Bug 1952651 - containers do not run in Fedora 34 IoT
Summary: containers do not run in Fedora 34 IoT
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 34
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: IoT
 
Reported: 2021-04-22 18:09 UTC by Dennis Gilmore
Modified: 2021-07-16 03:44 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-11 13:02:38 UTC
Type: Bug
Embargoed:



Description Dennis Gilmore 2021-04-22 18:09:52 UTC
Description of problem:

Running a podman command to run homeassistant on Fedora 34 IoT, networking does not work.


Version-Release number of selected component (if applicable):

libselinux-3.2-1.fc34.aarch64
libselinux-utils-3.2-1.fc34.aarch64
rpm-plugin-selinux-4.16.1.3-1.fc34.aarch64
selinux-policy-34-1.fc34.noarch
selinux-policy-targeted-34-1.fc34.noarch
container-selinux-2.158.0-1.gite78ac4f.fc34.noarch
python3-libselinux-3.2-1.fc34.aarch64
podman-plugins-3.1.0-1.fc34.aarch64
podman-3.1.0-1.fc34.aarch64

How reproducible:


Steps to Reproduce:
on a fedora 34 IoT system run 
1. podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /home/homeassistant:/config   --network=host   homeassistant/home-assistant:stable
2.
3.

Actual results:
The container does not work. After switching from enforcing to permissive mode I see

type=AVC msg=audit(1619112380.373:899666): avc:  denied  { write } for  pid=552924 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.163:899668): avc:  denied  { write } for  pid=552939 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.163:899669): avc:  denied  { add_name } for  pid=552939 comm="python3" name="deps" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.163:899670): avc:  denied  { create } for  pid=552939 comm="python3" name="deps" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.563:899672): avc:  denied  { create } for  pid=552939 comm="python3" name="configuration.yaml" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899673): avc:  denied  { write open } for  pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899674): avc:  denied  { ioctl } for  pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.583:899675): avc:  denied  { read } for  pid=552939 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112396.543:899676): avc:  denied  { write } for  pid=553352 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899678): avc:  denied  { write } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112400.723:899680): avc:  denied  { read } for  pid=553368 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899681): avc:  denied  { open } for  pid=553368 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899682): avc:  denied  { ioctl } for  pid=553368 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.263:899683): avc:  denied  { add_name } for  pid=553368 comm="python3" name="home-assistant_v2.db" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112402.263:899684): avc:  denied  { create } for  pid=553368 comm="python3" name="home-assistant_v2.db" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.263:899685): avc:  denied  { write } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.283:899686): avc:  denied  { lock } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.283:899687): avc:  denied  { setattr } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.293:899688): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112402.293:899689): avc:  denied  { unlink } for  pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.303:899690): avc:  denied  { map } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259902 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112404.593:899691): avc:  denied  { create } for  pid=553368 comm="python3" name=".cloud" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.353:899693): avc:  denied  { write } for  pid=553368 comm="python3" name="blueprints" dev="mmcblk0p3" ino=259908 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.353:899694): avc:  denied  { add_name } for  pid=553368 comm="python3" name="automation" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.363:899695): avc:  denied  { relabelfrom } for  pid=553368 comm="python3" name="motion_light.yaml" dev="mmcblk0p3" ino=259912 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112408.373:899696): avc:  denied  { setattr } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=259911 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.373:899697): avc:  denied  { relabelfrom } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=259911 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.423:899698): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="tmpfah9tsms" dev="mmcblk0p3" ino=259916 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.423:899699): avc:  denied  { rename } for  pid=553368 comm="python3" name="tmpfah9tsms" dev="mmcblk0p3" ino=259916 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899720): avc:  denied  { read write } for  pid=553368 comm="python3" name="home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899721): avc:  denied  { open } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899722): avc:  denied  { lock } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899723): avc:  denied  { create } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899724): avc:  denied  { setattr } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899725): avc:  denied  { map } for  pid=553368 comm="python3" path="/config/home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.049:899726): avc:  denied  { unlink } for  pid=553368 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113430.629:899727): avc:  denied  { write } for  pid=553368 comm="python3" name=".storage" dev="mmcblk0p3" ino=259915 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.629:899728): avc:  denied  { add_name } for  pid=553368 comm="python3" name="tmpxb6igo5e" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.629:899729): avc:  denied  { ioctl } for  pid=553368 comm="python3" path="/config/.storage/tmpxb6igo5e" dev="mmcblk0p3" ino=259921 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113430.629:899730): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="tmpxb6igo5e" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.639:899731): avc:  denied  { rename } for  pid=553368 comm="python3" name="tmpxb6igo5e" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113641.008:899734): avc:  denied  { write } for  pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113641.008:899735): avc:  denied  { add_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113641.028:899736): avc:  denied  { remove_name } for  pid=553368 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
in the audit log.

Expected results:

the container to run

Additional info:

Comment 1 Daniel Walsh 2021-04-23 10:12:31 UTC
You are attempting to leak an entire home directory into a container and SELinux is rightly blocking the access. If you need to do this you need to disable SELinux container separation or play around with udica.

I would run the following command.

 podman run --init -d  --security-opt label=disable --name homeassistant   --restart=unless-stopped   --tz=local   -v /home/homeassistant:/config   --network=host   homeassistant/home-assistant:stable

BTW Notice the --tz flag.

Comment 2 Dennis Gilmore 2021-04-24 18:10:47 UTC
As the directory was just a directory containing config files, I moved it to /var/lib/homeassistant.

running "podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /var/lib/homeassistant:/config   --network=host   homeassistant/home-assistant:stable" I get:

type=AVC msg=audit(1619287263.705:547): avc:  denied  { write } for  pid=1780 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:549): avc:  denied  { write } for  pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:551): avc:  denied  { read } for  pid=1796 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:552): avc:  denied  { ioctl } for  pid=1796 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:553): avc:  denied  { lock } for  pid=1796 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:554): avc:  denied  { write } for  pid=1796 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:555): avc:  denied  { add_name } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:556): avc:  denied  { create } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:557): avc:  denied  { setattr } for  pid=1796 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.925:558): avc:  denied  { remove_name } for  pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.925:559): avc:  denied  { unlink } for  pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287273.645:561): avc:  denied  { rename } for  pid=1796 comm="python3" name="tmpqq7mj4zg" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1


If instead I run "podman run --init -d   --name homeassistant   --restart=unless-stopped   -v /etc/localtime:/etc/localtime:ro   -v /var/lib/homeassistant:/config:Z   --network=host   homeassistant/home-assistant:stable" I still get one denial:

type=AVC msg=audit(1619287145.126:537): avc:  denied  { write } for  pid=1262 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c286,c789 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

Should udevadm be able to run inside of a container?

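The three runs in this thread produce three different kinds of denial, and telling them apart from the raw AVC lines is the useful skill here: the first run hits files still labelled user_home_dir_t (the bind mount was never relabelled), the run without :Z in comment 2 hits container_file_t objects carrying the MCS categories c286,c789 of the earlier :Z run (whose udevadm denial shows exactly those categories, and whose audit timestamp is earlier), and the udevadm write to sysfs_t is a policy decision that no relabelling can change. The following script is an added example, not part of this bug or of container-selinux or podman; it parses AVC records with a hand-written regex, splits the MCS categories out of each context and sorts each denial into one of those buckets. The three sample lines are copied from the report above; the bucket names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: three AVC lines quoted in this bug, one per failure mode.
SAMPLE_AVCS = """\
type=AVC msg=audit(1619112380.373:899666): avc:  denied  { write } for  pid=552924 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899673): avc:  denied  { write open } for  pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:549): avc:  denied  { write } for  pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
"""

# Matches the fields this triage needs from an audit AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Host home-directory types that podman will not touch unless asked to relabel (:Z/:z).
HOME_TYPES = {"user_home_dir_t", "user_home_t", "home_root_t"}


@dataclass
class Denial:
    comm: str
    perms: tuple
    stype: str
    scats: frozenset
    ttype: str
    tcats: frozenset
    tclass: str


def split_context(ctx):
    """user:role:type:level -> (type, MCS categories in the level).

    Only literal category lists (s0:c568,c815) are split; a range such as
    c0.c1023 is kept as a single token, which is enough for this comparison.
    """
    _user, _role, typ, level = ctx.split(":", 3)
    cats = frozenset()
    if ":" in level:
        cats = frozenset(level.split(":", 1)[1].split(","))
    return typ, cats


def parse_avc(line):
    """Return a Denial for an AVC line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, scats = split_context(m["scontext"])
    ttype, tcats = split_context(m["tcontext"])
    return Denial(m["comm"], tuple(m["perms"].split()), stype, scats, ttype, tcats, m["tclass"])


def classify(d):
    """Bucket names are this example's own, not SELinux or podman terms."""
    if d.stype != "container_t":
        return "not-container"
    if d.ttype == "sysfs_t":
        # Kernel object the container policy does not grant; relabeling a volume cannot change it.
        return "policy"
    if d.ttype in HOME_TYPES:
        # The bind-mounted path still carries its host label.
        return "unlabeled-host-path"
    if d.ttype == "container_file_t":
        if d.tcats and d.tcats != d.scats:
            # Labeled for a different container's categories: mount with :Z (private) or :z (shared).
            return "mcs-mismatch"
        return "same-categories"
    return "unknown"


def triage(text):
    """Parse every AVC line in text and return (comm, target type, bucket) triples."""
    out = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            out.append((d.comm, d.ttype, classify(d)))
    return out


if __name__ == "__main__":
    for comm, ttype, bucket in triage(SAMPLE_AVCS):
        print(f"{comm:10} {ttype:22} {bucket}")
```

In practice you would feed it `ausearch -m AVC -ts recent` output; the point of the MCS comparison is that "unlabeled-host-path" and "mcs-mismatch" are both fixed by letting podman relabel the volume (or by moving the data out of /home, as comment 2 does), while "policy" denials need either a policy change or `--security-opt label=disable`, which drops the per-container separation entirely.
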
Comment 3 Daniel Walsh 2021-04-26 22:52:47 UTC
Currently we block this via SELinux, writing to sysfs `uevent`. I do not believe this is going to work the way you expect, i.e. devices will not appear on the host's /dev.

You can disable SELinux separation to see if it works.  If it does, I could consider adding this allow rule.

Comment 4 Dennis Gilmore 2021-07-16 03:44:47 UTC
clearing needinfo

