rhatdan
commented
4 years ago This should have been opened against container-selinux not buildah.
Closed smijolovic closed 4 years ago
rhatdan
commented
4 years ago This should have been opened against container-selinux not buildah.
smijolovic
commented
4 years ago I will do that.
For compliance purposes, our development environment does not allow unconfined SELinux users. We use the staff SEUSER, and that is not working.
Our user: uid=2100(rpmbuild) gid=2100(rpmbuild) groups=2100(rpmbuild),510(logs) context=staff_u:staff_r:staff_t:s0
Home mount in fstab: /dev/mapper/chaasm-home /home xfs defaults 0 0
Home directory for rpmbuild: drwx------. 19 rpmbuild rpmbuild staff_u:object_r:user_home_dir_t:s0 4096 Apr 20 21:31 rpmbuild
more /etc/subuid rpmbuild:100000:65536 more /etc/subgid rpmbuild:100000:65536
When trying to build a flannel image in buildah using either the dockerfile or converting it to a buildah script, it fails when SELinux is in enforced mode.
Both are able to pull the alpine image (after building an SELinux policy) but can not run the image and then it fails.
With buildah bud... $BUILDAH_ISOLATION=rootless buildah bud -t 0.12.0-amd64 -f $BUILD_FLANNEL/src/github.com/coreos/flannel/Dockerfile.amd64 --log-level=debug .
DEBU running [buildah-in-a-user-namespace bud -t v0.12.0-amd64 -f /home/rpmbuild/nimbus8/flannel-build/src/github.com/coreos/flannel/Dockerfile.amd64 --log-level=debug .] with environment [BUILDAH_ISOLATION=rootless LS_COLORS=rs=0:di=38;5;33:ln=38;5;51:mh=00:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=01;05;37;41:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;40:.tar=38;5;9:.tgz=38;5;9:.arc=38;5;9:.arj=38;5;9:.taz=38;5;9:.lha=38;5;9:.lz4=38;5;9:.lzh=38;5;9:.lzma=38;5;9:.tlz=38;5;9:.txz=38;5;9:.tzo=38;5;9:.t7z=38;5;9:.zip=38;5;9:.z=38;5;9:.dz=38;5;9:.gz=38;5;9:.lrz=38;5;9:.lz=38;5;9:.lzo=38;5;9:.xz=38;5;9:.zst=38;5;9:.tzst=38;5;9:.bz2=38;5;9:.bz=38;5;9:.tbz=38;5;9:.tbz2=38;5;9:.tz=38;5;9:.deb=38;5;9:.rpm=38;5;9:.jar=38;5;9:.war=38;5;9:.ear=38;5;9:.sar=38;5;9:.rar=38;5;9:.alz=38;5;9:.ace=38;5;9:.zoo=38;5;9:.cpio=38;5;9:.7z=38;5;9:.rz=38;5;9:.cab=38;5;9:.wim=38;5;9:.swm=38;5;9:.dwm=38;5;9:.esd=38;5;9:.jpg=38;5;13:.jpeg=38;5;13:.mjpg=38;5;13:.mjpeg=38;5;13:.gif=38;5;13:.bmp=38;5;13:.pbm=38;5;13:.pgm=38;5;13:.ppm=38;5;13:.tga=38;5;13:.xbm=38;5;13:.xpm=38;5;13:.tif=38;5;13:.tiff=38;5;13:.png=38;5;13:.svg=38;5;13:.svgz=38;5;13:.mng=38;5;13:.pcx=38;5;13:.mov=38;5;13:.mpg=38;5;13:.mpeg=38;5;13:.m2v=38;5;13:.mkv=38;5;13:.webm=38;5;13:.ogm=38;5;13:.mp4=38;5;13:.m4v=38;5;13:.mp4v=38;5;13:.vob=38;5;13:.qt=38;5;13:.nuv=38;5;13:.wmv=38;5;13:.asf=38;5;13:.rm=38;5;13:.rmvb=38;5;13:.flc=38;5;13:.avi=38;5;13:.fli=38;5;13:.flv=38;5;13:.gl=38;5;13:.dl=38;5;13:.xcf=38;5;13:.xwd=38;5;13:.yuv=38;5;13:.cgm=38;5;13:.emf=38;5;13:.ogv=38;5;13:.ogx=38;5;13:.aac=38;5;45:.au=38;5;45:.flac=38;5;45:.m4a=38;5;45:.mid=38;5;45:.midi=38;5;45:.mka=38;5;45:.mp3=38;5;45:.mpc=38;5;45:.ogg=38;5;45:.ra=38;5;45:.wav=38;5;45:.oga=38;5;45:.opus=38;5;45:.spx=38;5;45:*.xspf=38;5;45: SSH_CONNECTION=172.16.37.1 65215 172.16.37.187 22 