gite3ebc68.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
container-selinux-2.95-1.gite3ebc68.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.