SELinux is preventing /usr/bin/bash from read access on the file /usr/lib64/libc-2.30.so.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/usr/lib64/libc-2.30.so default label should be lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/lib64/libc-2.30.so

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that bash should be allowed read access on the libc-2.30.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c65,c73
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /usr/lib64/libc-2.30.so [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           bash-5.0.7-3.fc31.x86_64
Target RPM Packages           glibc-2.30-7.fc31.x86_64
Policy RPM                    selinux-policy-3.14.4-42.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     host.example.com
Platform                      Linux host.example.com 5.3.12-300.fc31.x86_64 #1 SMP Thu Nov 21 22:52:07 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-11-25 05:36:46 EST
Last Seen                     2019-11-25 05:36:46 EST
Local ID                      a4e874a2-2540-44e7-ba63-62e961a5b558

Raw Audit Messages
type=AVC msg=audit(1574678206.500:455): avc: denied { read } for pid=30541 comm="sh" path="/usr/lib64/libc-2.30.so" dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c65,c73 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1574678206.500:455): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7f1b47bb3000 a1=19a000 a2=0 a3=4 items=0 ppid=30523 pid=30541 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c65,c73 key=(null)

Hash: sh,container_t,var_lib_t,file,read
How to reproduce: Deterministic

Versions:
sh-5.0# rpm -q podman crun libseccomp containers-common selinux-policy container-selinux
podman-1.6.2-2.fc31.x86_64
crun-0.10.6-1.fc31.x86_64
libseccomp-2.4.2-1.fc31.x86_64
containers-common-0.1.40-4.fc31.x86_64
selinux-policy-3.14.4-42.fc31.noarch
container-selinux-2.119.0-2.fc31.noarch
sh-5.0# uname -a
Linux host.example.com 5.3.12-300.fc31.x86_64 #1 SMP Thu Nov 21 22:52:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Steps:
sh-5.0# cat test/Dockerfile
FROM registry.fedoraproject.org/fedora:31
RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
sh-5.0# podman build -t test test/
STEP 1: FROM registry.fedoraproject.org/fedora:31
STEP 2: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
Error: error building at STEP "RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy": error while running runtime: exit status 127
sh-5.0# ausearch -m avc -i
----
type=PROCTITLE msg=audit(11/25/2019 05:31:11.176:434) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=PATH msg=audit(11/25/2019 05:31:11.176:434) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=808331 dev=00:25 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c4,c84 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:31:11.176:434) : item=0 name=/bin/sh inode=26322653 dev=00:25 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c4,c84 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:31:11.176:434) : cwd=/
type=OBJ_PID msg=audit(11/25/2019 05:31:11.176:434) : opid=30294 oauid=root ouid=root oses=4 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=sh
type=OBJ_PID msg=audit(11/25/2019 05:31:11.176:434) : opid=30294 oauid=root ouid=root oses=4 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=sh
type=EXECVE msg=audit(11/25/2019 05:31:11.176:434) : argc=3 a0=/bin/sh a1=-c a2=groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
type=SYSCALL msg=audit(11/25/2019 05:31:11.176:434) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55d6e086cc50 a1=0x55d6e0870530 a2=0x55d6e086da70 a3=0x7f108f580ac0 items=2 ppid=30277 pid=30294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c4,c84 key=(null)
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0
----
type=PROCTITLE msg=audit(11/25/2019 05:31:11.178:435) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=SYSCALL msg=audit(11/25/2019 05:31:11.178:435) : arch=x86_64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7f609f00a000 a1=0x19a000 a2=PROT_NONE a3=0x4 items=0 ppid=30277 pid=30294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c4,c84 key=(null)
type=AVC msg=audit(11/25/2019 05:31:11.178:435) : avc: denied { read } for pid=30294 comm=sh path=/usr/lib64/libc-2.30.so dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c4,c84 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
AVCs in permissive mode
sh-5.0# ausearch -m avc -i
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.744:472) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=PATH msg=audit(11/25/2019 05:42:01.744:472) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=808331 dev=00:26 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.744:472) : item=0 name=/bin/sh inode=26322653 dev=00:26 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.744:472) : cwd=/
type=EXECVE msg=audit(11/25/2019 05:42:01.744:472) : argc=3 a0=/bin/sh a1=-c a2=groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
type=SYSCALL msg=audit(11/25/2019 05:42:01.744:472) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5613ca08ac50 a1=0x5613ca08e530 a2=0x5613ca08abb0 a3=0x7f7aa0c1cac0 items=2 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.744:472) : avc: denied { read write } for pid=30758 comm=sh path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.745:473) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=SYSCALL msg=audit(11/25/2019 05:42:01.745:473) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7ff32f47f000 a1=0x19a000 a2=PROT_NONE a3=0x4 items=0 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.745:473) : avc: denied { read } for pid=30758 comm=sh path=/usr/lib64/libc-2.30.so dev="dm-0" ino=808299 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.746:474) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=PATH msg=audit(11/25/2019 05:42:01.746:474) : item=0 name=/dev/tty inode=99223 dev=00:29 mode=character,666 ouid=root ogid=root rdev=05:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.746:474) : cwd=/
type=SYSCALL msg=audit(11/25/2019 05:42:01.746:474) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x556d0e2a02df a2=O_RDWR|O_NONBLOCK a3=0x0 items=1 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.746:474) : avc: denied { open } for pid=30758 comm=sh path=/dev/tty dev="tmpfs" ino=99223 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.747:475) : proctitle=/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcpro
type=SYSCALL msg=audit(11/25/2019 05:42:01.747:475) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x2 a1=TIOCGPGRP a2=0x7fffc9021514 a3=0x30 items=0 ppid=30739 pid=30758 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sh exe=/usr/bin/bash subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.747:475) : avc: denied { ioctl } for pid=30758 comm=sh path=/dev/pts/0 dev="devpts" ino=3 ioctlcmd=TIOCGPGRP scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.749:476) : proctitle=groupadd -g 288 kdcproxy
type=SYSCALL msg=audit(11/25/2019 05:42:01.749:476) : arch=x86_64 syscall=socket success=yes exit=3 a0=netlink a1=SOCK_RAW a2=igp a3=0x20 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.749:476) : avc: denied { create } for pid=30764 comm=groupadd scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:system_r:container_t:s0:c126,c467 tclass=netlink_audit_socket permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.762:478) : proctitle=groupadd -g 288 kdcproxy
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=4 name=(null) inode=17778372 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=3 name=(null) inode=25559805 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=2 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=1 name=(null) inode=25559805 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/25/2019 05:42:01.762:478) : item=0 name=/etc/gshadow inode=26321756 dev=00:26 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.762:478) : cwd=/
type=SYSCALL msg=audit(11/25/2019 05:42:01.762:478) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x55829d0c88e0 a2=O_RDWR|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW a3=0x0 items=5 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.762:478) : avc: denied { dac_override } for pid=30764 comm=groupadd capability=dac_override scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.790:479) : proctitle=groupadd -g 288 kdcproxy
type=SYSCALL msg=audit(11/25/2019 05:42:01.790:479) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x0 a1=0x7fffcd9ccc30 a2=0x7fffcd9ccc30 a3=0x7fffcd9cbe50 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.790:479) : avc: denied { getattr } for pid=30764 comm=groupadd path=/dev/pts/0 dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:object_r:container_file_t:s0:c126,c467 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.790:480) : proctitle=groupadd -g 288 kdcproxy
type=SOCKADDR msg=audit(11/25/2019 05:42:01.790:480) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(11/25/2019 05:42:01.790:480) : arch=x86_64 syscall=sendto success=yes exit=120 a0=0x3 a1=0x7fffcd9c8780 a2=0x78 a3=0x0 items=0 ppid=30758 pid=30764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=groupadd exe=/usr/sbin/groupadd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.790:480) : avc: denied { audit_write } for pid=30764 comm=groupadd capability=audit_write scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
type=AVC msg=audit(11/25/2019 05:42:01.790:480) : avc: denied { nlmsg_relay } for pid=30764 comm=groupadd scontext=system_u:system_r:container_t:s0:c126,c467 tcontext=system_u:system_r:container_t:s0:c126,c467 tclass=netlink_audit_socket permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.896:484) : proctitle=useradd -u 288 -g 288 -c KDC Proxy User -d /var/lib/kdcproxy -s /sbin/nologin kdcproxy
type=PATH msg=audit(11/25/2019 05:42:01.896:484) : item=0 name=/var/lib/kdcproxy inode=17778374 dev=00:26 mode=dir,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.896:484) : cwd=/
type=SYSCALL msg=audit(11/25/2019 05:42:01.896:484) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7fff66c48f0a a1=unknown(288) a2=unknown(288) a3=0x7f5c2d629ac0 items=1 ppid=30758 pid=30772 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=useradd exe=/usr/sbin/useradd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.896:484) : avc: denied { chown } for pid=30772 comm=useradd capability=chown scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(11/25/2019 05:42:01.896:485) : proctitle=useradd -u 288 -g 288 -c KDC Proxy User -d /var/lib/kdcproxy -s /sbin/nologin kdcproxy
type=PATH msg=audit(11/25/2019 05:42:01.896:485) : item=0 name=/var/lib/kdcproxy inode=17778374 dev=00:26 mode=dir,000 ouid=unknown(288) ogid=unknown(288) rdev=00:00 obj=system_u:object_r:container_file_t:s0:c126,c467 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2019 05:42:01.896:485) : cwd=/
type=SYSCALL msg=audit(11/25/2019 05:42:01.896:485) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fff66c48f0a a1=0700 a2=0x3f a3=0x7f5c2d629ac0 items=1 ppid=30758 pid=30772 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=useradd exe=/usr/sbin/useradd subj=system_u:system_r:container_t:s0:c126,c467 key=(null)
type=AVC msg=audit(11/25/2019 05:42:01.896:485) : avc: denied { fsetid } for pid=30772 comm=useradd capability=fsetid scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
type=AVC msg=audit(11/25/2019 05:42:01.896:485) : avc: denied { fowner } for pid=30772 comm=useradd capability=fowner scontext=system_u:system_r:container_t:s0:c126 c467 tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1
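The report's two denials are of different kinds: the libc-2.30.so one is a mislabel (restorecon says the file should be lib_t but it carries var_lib_t), while the /dev/pts/0 and capability denials hit correctly labelled objects and are policy questions. Telling the two apart is the first triage step, because a relabel fixes the first and audit2allow would only paper over it. The following is an added example, written for this page and not code from the report, podman or container-selinux: a small parser for the AVC lines quoted above (raw and ausearch -i forms) that sorts each denial into "mislabel", "policy" or "unknown". The EXPECTED_TYPE_BY_PREFIX table is a constructed assumption standing in for matchpathcon(1); on a real host the expected label comes from the file contexts, not from this table.

```python
"""Triage SELinux AVC denials: mislabeled target vs. missing policy rule.

Added example for this bug report, not part of it. The sample lines are the
AVC records quoted in the report; the expected-type table is a constructed
stand-in for matchpathcon(1).
"""
import re

# Constructed assumption: default types expected under these prefixes. The
# report's restorecon plugin says /usr/lib64/libc-2.30.so should be lib_t.
EXPECTED_TYPE_BY_PREFIX = {
    "/usr/lib64/": "lib_t",
    "/usr/lib/": "lib_t",
    "/usr/bin/": "bin_t",
}

# Accepts the raw audit form ("avc:  denied  { read } for  pid=...") and the
# interpreted `ausearch -i` form; whitespace between tokens may vary.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Lines quoted from the report (raw, interpreted, capability, and one non-AVC).
SAMPLE_LINES = [
    'type=AVC msg=audit(1574678206.500:455): avc: denied { read } for pid=30541 '
    'comm="sh" path="/usr/lib64/libc-2.30.so" dev="dm-0" ino=808299 '
    'scontext=system_u:system_r:container_t:s0:c65,c73 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(11/25/2019 05:31:11.176:434) : avc: denied { read write } '
    'for pid=30294 comm=sh path=/dev/pts/0 dev="devpts" ino=3 '
    'scontext=system_u:system_r:container_t:s0:c4,c84 '
    'tcontext=system_u:object_r:container_file_t:s0:c4,c84 tclass=chr_file permissive=0',
    'type=AVC msg=audit(11/25/2019 05:42:01.762:478) : avc: denied { dac_override } '
    'for pid=30764 comm=groupadd capability=dac_override '
    'scontext=system_u:system_r:container_t:s0:c126 c467 '
    'tcontext=system_u:system_r:container_t:s0:c126 c467 tclass=capability permissive=1',
    'type=SYSCALL msg=audit(1574678206.500:455): arch=x86_64 syscall=mprotect '
    'success=yes exit=0 pid=30541 comm=sh exe=/usr/bin/bash',
]


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; policy rules key on the type.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":", 3)
        if len(parts) == 4:
            rec[side + "_type"] = parts[2]
            rec[side + "_level"] = parts[3]
    # permissive=0 means the kernel really refused the access.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def expected_type(path):
    """Expected default type for a path, or None when the table has no entry."""
    for prefix, stype in EXPECTED_TYPE_BY_PREFIX.items():
        if path.startswith(prefix):
            return stype
    return None


def classify(rec):
    """'mislabel' if a file's type differs from its expected default label,
    'unknown' if no expectation is known, otherwise 'policy'."""
    if rec.get("tclass") == "file" and "path" in rec:
        want = expected_type(rec["path"])
        if want is None:
            return "unknown"
        if rec.get("tcontext_type") != want:
            return "mislabel"
    return "policy"


def triage(lines):
    """Return (source type, tclass, kind, hint) for every AVC record in lines."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "mislabel":
            hint = "relabel: restorecon -v %s (expected %s, found %s)" % (
                rec["path"], expected_type(rec["path"]), rec["tcontext_type"])
        elif kind == "policy":
            hint = "label as expected: %s lacks { %s } on %s %s; a policy question, not a relabel" % (
                rec.get("scontext_type"), " ".join(rec["perms"]),
                rec.get("tclass"), rec.get("tcontext_type"))
        else:
            hint = "no expected label for %s; check with matchpathcon" % rec["path"]
        if not rec["permissive"]:
            hint += " [enforced: the access was actually blocked]"
        out.append((rec.get("scontext_type"), rec.get("tclass"), kind, hint))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

Run against the report's own records, the libc-2.30.so denial comes back as a mislabel with a restorecon hint, the /dev/pts/0 chr_file denial as a policy question that was actually enforced (permissive=0), and the dac_override capability denial as a policy question too. Feeding it the output of `ausearch -m avc -i` line by line works the same way because the parser ignores non-AVC record types.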
This looks like container-selinux failed to install properly.

dnf reinstall container-selinux

Something has gone wrong with the container-selinux and selinux-policy package.
sh# dnf reinstall -y container-selinux
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 1:44:27 ago on Mon 25 Nov 2019 07:01:25 AM EST.
Dependencies resolved.
==========================================================================================================
 Package                    Architecture      Version                    Repository       Size
==========================================================================================================
Reinstalling:
 container-selinux          noarch            2:2.119.0-2.fc31           updates          48 k

Transaction Summary
==========================================================================================================

Total download size: 48 k
Installed size: 43 k
Downloading Packages:
container-selinux-2.119.0-2.fc31.noarch.rpm                                83 kB/s |  48 kB     00:00
----------------------------------------------------------------------------------------------------------
Total                                                                      60 kB/s |  48 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                              1/1
  Reinstalling     : container-selinux-2:2.119.0-2.fc31.noarch                                    1/2
  Running scriptlet: container-selinux-2:2.119.0-2.fc31.noarch                                    1/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
/usr/sbin/semodule:  Failed!

  Cleanup          : container-selinux-2:2.119.0-2.fc31.noarch                                    2/2
  Running scriptlet: container-selinux-2:2.119.0-2.fc31.noarch                                    2/2
  Verifying        : container-selinux-2:2.119.0-2.fc31.noarch                                    1/2
  Verifying        : container-selinux-2:2.119.0-2.fc31.noarch                                    2/2
Installed products updated.

Reinstalled:
  container-selinux-2:2.119.0-2.fc31.noarch

Complete!

sh# podman build -t test test
STEP 1: FROM registry.fedoraproject.org/fedora:31
STEP 2: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
Error: error building at STEP "RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy": error while running runtime: exit status 127
Downgrading to selinux-policy-3.14.4-41.fc31.noarch and reinstalling container-selinux helped.
Moving to container-selinux based on the comment in https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
A combined bodhi update with selinux-policy-3.14.4-42.fc31 would be ideal :-)
Can't reproduce with container-selinux-2.144.0-3.fc33.noarch and selinux-policy-3.14.6-25.fc33.noarch. Closing; please reopen if it still occurs.