LANG=en_US.UTF-8 HISTCONTROL=ignoredups HISTTIMEFORMAT=[ %FT%T ] HOSTNAME=localhost.localdomain OLDPWD=/home/rpmbuild/nimbus8/flannel-build/src/github.com/coreos XDG_SESSION_ID=3 USER=rpmbuild GOPATH=/home/rpmbuild/nimbus8/flannel-build SELINUX_ROLE_REQUESTED= PWD=/home/rpmbuild/nimbus8/flannel-build/src/github.com/coreos/flannel HOME=/home/rpmbuild SSH_CLIENT=172.16.37.1 65215 22 SELINUX_LEVEL_REQUESTED= TMPDIR=/home/rpmbuild/nimbus8/flannel-build/tmp SSH_TTY=/dev/pts/1 MAIL=/var/spool/mail/rpmbuild SHELL=/bin/bash TERM=xterm-256color SELINUX_USE_CURRENT_RANGE= TMOUT=600 SHLVL=2 LOGNAME=rpmbuild DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/2100/bus XDG_RUNTIMEDIR=/run/user/2100 PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/rpmbuild/.local/bin:/home/rpmbuild/bin:/usr/local/go14/bin:/usr/local/gotools/bin HISTSIZE=1000 LESSOPEN=||/usr/bin/lesspipe.sh %s =/usr/bin/buildah _CONTAINERS_USERNS_CONFIGURED=1], UID map [{ContainerID:0 HostID:2100 Size:1} {ContainerID:1 HostID:100000 Size:65536}], and GID map [{ContainerID:0 HostID:2100 Size:1} {ContainerID:1 HostID:100000 Size:65536}] WARN error running newuidmap: exit status 1: newuidmap: write to uid_map failed: Operation not permitted WARN falling back to single mapping
DEBU Pull Policy for pull [PullIfNewer]
DEBU umask value too restrictive. Forcing it to 022 DEBU [graphdriver] trying provided driver "overlay" DEBU overlay: mount_program=/usr/bin/fuse-overlayfs DEBU overlay: mount_program=/usr/bin/fuse-overlayfs DEBU backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false DEBU reading local Dockerfile "/home/rpmbuild/nimbus8/flannel-build/src/github.com/coreos/flannel/Dockerfile.amd64" DEBU base: "alpine"
DEBU FROM "alpine"
STEP 1: FROM alpine
Pulls the image. Then when it tries to execute a run in the docker file:
STEP 4: RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates DEBU RUN imagebuilder.Run{Shell:true, Args:[]string{"apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates"}}, docker.Config{Hostname:"", Domainname:"", User:"", Memory:0, MemorySwap:0, MemoryReservation:0, KernelMemory:0, CPUShares:0, CPUSet:"", PortSpecs:[]string(nil), ExposedPorts:map[docker.Port]struct {}{}, PublishService:"", StopSignal:"", StopTimeout:0, Env:[]string{"FLANNEL_ARCH=amd64", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "", "FLANNEL_ARCH=amd64"}, Cmd:[]string{"/bin/sh"}, Shell:[]string{}, Healthcheck:(*docker.HealthConfig)(nil), DNS:[]string(nil), Image:"", Volumes:map[string]struct {}{}, VolumeDriver:"", WorkingDir:"", MacAddress:"", Entrypoint:[]string{}, SecurityOpts:[]string(nil), OnBuild:[]string{}, Mounts:[]docker.Mount(nil), Labels:map[string]string{"maintainer":"Tom Denham tom@tigera.io"}, AttachStdin:false, AttachStdout:false, AttachStderr:false, ArgsEscaped:false, Tty:false, OpenStdin:false, StdinOnce:false, NetworkDisabled:false, VolumesFrom:""} DEBU using "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328" to hold bundle data DEBU Forcing use of an IPC namespace.
DEBU Forcing use of a PID namespace.
DEBU Forcing use of a user namespace.
