While testing osp-17.1 on rhel-9.2, I hit a SELinux denial: /var/log/audit/audit.log.1:type=AVC msg=audit(1674049903.359:22746): avc: denied { open } for pid=69064 comm="yum_update.sh" path="/tmp/yum_update.sh" dev="vda4" ino=176236830 scontext=system_u:system_r:container_t:s0:c568,c599 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 After some checks, this call is from within the modification image role[1][2][3]. The script is passed as a volume to buildah, and it's missing the appropiate ":z" flag. I'd suspect a change in the SELinux container policy in el-9.2. I proposed a patch upstream already, but we'll need it asap downstream in order to get proper el-9.2 support for 17.1 CI (and customers, and everything). I also got a proactive backport plus a testproject in order to ensure it's passing right - so far, so good, will do the appropriate follow-up in this BZ + patches on due time. [1] https://opendev.org/openstack/ansible-role-tripleo-modify-image/src/branch/master/tasks/yum_update_buildah.yml#L38-L42 [2] https://opendev.org/openstack/ansible-role-tripleo-modify-image/src/branch/master/tasks/yum_update_buildah.yml#L109 [3] https://opendev.org/openstack/ansible-role-tripleo-modify-image/src/branch/master/tasks/yum_update_buildah.yml#L133
*** Bug 2167724 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2023:4577