Bug 2436646 - SELinux denial breaks fontquery-diff tool since Fedora-Rawhide-20260127.n.0
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-02-04 07:41 UTC by Adam Williamson
Modified: 2026-02-19 14:28 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:




Links
System: Github
ID: fedora-i18n fontquery issues 12
Private: 0
Priority: None
Status: open
Summary: fontquery crashes in Fedora Rawhide since Fedora-Rawhide-20260127.n.0
Last Updated: 2026-02-04 07:53:20 UTC

Description Adam Williamson 2026-02-04 07:41:44 UTC
Since Fedora-Rawhide-20260127.n.0, the fontquery-diff tool - https://github.com/fedora-i18n/fontquery - which we use in an openQA test to check Fedora's default font configuration has been crashing, apparently due to an SELinux denial. In the system journal, we see this:

Feb 04 16:07:51 fedora podman[5580]: 2026-02-04 16:07:51.20861048 +0900 JST m=+0.198138761 container init 78fb7ae06814828082154097d65c9796df0db895915a236370ab27f10956f4f8 (image=ghcr.io/fedora-i18n/fontquery/fedora/minimal:rawhide, name=heuristic_lumiere, org.opencontainers.image.description=Base image based on Fedora for fontquery, org.opencontainers.image.vendor=Fedora Project, description=Working environment for fontquery - minimal, org.opencontainers.image.ref.name=fontquery/fedora/base, org.opencontainers.image.title=fedora, io.buildah.version=1.33.7, org.opencontainers.image.source=https://github.com/fedora-i18n/fontquery, org.opencontainers.image.url=https://fedoraproject.org/, org.opencontainers.image.licenses=MIT, org.opencontainers.image.version=rawhide)
Feb 04 16:07:51 fedora podman[5580]: 2026-02-04 16:07:51.21548228 +0900 JST m=+0.205010561 container start 78fb7ae06814828082154097d65c9796df0db895915a236370ab27f10956f4f8 (image=ghcr.io/fedora-i18n/fontquery/fedora/minimal:rawhide, name=heuristic_lumiere, org.opencontainers.image.description=Base image based on Fedora for fontquery, org.opencontainers.image.title=fedora, org.opencontainers.image.source=https://github.com/fedora-i18n/fontquery, org.opencontainers.image.url=https://fedoraproject.org/, org.opencontainers.image.vendor=Fedora Project, io.buildah.version=1.33.7, description=Working environment for fontquery - minimal, org.opencontainers.image.ref.name=fontquery/fedora/base, org.opencontainers.image.licenses=MIT, org.opencontainers.image.version=rawhide)
Feb 04 16:07:51 fedora podman[5580]: 2026-02-04 16:07:51.21973072 +0900 JST m=+0.209259001 container attach 78fb7ae06814828082154097d65c9796df0db895915a236370ab27f10956f4f8 (image=ghcr.io/fedora-i18n/fontquery/fedora/minimal:rawhide, name=heuristic_lumiere, org.opencontainers.image.ref.name=fontquery/fedora/base, org.opencontainers.image.version=rawhide, org.opencontainers.image.description=Base image based on Fedora for fontquery, org.opencontainers.image.title=fedora, io.buildah.version=1.33.7, description=Working environment for fontquery - minimal, org.opencontainers.image.source=https://github.com/fedora-i18n/fontquery, org.opencontainers.image.url=https://fedoraproject.org/, org.opencontainers.image.licenses=MIT, org.opencontainers.image.vendor=Fedora Project)
Feb 04 16:07:51 fedora audit[5608]: AVC avc:  denied  { read } for  pid=5608 comm="fontquery-clien" path="/usr/lib64/libc.so.6" dev="dm-1" ino=19432597 scontext=system_u:system_r:container_t:s0:c732,c795 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Feb 04 16:07:51 fedora heuristic_lumiere[5606]: /usr/bin/python3: error while loading shared libraries: /lib64/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
Feb 04 16:07:51 fedora conmon[5606]: conmon 78fb7ae0681482808215 <nwarn>: Failed to open cgroups file: /sys/fs/cgroup/user.slice/user-1000.slice/user/user.slice/libpod-78fb7ae06814828082154097d65c9796df0db895915a236370ab27f10956f4f8.scope/container/memory.events
Feb 04 16:07:51 fedora systemd[2953]: libpod-78fb7ae06814828082154097d65c9796df0db895915a236370ab27f10956f4f8.scope: Consumed 55ms CPU time over 127ms wall clock time, 20.3M memory peak, 38.7M read from disk.
Feb 04 16:07:51 fedora podman[5615]: 2026-02-04 16:07:51.3603764 +0900 JST m=+0.029566961 container died 78fb7ae06814828082154097d65c9796df0db895915a236370ab27f10956f4f8 (image=ghcr.io/fedora-i18n/fontquery/fedora/minimal:rawhide, name=heuristic_lumiere, org.opencontainers.image.title=fedora, org.opencontainers.image.version=rawhide, org.opencontainers.image.description=Base image based on Fedora for fontquery, org.opencontainers.image.source=https://github.com/fedora-i18n/fontquery, org.opencontainers.image.url=https://fedoraproject.org/, org.opencontainers.image.vendor=Fedora Project, io.buildah.version=1.33.7, description=Working environment for fontquery - minimal, org.opencontainers.image.licenses=MIT, org.opencontainers.image.ref.name=fontquery/fedora/base)
Feb 04 16:07:51 fedora podman[5615]: 2026-02-04 16:07:51.40612708 +0900 JST m=+0.075317641 container remove 78fb7ae06814828082154097d65c9796df0db895915a236370ab27f10956f4f8 (image=ghcr.io/fedora-i18n/fontquery/fedora/minimal:rawhide, name=heuristic_lumiere, org.opencontainers.image.description=Base image based on Fedora for fontquery, org.opencontainers.image.url=https://fedoraproject.org/, description=Working environment for fontquery - minimal, org.opencontainers.image.title=fedora, org.opencontainers.image.version=rawhide, io.buildah.version=1.33.7, org.opencontainers.image.source=https://github.com/fedora-i18n/fontquery, org.opencontainers.image.vendor=Fedora Project, org.opencontainers.image.licenses=MIT, org.opencontainers.image.ref.name=fontquery/fedora/base)
Feb 04 16:07:51 fedora python3[5495]: detected unhandled Python exception in '/usr/bin/fontquery-diff'

As you can see, fontquery-diff does some stuff with containers. I'm CCing atagoh, the maintainer, who can provide more details if necessary.

In the 20260127.n.0 compose itself, the fontquery and selinux-policy packages didn't change, nor did podman; but glibc did. However, this *could* also be triggered by changes to the container images fontquery uses - those images may have changed between the last successful run of the test and the first failure.

The tool runs fine if I set SELinux to permissive mode, so it's definitely the denial causing the crash.

Comment 1 Zdenek Pytela 2026-02-04 13:54:58 UTC
I am not familiar with the setup which is what I would need for assessing, but this:

Feb 04 16:07:51 fedora audit[5608]: AVC avc:  denied  { read } for  pid=5608 comm="fontquery-clien" path="/usr/lib64/libc.so.6" dev="dm-1" ino=19432597 scontext=system_u:system_r:container_t:s0:c732,c795 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

indicates an incorrect label of libc.so.6.

One more note: while this is true most of the time:
> The tool runs fine if I set SELinux to permissive mode, so it's definitely the denial causing the crash.
it is not always.
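
The reading of the AVC record discussed in Comment 1, as an added example that is not part of the bug report or of any project's code: it splits the denial into its fields and flags a shared-library path whose target type is a home-directory type. LIBRARY_DIRS and the `_home_t` suffix check are assumptions of this example, not SELinux policy.

```python
import re

# AVC record copied from the journal excerpt in this bug report.
AVC_LINE = (
    'Feb 04 16:07:51 fedora audit[5608]: AVC avc:  denied  { read } for  '
    'pid=5608 comm="fontquery-clien" path="/usr/lib64/libc.so.6" dev="dm-1" '
    'ino=19432597 scontext=system_u:system_r:container_t:s0:c732,c795 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)

# Assumption for this example: directories where shared libraries live.
LIBRARY_DIRS = ("/usr/lib64/", "/usr/lib/", "/lib64/", "/lib/")


def parse_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    user, role, type_, level = (ctx.split(":", 3) + ["", "", "", ""])[:4]
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    fields = {"result": m.group(1), "perms": m.group(2).split()}
    # key="quoted value" or key=bare_value
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        fields[key] = quoted or bare
    fields["scontext"] = parse_context(fields.get("scontext", ""))
    fields["tcontext"] = parse_context(fields.get("tcontext", ""))
    return fields


def looks_mislabeled(avc):
    """Heuristic: a library path whose target type is a home-directory type."""
    in_lib_dir = avc.get("path", "").startswith(LIBRARY_DIRS)
    return in_lib_dir and avc["tcontext"]["type"].endswith("_home_t")


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print(avc["scontext"]["type"], avc["perms"], avc["path"],
          avc["tcontext"]["type"], "mislabeled:", looks_mislabeled(avc))
```
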

Comment 2 John Eckersberg 2026-02-19 14:28:08 UTC
I'm seeing a similar issue with glibc in upstream bootc CI, running against both f44 and c10s - https://github.com/bootc-dev/bootc/pull/1986#issuecomment-3927539765

Will require a bit more digging on my end but wanted to drop a note here before I lose track of it.