DEBU Resources: &buildah.CommonBuildOptions{AddHost:[]string{}, CgroupParent:"", CPUPeriod:0x0, CPUQuota:0, CPUShares:0x0, CPUSetCPUs:"", CPUSetMems:"", HTTPProxy:true, Memory:0, DNSSearch:[]string{}, DNSServers:[]string{}, DNSOptions:[]string{}, MemorySwap:0, LabelOpts:[]string(nil), SeccompProfilePath:"/usr/share/containers/seccomp.json", ApparmorProfile:"", ShmSize:"65536k", Ulimit:[]string{}, Volumes:[]string{}} DEBU stdio is a terminal, defaulting to using a terminal DEBU ensuring working directory "/home/rpmbuild/.local/share/containers/storage/overlay/ed50816356d5529ce65922e593d577e37fd2c190121ec0800f707fd5bc21caa9/merged" exists DEBU bind mounted "/home/rpmbuild/.local/share/containers/storage/overlay/ed50816356d5529ce65922e593d577e37fd2c190121ec0800f707fd5bc21caa9/merged" to "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/mnt/rootfs" DEBU bind mounted "/home/rpmbuild/.local/share/containers/storage/overlay-containers/a0733fdb61f03315138e7b7a5d5388cbbb8b3c3b56a2f4dd485c959890bf4d2b/userdata/run/secrets" to "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/mnt/buildah-bind-target-6" DEBU config = {"ociVersion":"1.0.1-dev","process":{"terminal":true,"user":{"uid":0,"gid":0},"args":["/bin/sh","-c","apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan \u0026\u0026 update-ca-certificates"],"env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","FLANNEL_ARCH=amd64","HOSTNAME="],"cwd":"/","capabilities":{"bounding":["CAP_DAC_OVERRIDE","CAP_FSETID","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_CHOWN","CAP_FOWNER","CAP_KILL","CAP_SETUID","CAP_AUDIT_WRITE","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_MKNOD","CAP_SYS_CHROOT"],"effective":["CAP_DAC_OVERRIDE","CAP_FSETID","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_CHOWN","CAP_FOWNER","CAP_KILL","CAP_SETUID","CAP_AUDIT_WRITE","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_MKNOD","CAP_SYS_CHROOT"],"inheritable":["CAP_DAC_OVERRIDE","CAP_FSETID","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_CHOWN","CAP_FOWNER","CAP_KILL","CAP_SETUID","CAP_AUDIT_WRITE","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_MKNOD","CAP_SYS_CHROOT"],"permitted":["CAP_DAC_OVERRIDE","CAP_FSETID","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_CHOWN","CAP_FOWNER","CAP_KILL","CAP_SETUID","CAP_AUDIT_WRITE","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_MKNOD","CAP_SYS_CHROOT"],"ambient":["CAP_DAC_OVERRIDE","CAP_FSETID","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_CHOWN","CAP_FOWNER","CAP_KILL","CAP_SETUID","CAP_AUDIT_WRITE","CAP_SETFCAP","CAP_SETGID","CAP_SETPCAP","CAP_MKNOD","CAP_SYS_CHROOT"]},"rlimits":[{"type":"RLIMIT_NOFILE","hard":1024,"soft":1024}],"selinuxLabel":"system_u:system_r:container_t:s0:c64,c472"},"root":{"path":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/mnt/rootfs"},"mounts":[{"destination":"/dev","type":"tmpfs","source":"/dev","options":["private","strictatime","noexec","nosuid","mode=755","size=65536k"]},{"destination":"/dev/mqueue","type":"mqueue","source":"mqueue","options":["private","nodev","noexec","nosuid"]},{"destination":"/dev/pts","type":"devpts","source":"pts","options":["private","noexec","nosuid","newinstance","ptmxmode=0666","mode=0620"]},{"destination":"/dev/shm","type":"tmpfs","source":"shm","options":["private","nodev","noexec","nosuid","mode=1777","size=65536k"]},{"destination":"/proc","type":"proc","source