containers / buildah

A tool that facilitates building OCI images.
https://buildah.io
Apache License 2.0

rootless podman build on overlay backing store gives selinux denials #1158

Closed dustymabe closed 5 years ago

dustymabe commented 5 years ago

Version info:

Fedora 29 Atomic Host

```
[vagrant@vanilla-f29-atomic ~]$ rpm -q podman kernel selinux-policy-targeted
podman-0.10.1.3-4.gitdb08685.fc29.x86_64
kernel-4.18.16-300.fc29.x86_64
selinux-policy-targeted-3.14.2-41.fc29.noarch
[vagrant@vanilla-f29-atomic ~]$
[vagrant@vanilla-f29-atomic ~]$ rpm-ostree status
State: idle
Warning: failed to query journal: address not available
AutomaticUpdates: disabled
Deployments:
● ostree://fedora-atomic:fedora/29/x86_64/testing/atomic-host
                   Version: 29.20181105.0 (2018-11-05T02:49:51Z)
                BaseCommit: 7c4e99977aabfe6464df95c9b7dfec85420e1c7c29ac8b76d219ee4756146cce
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
           LayeredPackages: fuse-sshfs

  ostree://fedora-atomic:fedora/29/x86_64/atomic-host
                   Version: 29.20181025.1 (2018-10-25T14:46:54Z)
                BaseCommit: 4a999b4b303b47468ff1464051a14fd075d2e7b8bb647584b7cc80fed48cf27b
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
           LayeredPackages: fuse-sshfs
[vagrant@vanilla-f29-atomic ~]$ podman info
host:
  BuildahVersion: 1.5-dev
  Conmon:
    package: podman-0.10.1.3-4.gitdb08685.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 1f741a8b8381375b068b147605704a02a91167a2-dirty'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 1591836672
  MemTotal: 4134961152
  OCIRuntime:
    package: runc-1.0.0-57.dev.git9e5aa74.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc5+dev
      commit: ff195010cbfd3c62a98a3fd2f7a1e1594afdda1a
      spec: 1.0.1-dev
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 4
  hostname: vanilla-f29-atomic
  kernel: 4.18.16-300.fc29.x86_64
  os: linux
  uptime: 16m 9.88s
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ContainerStore:
    number: 2
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /var/home/vagrant/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
  ImageStore:
    number: 5
  RunRoot: /run/user/1000/run
```

Description

I'm experimenting with using overlay as the backend since the vfs backend uses a lot of disk space. Once I finally got it configured right, I'm seeing SELinux denials on Fedora 29.

```
$ sudo ausearch -m avc
----
time->Tue Nov 6 03:29:42 2018
type=PROCTITLE msg=audit(1541474982.067:1152): proctitle="(null)"
type=SYSCALL msg=audit(1541474982.067:1152): arch=c000003e syscall=59 success=no exit=-13 a0=c000080918 a1=c000088ee0 a2=c000161d40 a3=0 items=0 ppid=4611 pid=4629 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=8 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c517,c774 key=(null)
type=AVC msg=audit(1541474982.067:1152): avc: denied { map } for pid=4629 comm="sh" path="/usr/bin/bash" dev="fuse" ino=13037 scontext=system_u:system_r:container_t:s0:c517,c774 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
----
time->Tue Nov 6 03:37:15 2018
type=PROCTITLE msg=audit(1541475435.334:1189): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D757365722D72756E74696D652D6469720073746F700031303030
type=SYSCALL msg=audit(1541475435.334:1189): arch=c000003e syscall=257 success=no exit=-13 a0=3 a1=559344e64883 a2=f0800 a3=0 items=0 ppid=1 pid=5108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-user-ru" exe="/usr/lib/systemd/systemd-user-runtime-dir" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1541475435.334:1189): avc: denied { read } for pid=5108 comm="systemd-user-ru" name="runc" dev="tmpfs" ino=40051 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0
----
time->Tue Nov 6 03:37:15 2018
type=PROCTITLE msg=audit(1541475435.334:1190): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D757365722D72756E74696D652D6469720073746F700031303030
type=SYSCALL msg=audit(1541475435.334:1190): arch=c000003e syscall=257 success=no exit=-13 a0=3 a1=559344e6489b a2=f0800 a3=0 items=0 ppid=1 pid=5108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-user-ru" exe="/usr/lib/systemd/systemd-user-runtime-dir" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1541475435.334:1190): avc: denied { read } for pid=5108 comm="systemd-user-ru" name="libpod" dev="tmpfs" ino=37236 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0
----
time->Tue Nov 6 03:37:15 2018
type=PROCTITLE msg=audit(1541475435.334:1191): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D757365722D72756E74696D652D6469720073746F700031303030
type=SYSCALL msg=audit(1541475435.334:1191): arch=c000003e syscall=257 success=no exit=-13 a0=3 a1=559344e648bb a2=f0800 a3=0 items=0 ppid=1 pid=5108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-user-ru" exe="/usr/lib/systemd/systemd-user-runtime-dir" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1541475435.334:1191): avc: denied { read } for pid=5108 comm="systemd-user-ru" name="run" dev="tmpfs" ino=37233 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0
----
time->Tue Nov 6 03:38:51 2018
type=PROCTITLE msg=audit(1541475531.656:487): proctitle="(null)"
type=SYSCALL msg=audit(1541475531.656:487): arch=c000003e syscall=59 success=no exit=-13 a0=c0000807a8 a1=c000088900 a2=c000183f50 a3=0 items=0 ppid=2211 pid=2230 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c496,c601 key=(null)
type=AVC msg=audit(1541475531.656:487): avc: denied { map } for pid=2230 comm="sh" path="/usr/bin/bash" dev="fuse" ino=13037 scontext=system_u:system_r:container_t:s0:c496,c601 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
----
time->Tue Nov 6 03:39:11 2018
type=PROCTITLE msg=audit(1541475551.254:489): proctitle="(null)"
type=SYSCALL msg=audit(1541475551.254:489): arch=c000003e syscall=59 success=no exit=-13 a0=c0000e87a8 a1=c0000e4900 a2=c000171f50 a3=0 items=0 ppid=2335 pid=2354 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c44,c896 key=(null)
type=AVC msg=audit(1541475551.254:489): avc: denied { map } for pid=2354 comm="sh" path="/usr/bin/bash" dev="fuse" ino=13037 scontext=system_u:system_r:container_t:s0:c44,c896 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
----
time->Tue Nov 6 03:40:21 2018
type=PROCTITLE msg=audit(1541475621.983:497): proctitle="(null)"
type=SYSCALL msg=audit(1541475621.983:497): arch=c000003e syscall=59 success=no exit=-13 a0=c0000fc0e8 a1=c000084900 a2=c000079f50 a3=0 items=0 ppid=2609 pid=2629 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c624,c1014 key=(null)
type=AVC msg=audit(1541475621.983:497): avc: denied { map } for pid=2629 comm="sh" path="/usr/bin/bash" dev="fuse" ino=2534 scontext=system_u:system_r:container_t:s0:c624,c1014 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
----
time->Tue Nov 6 03:41:50 2018
type=PROCTITLE msg=audit(1541475710.257:513): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820636F6E6669677572655F79756D5F7265706F73
type=SYSCALL msg=audit(1541475710.257:513): arch=c000003e syscall=59 success=yes exit=0 a0=c0000ee768 a1=c0000ec900 a2=c000159f50 a3=0 items=0 ppid=2767 pid=2787 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c689,c742 key=(null)
type=AVC msg=audit(1541475710.257:513): avc: denied { read execute } for pid=2787 comm="sh" path="/usr/bin/bash" dev="fuse" ino=2534 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475710.257:513): avc: denied { map } for pid=2787 comm="sh" path="/usr/bin/bash" dev="fuse" ino=2534 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:50 2018
type=PROCTITLE msg=audit(1541475710.260:514): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820636F6E6669677572655F79756D5F7265706F73
type=SYSCALL msg=audit(1541475710.260:514): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fc88304f90d a2=80000 a3=0 items=0 ppid=2767 pid=2787 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c689,c742 key=(null)
type=AVC msg=audit(1541475710.260:514): avc: denied { open } for pid=2787 comm="sh" path="/etc/ld.so.cache" dev="fuse" ino=67149040 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:50 2018
type=PROCTITLE msg=audit(1541475710.260:515): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820636F6E6669677572655F79756D5F7265706F73
type=SYSCALL msg=audit(1541475710.260:515): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fc883257ce0 a2=80000 a3=0 items=0 ppid=2767 pid=2787 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c689,c742 key=(null)
type=AVC msg=audit(1541475710.260:515): avc: denied { read } for pid=2787 comm="sh" name="lib64" dev="fuse" ino=36279557 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Nov 6 03:41:50 2018
type=PROCTITLE msg=audit(1541475710.264:516): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820636F6E6669677572655F79756D5F7265706F73
type=SYSCALL msg=audit(1541475710.264:516): arch=c000003e syscall=59 success=yes exit=0 a0=55adaa7c1e20 a1=55adaa7c1ef0 a2=55adaa7c0190 a3=55adaa7b7010 items=0 ppid=2767 pid=2787 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="build.sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c689,c742 key=(null)
type=AVC msg=audit(1541475710.264:516): avc: denied { execute_no_trans } for pid=2787 comm="sh" path="/root/containerbuild/build.sh" dev="fuse" ino=67155188 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:50 2018
type=PROCTITLE msg=audit(1541475710.270:517): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820636F6E6669677572655F79756D5F7265706F73
type=SYSCALL msg=audit(1541475710.270:517): arch=c000003e syscall=16 success=no exit=-38 a0=3 a1=5401 a2=7ffcd9e3dc80 a3=55b1bdde6010 items=0 ppid=2767 pid=2787 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="build.sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c689,c742 key=(null)
type=AVC msg=audit(1541475710.270:517): avc: denied { ioctl } for pid=2787 comm="build.sh" path="/root/containerbuild/build.sh" dev="fuse" ino=67155188 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:50 2018
type=PROCTITLE msg=audit(1541475710.271:518): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820636F6E6669677572655F79756D5F7265706F73
type=SYSCALL msg=audit(1541475710.271:518): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55b1bde00280 a2=241 a3=1b6 items=0 ppid=2767 pid=2787 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="build.sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c689,c742 key=(null)
type=AVC msg=audit(1541475710.271:518): avc: denied { write } for pid=2787 comm="build.sh" path="/etc/yum.repos.d/fahc.repo" dev="fuse" ino=67155195 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475710.271:518): avc: denied { create } for pid=2787 comm="build.sh" name="fahc.repo" scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475710.271:518): avc: denied { add_name } for pid=2787 comm="build.sh" name="fahc.repo" scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475710.271:518): avc: denied { write } for pid=2787 comm="build.sh" name="yum.repos.d" dev="fuse" ino=36276718 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:41:50 2018
type=PROCTITLE msg=audit(1541475710.364:519): proctitle=2F7573722F62696E2F636F72657574696C73002D2D636F72657574696C732D70726F672D73686562616E673D6D76002F7573722F62696E2F6D76002F6574632F79756D2E7265706F732E642F6665646F72612D636973636F2D6F70656E683236342E7265706F2E6E6577002F6574632F79756D2E7265706F732E642F6665646F
type=SYSCALL msg=audit(1541475710.364:519): arch=c000003e syscall=316 success=yes exit=0 a0=ffffff9c a1=7ffc19121ef7 a2=ffffff9c a3=7ffc19121f27 items=0 ppid=2787 pid=2865 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="mv" exe="/usr/bin/coreutils" subj=system_u:system_r:container_t:s0:c689,c742 key=(null)
type=AVC msg=audit(1541475710.364:519): avc: denied { unlink } for pid=2865 comm="mv" name="fedora-cisco-openh264.repo" dev="fuse" ino=36276719 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475710.364:519): avc: denied { rename } for pid=2865 comm="mv" name="fedora-cisco-openh264.repo.new" dev="fuse" ino=67155196 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475710.364:519): avc: denied { remove_name } for pid=2865 comm="mv" name="fedora-cisco-openh264.repo.new" dev="fuse" ino=67155196 scontext=system_u:system_r:container_t:s0:c689,c742 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.194:520): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820696E7374616C6C5F72706D73
type=SYSCALL msg=audit(1541475713.194:520): arch=c000003e syscall=59 success=yes exit=0 a0=c00007e7b8 a1=c000084900 a2=c000192000 a3=0 items=0 ppid=3213 pid=3232 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.194:520): avc: denied { read execute } for pid=3232 comm="sh" path="/usr/bin/bash" dev="fuse" ino=2534 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475713.194:520): avc: denied { map } for pid=3232 comm="sh" path="/usr/bin/bash" dev="fuse" ino=2534 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.196:521): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820696E7374616C6C5F72706D73
type=SYSCALL msg=audit(1541475713.196:521): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f0e05f2d90d a2=80000 a3=0 items=0 ppid=3213 pid=3232 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.196:521): avc: denied { open } for pid=3232 comm="sh" path="/etc/ld.so.cache" dev="fuse" ino=67149040 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.196:522): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820696E7374616C6C5F72706D73
type=SYSCALL msg=audit(1541475713.196:522): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f0e06135ce0 a2=80000 a3=0 items=0 ppid=3213 pid=3232 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.196:522): avc: denied { read } for pid=3232 comm="sh" name="lib64" dev="fuse" ino=36279557 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.202:523): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820696E7374616C6C5F72706D73
type=SYSCALL msg=audit(1541475713.202:523): arch=c000003e syscall=59 success=yes exit=0 a0=555f778f6cd0 a1=555f778f6eb0 a2=555f778f5180 a3=555f778ec010 items=0 ppid=3213 pid=3232 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="build.sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.202:523): avc: denied { execute_no_trans } for pid=3232 comm="sh" path="/root/containerbuild/build.sh" dev="fuse" ino=67155188 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.209:524): proctitle=2F62696E2F7368002D63002E2F6275696C642E736820696E7374616C6C5F72706D73
type=SYSCALL msg=audit(1541475713.209:524): arch=c000003e syscall=16 success=no exit=-38 a0=3 a1=5401 a2=7ffeb562a6f0 a3=558610e8e010 items=0 ppid=3213 pid=3232 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="build.sh" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.209:524): avc: denied { ioctl } for pid=3232 comm="build.sh" path="/root/containerbuild/build.sh" dev="fuse" ino=67155188 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.536:525): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475713.536:525): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f907140d950 a2=a00c2 a3=180 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.536:525): avc: denied { write } for pid=3255 comm="dnf" path="/tmp/6dm_1mlr" dev="fuse" ino=67214925 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475713.536:525): avc: denied { create } for pid=3255 comm="dnf" name="6dm_1mlr" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475713.536:525): avc: denied { add_name } for pid=3255 comm="dnf" name="6dm_1mlr" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475713.536:525): avc: denied { write } for pid=3255 comm="dnf" name="tmp" dev="fuse" ino=6146 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.538:526): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475713.538:526): arch=c000003e syscall=87 success=yes exit=0 a0=7f907140d950 a1=0 a2=7f90825049a0 a3=7f907140d810 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.538:526): avc: denied { unlink } for pid=3255 comm="dnf" name="6dm_1mlr" dev="fuse" ino=67214925 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1541475713.538:526): avc: denied { remove_name } for pid=3255 comm="dnf" name="6dm_1mlr" dev="fuse" ino=67214925 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.539:527): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475713.539:527): arch=c000003e syscall=190 success=yes exit=0 a0=4 a1=7f907e6577e0 a2=7f907e65af50 a3=1 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.539:527): avc: denied { setattr } for pid=3255 comm="dnf" name="tmpke9a8eha" dev="fuse" ino=67214925 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.543:528): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475713.543:528): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffcce3fa970 a3=1a4 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.543:528): avc: denied { lock } for pid=3255 comm="dnf" path="/var/lib/rpm/.dbenv.lock" dev="fuse" ino=36280815 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:53 2018
type=PROCTITLE msg=audit(1541475713.549:529): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475713.549:529): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f907142c980 a2=80441 a3=1b6 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475713.549:529): avc: denied { append } for pid=3255 comm="dnf" path="/var/log/dnf.log" dev="fuse" ino=67214930 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:41:54 2018
type=PROCTITLE msg=audit(1541475714.686:530): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475714.686:530): arch=c000003e syscall=83 success=yes exit=0 a0=7f90713d9050 a1=1c0 a2=7f90825049a0 a3=69 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475714.686:530): avc: denied { create } for pid=3255 comm="dnf" name="dnf-bahloyf6" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:41:55 2018
type=PROCTITLE msg=audit(1541475715.290:531): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475715.290:531): arch=c000003e syscall=82 success=yes exit=0 a0=7f90713ab310 a1=7f907146dd10 a2=7f90825049a0 a3=0 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475715.290:531): avc: denied { reparent } for pid=3255 comm="dnf" name="repodata" dev="fuse" ino=134361847 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475715.290:531): avc: denied { rename } for pid=3255 comm="dnf" name="repodata" dev="fuse" ino=134361847 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:41:55 2018
type=PROCTITLE msg=audit(1541475715.291:532): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475715.291:532): arch=c000003e syscall=84 success=yes exit=0 a0=7f9071397c90 a1=0 a2=7f90825049a0 a3=0 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475715.291:532): avc: denied { rmdir } for pid=3255 comm="dnf" name="dnf-bahloyf6" dev="fuse" ino=100835402 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:41:55 2018
type=PROCTITLE msg=audit(1541475715.299:533): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475715.299:533): arch=c000003e syscall=82 success=yes exit=0 a0=56229ac894c0 a1=56229aa5c2a0 a2=7ffcce3fab78 a3=56229a664010 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475715.299:533): avc: denied { rename } for pid=3255 comm="dnf" name="dustymabe-ignition.solv.mdlTTv" dev="fuse" ino=67214946 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:42:20 2018
type=PROCTITLE msg=audit(1541475740.590:540): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475740.590:540): arch=c000003e syscall=83 success=yes exit=0 a0=7f907013c908 a1=1ed a2=7f90825049a0 a3=69 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475740.590:540): avc: denied { create } for pid=3255 comm="dnf" name="fedora-f21308f6293b3270" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475740.590:540): avc: denied { add_name } for pid=3255 comm="dnf" name="fedora-f21308f6293b3270" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475740.590:540): avc: denied { write } for pid=3255 comm="dnf" name="dnf" dev="fuse" ino=100668574 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:42:20 2018
type=PROCTITLE msg=audit(1541475740.592:541): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475740.592:541): arch=c000003e syscall=82 success=yes exit=0 a0=7f90713ab790 a1=7f90713a0190 a2=7f90825049a0 a3=7f90713a09e0 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475740.592:541): avc: denied { reparent } for pid=3255 comm="dnf" name="repodata" dev="fuse" ino=100835403 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475740.592:541): avc: denied { rename } for pid=3255 comm="dnf" name="repodata" dev="fuse" ino=100835403 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475740.592:541): avc: denied { remove_name } for pid=3255 comm="dnf" name="repodata" dev="fuse" ino=100835403 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:42:20 2018
type=PROCTITLE msg=audit(1541475740.593:542): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475740.593:542): arch=c000003e syscall=84 success=yes exit=0 a0=7f90701582b8 a1=0 a2=7f90825049a0 a3=7f9070158260 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475740.593:542): avc: denied { rmdir } for pid=3255 comm="dnf" name="dnf-dmuv392n" dev="fuse" ino=67214973 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:42:50 2018
type=PROCTITLE msg=audit(1541475770.136:543): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475770.136:543): arch=c000003e syscall=92 success=yes exit=0 a0=56229aa6c9e0 a1=0 a2=0 a3=0 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475770.136:543): avc: denied { setattr } for pid=3255 comm="dnf" name=".build-id" dev="fuse" ino=100666379 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
----
time->Tue Nov 6 03:42:50 2018
type=PROCTITLE msg=audit(1541475770.137:544): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475770.137:544): arch=c000003e syscall=88 success=yes exit=0 a0=56229acf78de a1=56229a9a44c0 a2=56229ae55520 a3=0 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475770.137:544): avc: denied { create } for pid=3255 comm="dnf" name="8e87ac1f3e6451ce5fdc95eb281245f7f9f0e7;5be10db9" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Nov 6 03:42:50 2018
type=PROCTITLE msg=audit(1541475770.138:545): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475770.138:545): arch=c000003e syscall=94 success=yes exit=0 a0=56229a9a44c0 a1=0 a2=0 a3=0 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475770.138:545): avc: denied { setattr } for pid=3255 comm="dnf" name="8e87ac1f3e6451ce5fdc95eb281245f7f9f0e7;5be10db9" dev="fuse" ino=0 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Nov 6 03:42:50 2018
type=PROCTITLE msg=audit(1541475770.138:546): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475770.138:546): arch=c000003e syscall=82 success=yes exit=0 a0=56229a9a44c0 a1=56229ae2bb70 a2=ffffffffffffff80 a3=7f907015d000 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475770.138:546): avc: denied { rename } for pid=3255 comm="dnf" name="8e87ac1f3e6451ce5fdc95eb281245f7f9f0e7;5be10db9" dev="fuse" ino=0 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Nov 6 03:42:50 2018
type=PROCTITLE msg=audit(1541475770.139:547): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475770.139:547): arch=c000003e syscall=82 success=yes exit=0 a0=56229ae48960 a1=56229aa6c9e0 a2=7ffcce3f9fb0 a3=7f907015d000 items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475770.139:547): avc: denied { unlink } for pid=3255 comm="dnf" name="libzstd.so.1" dev="fuse" ino=36280078 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=lnk_file permissive=1
----
time->Tue Nov 6 03:42:53 2018
type=PROCTITLE msg=audit(1541475773.306:548): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F646E66002D790064697374726F2D73796E63
type=SYSCALL msg=audit(1541475773.306:548): arch=c000003e syscall=86 success=yes exit=0 a0=56229ae589e0 a1=56229ab96d70 a2=20 a3=b items=0 ppid=3232 pid=3255 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dnf" exe="/usr/bin/python3.6" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475773.306:548): avc: denied { link } for pid=3255 comm="dnf" name="__init__.cpython-36.opt-1.pyc" dev="fuse" ino=67718642 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
----
time->Tue Nov 6 03:45:17 2018
type=PROCTITLE msg=audit(1541475917.111:549): proctitle=6770672D6167656E74002D2D686F6D65646972002F746D702F746D703165326761307162002D2D7573652D7374616E646172642D736F636B6574002D2D6461656D6F6E
type=SYSCALL msg=audit(1541475917.111:549): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=55c7776d6610 a2=1e a3=55c7776c7010 items=0 ppid=3232 pid=17172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=system_u:system_r:container_t:s0:c178,c272 key=(null)
type=AVC msg=audit(1541475917.111:549): avc: denied { create
} for pid=17172 comm="gpg-agent" name="S.gpg-agent" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=1 ---- time->Tue Nov 6 03:45:17 2018 type=PROCTITLE msg=audit(1541475917.111:550): proctitle=6770672D6167656E74002D2D686F6D65646972002F746D702F746D703165326761307162002D2D7573652D7374616E646172642D736F636B6574002D2D6461656D6F6E type=SYSCALL msg=audit(1541475917.111:550): arch=c000003e syscall=90 success=yes exit=0 a0=55c7776d6612 a1=1c0 a2=0 a3=55c7776c7010 items=0 ppid=3232 pid=17172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=system_u:system_r:container_t:s0:c178,c272 key=(null) type=AVC msg=audit(1541475917.111:550): avc: denied { setattr } for pid=17172 comm="gpg-agent" name="S.gpg-agent" dev="fuse" ino=0 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=1 ---- time->Tue Nov 6 03:45:17 2018 type=PROCTITLE msg=audit(1541475917.111:551): proctitle=6770672D6167656E74002D2D686F6D65646972002F746D702F746D703165326761307162002D2D7573652D7374616E646172642D736F636B6574002D2D6461656D6F6E type=SYSCALL msg=audit(1541475917.111:551): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=55c7776d6610 a2=24 a3=21 items=0 ppid=3232 pid=17172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=system_u:system_r:container_t:s0:c178,c272 key=(null) type=AVC msg=audit(1541475917.111:551): avc: denied { create } for pid=17172 comm="gpg-agent" name="S.gpg-agent.extra" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=1 ---- time->Tue Nov 6 03:45:17 2018 type=PROCTITLE msg=audit(1541475917.112:552): 
proctitle=67706732002D2D656E61626C652D7370656369616C2D66696C656E616D6573002D2D6261746368002D2D6E6F2D736B2D636F6D6D656E7473002D2D7374617475732D6664003233002D2D6E6F2D747479002D2D636861727365740075746638002D2D656E61626C652D70726F67726573732D66696C746572002D2D657869742D type=SYSCALL msg=audit(1541475917.112:552): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7ffe9ae93fa0 a2=1e a3=2000000 items=0 ppid=3232 pid=17170 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="gpg2" exe="/usr/bin/gpg2" subj=system_u:system_r:container_t:s0:c178,c272 key=(null) type=AVC msg=audit(1541475917.112:552): avc: denied { write } for pid=17170 comm="gpg2" name="S.gpg-agent" dev="fuse" ino=0 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=1 ```

If I `setenforce 0`, then my build continues. Is this a known issue?

giuseppe commented 5 years ago

Could you try whether setting the SELinux boolean `virt_sandbox_use_fusefs` makes a difference?

@rhatdan since we are going to use fuse-overlayfs as the default for rootless containers, should we change the default value for the boolean?
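As an added triage example (not code from the issue, podman or buildah): a parser for audit records in the format quoted in the report above that groups the denials by source type, target type and object class, flags whether they were only logged in permissive mode, and maps the container_t on fusefs_t pattern to the `virt_sandbox_use_fusefs` boolean named above. The sample records are constructed from the ones in the report.

```python
import re
from collections import defaultdict

# Constructed sample records, in the shape of the AVC records quoted in the report.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1541475740.590:540): arch=c000003e syscall=82 success=yes exit=0 comm="dnf"
type=AVC msg=audit(1541475740.590:540): avc: denied { write } for pid=3255 comm="dnf" name="dnf" dev="fuse" ino=100668574 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475740.592:541): avc: denied { rename } for pid=3255 comm="dnf" name="repodata" dev="fuse" ino=100835403 scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1541475917.111:549): avc: denied { create } for pid=17172 comm="gpg-agent" name="S.gpg-agent" scontext=system_u:system_r:container_t:s0:c178,c272 tcontext=system_u:object_r:fusefs_t:s0 tclass=sock_file permissive=1
"""

# Fields of one AVC record: denied permissions, command, contexts, object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)
# Boolean named in the thread that lets container processes use FUSE-backed mounts.
FUSEFS_BOOLEAN = "virt_sandbox_use_fusefs"

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield one dict per AVC denial record; SYSCALL/PROCTITLE records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {"perms": m["perms"].split(), "comm": m["comm"],
                   "stype": selinux_type(m["scontext"]),
                   "ttype": selinux_type(m["tcontext"]),
                   "tclass": m["tclass"], "permissive": m["permissive"] == "1"}

def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for avc in parse_avcs(text):
        groups[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

def all_permissive(text):
    """True when every denial was only logged (permissive mode, e.g. after setenforce 0)."""
    avcs = list(parse_avcs(text))
    return bool(avcs) and all(a["permissive"] for a in avcs)

def recommend(text):
    """Return the setsebool command when container_t is denied on fusefs_t, else None."""
    hits = [k for k in summarize(text) if k[:2] == ("container_t", "fusefs_t")]
    return f"setsebool -P {FUSEFS_BOOLEAN} 1" if hits else None
```

Feed it `ausearch -m AVC` output from the host; denials with other target types are summarized but get no recommendation, since the boolean only covers FUSE-backed mounts.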

rhatdan commented 5 years ago

We need to make the change in the spec file to turn the boolean on, on initial update, and then not change it again.

@lsm5 Could you look into this?

Basically once we make fuse-overlayfs the default we need to turn on the virt_sandbox_use_fusefs boolean.

We only want to do this once, on initial install and on the first upgrade when we make the change. We don't want to change this afterwards, since if an ADMIN does a

```
setsebool -P virt_sandbox_use_fusefs 0
```

we don't want an update to override him.

I think we should make this change in containers-common by adding a default nonroot-storage.conf file and setting the boolean there. That way we don't have to handle this in podman and buildah.

lsm5 commented 5 years ago

ack, will do

rhatdan commented 5 years ago

This is fixed in the current release.