Bug 2404788 - Root of live filesystem is labelled as tmpfs_t which prevents running pasta (which is used for podman)
Summary: Root of live filesystem is labelled as tmpfs_t which prevents running pasta (...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: dracut
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: dracut-maint-list
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-17 19:21 UTC by Dick Marinus
Modified: 2025-12-22 20:13 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dracut-ng dracut-ng issues 1042 0 None open LiveOS ISOs cannot boot when SELinux is enabled 2025-10-26 12:03:35 UTC

Description Dick Marinus 2025-10-17 19:21:28 UTC 
Description of problem:

Version-Release number of selected component (if applicable):108

How reproducible:


Steps to Reproduce:
1. Boot Fedora Workstation Live (ie. using qemu-kvm)
2. Run: pasta ip addr

Actual results:

Failed to remount /: Permission denied
Failed to sandbox process, exiting

Expected results:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever

Additional info:

This prevents usage of podman with SELinux enabled from a live booted system.

I think root should be labelled as system_u:object_r:root_t:s0

This is part of the dracut-live module.
Comment 1 Frederick Grose 2025-11-18 20:48:55 UTC 
If `chcon -t root_t / /run/overlayfs /run/ovltest` is added to `/usr/libexec/livesys/livesys-main`, which runs in Fedora soon after startup, the labels are set as desired. Is this remedy sufficient for the problem?
Comment 2 Dick Marinus 2025-11-21 10:16:07 UTC 
For sure. But I'd rather have this fixed in dracut-live instead of livesys-scripts as any live environment is suffering from this.
Comment 3 Frederick Grose 2025-12-22 20:13:09 UTC 
Cross referencing issue at dracut-ng: https://github.com/dracut-ng/dracut-ng/issues/1042
and Fedora SELinux mailing list: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/message/KWLKHKRHJOUXDBHNJ76O267BNM53FEPS/
Note You need to log in before you can comment on or make changes to this bug.