":"/proc","options":["private","nodev","noexec","nosuid"]},{"destination":"/sys","type":"bind","source":"/sys","options":["rbind","private","nodev","noexec","nosuid","ro"]},{"destination":"/run/secrets","type":"bind","source":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/mnt/buildah-bind-target-6","options":["bind","rprivate"]},{"destination":"/etc/hosts","type":"bind","source":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/hosts","options":["rbind"]},{"destination":"/etc/resolv.conf","type":"bind","source":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/resolv.conf","options":["rbind"]},{"destination":"/run/.containerenv","type":"bind","source":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/run/.containerenv","options":["rbind"]}],"linux":{"uidMappings":[{"containerID":0,"hostID":0,"size":1}],"gidMappings":[{"containerID":0,"hostID":0,"size":1},{"containerID":1,"hostID":1,"size":65536}],"namespaces":[{"type":"pid"},{"type":"ipc"},{"type":"mount"},{"type":"user"}],"seccomp":{"defaultAction":"SCMP_ACT_ERRNO","architectures":["SCMP_ARCH_X86_64","SCMP_ARCH_X86","SCMP_ARCH_X32"],"syscalls":[{"names":["accept"],"action":"SCMP_ACT_ALLOW"},{"names":["accept4"],"action":"SCMP_ACT_ALLOW"},{"names":["access"],"action":"SCMP_ACT_ALLOW"},{"names":["adjtimex"],"action":"SCMP_ACT_ALLOW"},{"names":["alarm"],"action":"SCMP_ACT_ALLOW"},{"names":["bind"],"action":"SCMP_ACT_ALLOW"},{"names":["brk"],"action":"SCMP_ACT_ALLOW"},{"names":["capget"],"action":"SCMP_ACT_ALLOW"},{"names":["capset"],"action":"SCMP_ACT_ALLOW"},{"names":["chdir"],"action":"SCMP_ACT_ALLOW"},{"names":["chmod"],"action":"SCMP_ACT_ALLOW"},{"names":["chown"],"action":"SCMP_ACT_ALLOW"},{"names":["chown32"],"action":"SCMP_ACT_ALLOW"},{"names":["clock_getres"],"action":"SCMP_ACT_ALLOW"},{"names":["clock_gettime"],"action":"SCMP_ACT_ALLOW"},{"names":["clock_nanosleep"],"action":"SCMP_ACT_ALLOW"},{"names":["close"],"action":"SCMP_ACT_ALLOW"},{"names":["connect"],"action":"SCMP_ACT_ALLOW"},{"names":["copy_file_range"],"action":"SCMP_ACT_ALLOW"},{"names":["creat"],"action":"SCMP_ACT_ALLOW"},{"names":["dup"],"action":"SCMP_ACT_ALLOW"},{"names":["dup2"],"action":"SCMP_ACT_ALLOW"},{"names":["dup3"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_create"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_create1"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_ctl"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_ctl_old"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_pwait"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_wait"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_wait_old"],"action":"SCMP_ACT_ALLOW"},{"names":["eventfd"],"action":"SCMP_ACT_ALLOW"},{"names":["eventfd2"],"action":"SCMP_ACT_ALLOW"},{"names":["execve"],"action":"SCMP_ACT_ALLOW"},{"names":["execveat"],"action":"SCMP_ACT_ALLOW"},{"names":["exit"],"action":"SCMP_ACT_ALLOW"},{"names":["exit_group"],"action":"SCMP_ACT_ALLOW"},{"names":["faccessat"],"action":"SCMP_ACT_ALLOW"},{"names":["fadvise64"],"action":"SCMP_ACT_ALLOW"},{"names":["fadvise64_64"],"action":"SCMP_ACT_ALLOW"},{"names":["fallocate"],"action":"SCMP_ACT_ALLOW"},{"names":["fanotify_mark"],"action":"SCMP_ACT_ALLOW"},{"names":["fchdir"],"action":"SCMP_ACT_ALLOW"},{"names":["fchmod"],"action":"SCMP_ACT_ALLOW"},{"names":["fchmodat"],"action":"SCMP_ACT_ALLOW"},{"names":["fchown"],"action":"SCMP_ACT_ALLOW"},{"names":["fchown32"],"action