The command that evokes the AVC to FAIL is rlWaitForSocket. The test starts the OpenSSL server and waits for the process to start. rlWaitForSocket pauses script execution until the local socket starts listening. Affects Fedora 42 and Fedora rawhide.

Reproducible: Always

Steps to Reproduce:
The commands are run with the beakerlib testing library.
1. Clone the repository (choosing the branch f42/rawhide)
   -b f42 ---> for fedora 42
   -b main ---> for fedora rawhide
   rlRun "git clone -b f42 git:QUBIP/pq-container.git"
2. Go inside the directory
   rlRun "pushd pq-container"
2. Build and run the container.
   rlRun "podman build -t pq-container ."
   rlRun "podman run -dt localhost/pq-container"
3. Execute the test
   rlRun "podman exec -ti $container_id ./test.sh"

Actual Results:
[ ERROR ] AVC check: FAIL
----
type=AVC msg=audit(09/03/2025 07:05:49.708:2186) : avc: denied { nlmsg_read } for pid=34626 comm=ss scontext=system_u:system_r:container_t:s0:c6,c1002 tcontext=system_u:system_r:container_t:s0:c6,c1002 tclass=netlink_tcpdiag_socket permissive=0

Expected Results:
AVC check: OK

Additional Information:
This bug seems to be similar to the bug described: https://bugzilla.redhat.com/show_bug.cgi?id=2090800
Here's a smaller reproducer that doesn't use beakerlib or custom containers:

    podman run fedora:42 /bin/sh -c 'dnf -y install ss && ss -nl --tcp'
    sudo ausearch -m avc -ts recent

That gives me

    time->Thu Sep 4 14:58:20 2025
    type=AVC msg=audit(1756990700.051:18565): avc: denied { nlmsg_read } for pid=1738878 comm="ss" scontext=system_u:system_r:container_t:s0:c113,c412 tcontext=system_u:system_r:container_t:s0:c113,c412 tclass=netlink_tcpdiag_socket permissive=0

with

    container-selinux-2.240.0-1.fc42
    podman-5.5.2-1.fc42
    iproute-0:6.12.0-3.fc42
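Added example, not part of the original report or of container-selinux: a shell helper that condenses `ausearch -m avc` output such as the records above into one line per distinct denial and prints an OK/FAIL verdict in the style of the test's AVC check. The function names and the third ("granted") sample record are constructed for illustration.

```shell
#!/bin/sh
# Sample input: the two denials quoted in this report plus one constructed
# "granted" record, which must not be counted.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(09/03/2025 07:05:49.708:2186) : avc: denied { nlmsg_read } for pid=34626 comm=ss scontext=system_u:system_r:container_t:s0:c6,c1002 tcontext=system_u:system_r:container_t:s0:c6,c1002 tclass=netlink_tcpdiag_socket permissive=0
type=AVC msg=audit(1756990700.051:18565): avc: denied { nlmsg_read } for pid=1738878 comm="ss" scontext=system_u:system_r:container_t:s0:c113,c412 tcontext=system_u:system_r:container_t:s0:c113,c412 tclass=netlink_tcpdiag_socket permissive=0
type=AVC msg=audit(1756990701.000:18566): avc: granted { read } for pid=1 comm="x" scontext=a:b:c_t:s0 tcontext=a:b:d_t:s0 tclass=file
EOF
}

# Print "<count> <comm> <source type> <target>:<class> {<perms>}" per distinct
# denial; the target is "self" when scontext and tcontext are identical.
avc_summary() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        comm = sctx = tctx = tclass = perms = ""
        if (match($0, /[{][^}]*[}]/)) {          # { perm1 perm2 }
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {              # key=value fields
            n = index($i, "="); if (!n) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)                   # raw logs quote comm
            if (key == "comm") comm = val
            else if (key == "scontext") sctx = val
            else if (key == "tcontext") tctx = val
            else if (key == "tclass") tclass = val
        }
        split(sctx, s, ":"); split(tctx, t, ":") # user:role:type:level
        target = (sctx == tctx) ? "self" : t[3]
        seen[comm " " s[3] " " target ":" tclass " {" perms "}"]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Pass/fail gate in the style of the test's "AVC check" line.
avc_check() {
    out=$(avc_summary)
    if [ -z "$out" ]; then echo "AVC check: OK"; return 0; fi
    echo "AVC check: FAIL"; echo "$out"; return 1
}

sample_avc | avc_check || true
```

On a host where the reproducer has just been run, `sudo ausearch -m avc -ts recent | avc_check` gives the same summary for live audit records.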
Do you see this with container-selinux v2.241.0 https://bodhi.fedoraproject.org/updates/FEDORA-2025-ed320aaa31 ?
Never mind, I see it on rawhide with container-selinux from the latest main. I'll create a PR upstream.
Yep, same denial with container-selinux-2.241.0-1.fc42
PTAL https://github.com/containers/container-selinux/pull/399 . To test out the changes, follow the copr installation instructions at: https://dashboard.packit.dev/jobs/copr/2753744
In my testing, that 1d55427ba5c8e79a-container-selinux-2.241.0-1.20250904150520265949.pr399.9.g681bed9.fc42.noarch.rpm does make the AVC denial go away.
FEDORA-2025-a9062c828c (container-selinux-2.242.0-1.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a9062c828c
FEDORA-2025-70af4a4430 (container-selinux-2.242.0-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-70af4a4430
FEDORA-2025-d08a78f5e8 (container-selinux-2.242.0-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-d08a78f5e8
FEDORA-2025-70af4a4430 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-70af4a4430` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-70af4a4430 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-a9062c828c has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-a9062c828c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-a9062c828c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-d08a78f5e8 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d08a78f5e8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d08a78f5e8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-70af4a4430 (container-selinux-2.242.0-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-d08a78f5e8 (container-selinux-2.242.0-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-a9062c828c (container-selinux-2.242.0-1.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.