":"SCMP_ACT_ALLOW"},{"names":["fchownat"],"action":"SCMP_ACT_ALLOW"},{"names":["fcntl"],"action":"SCMP_ACT_ALLOW"},{"names":["fcntl64"],"action":"SCMP_ACT_ALLOW"},{"names":["fdatasync"],"action":"SCMP_ACT_ALLOW"},{"names":["fgetxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["flistxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["flock"],"action":"SCMP_ACT_ALLOW"},{"names":["fork"],"action":"SCMP_ACT_ALLOW"},{"names":["fremovexattr"],"action":"SCMP_ACT_ALLOW"},{"names":["fsetxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["fstat"],"action":"SCMP_ACT_ALLOW"},{"names":["fstat64"],"action":"SCMP_ACT_ALLOW"},{"names":["fstatat64"],"action":"SCMP_ACT_ALLOW"},{"names":["fstatfs"],"action":"SCMP_ACT_ALLOW"},{"names":["fstatfs64"],"action":"SCMP_ACT_ALLOW"},{"names":["fsync"],"action":"SCMP_ACT_ALLOW"},{"names":["ftruncate"],"action":"SCMP_ACT_ALLOW"},{"names":["ftruncate64"],"action":"SCMP_ACT_ALLOW"},{"names":["futex"],"action":"SCMP_ACT_ALLOW"},{"names":["futimesat"],"action":"SCMP_ACT_ALLOW"},{"names":["getcpu"],"action":"SCMP_ACT_ALLOW"},{"names":["getcwd"],"action":"SCMP_ACT_ALLOW"},{"names":["getdents"],"action":"SCMP_ACT_ALLOW"},{"names":["getdents64"],"action":"SCMP_ACT_ALLOW"},{"names":["getegid"],"action":"SCMP_ACT_ALLOW"},{"names":["getegid32"],"action":"SCMP_ACT_ALLOW"},{"names":["geteuid"],"action":"SCMP_ACT_ALLOW"},{"names":["geteuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getgid"],"action":"SCMP_ACT_ALLOW"},{"names":["getgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getgroups"],"action":"SCMP_ACT_ALLOW"},{"names":["getgroups32"],"action":"SCMP_ACT_ALLOW"},{"names":["getitimer"],"action":"SCMP_ACT_ALLOW"},{"names":["getpeername"],"action":"SCMP_ACT_ALLOW"},{"names":["getpgid"],"action":"SCMP_ACT_ALLOW"},{"names":["getpgrp"],"action":"SCMP_ACT_ALLOW"},{"names":["getpid"],"action":"SCMP_ACT_ALLOW"},{"names":["getppid"],"action":"SCMP_ACT_ALLOW"},{"names":["getpriority"],"action":"SCMP_ACT_ALLOW"},{"names":["getrandom"],"action":"SCMP_ACT_ALLOW"},{"names":["getresgid"],"action":"SCMP_ACT_ALLOW"},{"names":["getresgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getresuid"],"action":"SCMP_ACT_ALLOW"},{"names":["getresuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getrlimit"],"action":"SCMP_ACT_ALLOW"},{"names":["get_robust_list"],"action":"SCMP_ACT_ALLOW"},{"names":["getrusage"],"action":"SCMP_ACT_ALLOW"},{"names":["getsid"],"action":"SCMP_ACT_ALLOW"},{"names":["getsockname"],"action":"SCMP_ACT_ALLOW"},{"names":["getsockopt"],"action":"SCMP_ACT_ALLOW"},{"names":["get_thread_area"],"action":"SCMP_ACT_ALLOW"},{"names":["gettid"],"action":"SCMP_ACT_ALLOW"},{"names":["gettimeofday"],"action":"SCMP_ACT_ALLOW"},{"names":["getuid"],"action":"SCMP_ACT_ALLOW"},{"names":["getuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["inotify_add_watch"],"action":"SCMP_ACT_ALLOW"},{"names":["inotify_init"],"action":"SCMP_ACT_ALLOW"},{"names":["inotify_init1"],"action":"SCMP_ACT_ALLOW"},{"names":["inotify_rm_watch"],"action":"SCMP_ACT_ALLOW"},{"names":["io_cancel"],"action":"SCMP_ACT_ALLOW"},{"names":["ioctl"],"action":"SCMP_ACT_ALLOW"},{"names":["io_destroy"],"action":"SCMP_ACT_ALLOW"},{"names":["io_getevents"],"action":"SCMP_ACT_ALLOW"},{"names":["ioprio_get"],"action":"SCMP_ACT_ALLOW"},{"names":["ioprio_set"],"action":"SCMP_ACT_ALLOW"},{"names":["io_setup"],"action":"SCMP_ACT_ALLOW"},{"names":["io_submit"],"action":"SCMP_ACT_ALLOW"},{"names":["ipc"],"action":"SCMP_ACT_ALLOW"},{"names":["kill"],"action":"SCMP_ACT_ALLOW"},{"names":["lchown"],"action":"SCMP_ACT_ALLOW"},{"names":["lchown32"],"action":"SCMP_ACT_ALLOW"},{"names":["lgetxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["link"],"action":"SCMP_ACT_ALLOW"},{"names":["linkat"],"action":"SCMP_ACT_ALLOW"},{"names":["listen"],"action":"SCMP_ACT_ALLOW"},{"names":["listxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["llistxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["_llseek"],"action":"SCMP_ACT_ALLOW"},{"names":["lremovexattr"],"action":"SCMP_ACT_ALLOW"},{"names":["lseek"],"action":"SCMP_ACT_ALLOW"},{"names":["lsetxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["lstat"],"action":"SCMP_ACT_ALLOW"},{"names":["lstat64"],"action":"SCMP_ACT_ALLOW"},{"names":["madvise"],"action":"SCMP_ACT_ALLOW"},{"names":["memfd_create"],"action":"SCMP_ACT_ALLOW"},{"names":["mincore"],"action":"SCMP_ACT_ALLOW"},{"names":["mkdir"],"action":"SCMP_ACT_ALLOW"},{"names":["mkdirat"],"action":"SCMP_ACT_ALLOW"},{"names":["mknod"],"action":"SCMP_ACT_ALLOW"},{"names":["mknodat"],"action":"SCMP_ACT_ALLOW"},{"names":["mlock"],"action":"SCMP_ACT_ALLOW"},{"names":["mlock2"],"action":"SCMP_ACT_ALLOW"},{"names":["mlockall"],"action":"SCMP_ACT_ALLOW"},{"names":["mmap"],"action":"SCMP_ACT_ALLOW"},{"names":["mmap2"],"action":"SCMP_ACT_ALLOW"},{"names":["mprotect"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_getsetattr"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_notify"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_open"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_timedreceive"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_timedsend"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_unlink"],"action":"SCMP_ACT_ALLOW"},{"names":["mremap"],"action":"SCMP_ACT_ALLOW"},{"names":["msgctl"],"action":"SCMP_ACT_ALLOW"},{"names":["msgget"],"action":"SCMP_ACT_ALLOW"},{"names":["msgrcv"],"action":"SCMP_ACT_ALLOW"},{"names":["msgsnd"],"action":"SCMP_ACT_ALLOW"},{"names":["msync"],"action":"SCMP_ACT_ALLOW"},{"names":["munlock"],"action":"SCMP_ACT_ALLOW"},{"names":["munlockall"],"action":"SCMP_ACT_ALLOW"},{"names":["munmap"],"action":"SCMP_ACT_ALLOW"},{"names":["nanosleep"],"action":"SCMP_ACT_ALLOW"},{"names":["newfstatat"],"action":"SCMP_ACT_ALLOW"},{"names":["_newselect"],"action":"SCMP_ACT_ALLOW"},{"names":["open"],"action":"SCMP_ACT_ALLOW"},{"names":["openat"],"action":"SCMP_ACT_ALLOW"},{"names":["pause"],"action":"SCMP_ACT_ALLOW"},{"names":["pipe"],"action":"SCMP_ACT_ALLOW"},{"names":["pipe2"],"action":"SCMP_ACT_ALLOW"},{"names":["poll"],"action":"SCMP_ACT_ALLOW"},{"names":["ppoll"],"action":"SCMP_ACT_ALLOW"},{"names":["prctl"],"action":"SCMP_ACT_ALLOW"},{"names":["pread64"],"action":"SCMP_ACT_ALLOW"},{"names":["preadv"],"action":"SCMP_ACT_ALLOW"},{"names":["preadv2"],"action":"SCMP_ACT_ALLOW"},{"names":["prlimit64"],"action":"SCMP_ACT_ALLOW"},{"names":["pselect6"],"action":"SCMP_ACT_ALLOW"},{"names":["pwrite64"],"action":"SCMP_ACT_ALLOW"},{"names":["pwritev"],"action":"SCMP_ACT_ALLOW"},{"names":["pwritev2"],"action":"SCMP_ACT_ALLOW"},{"names":["read"],"action":"SCMP_ACT_ALLOW"},{"names":["readahead"],"action":"SCMP_ACT_ALLOW"},{"names":["readlink"],"action":"SCMP_ACT_ALLOW"},{"names":["readlinkat"],"action":"SCMP_ACT_ALLOW"},{"names":["readv"],"action":"SCMP_ACT_ALLOW"},{"names":["recv"],"action":"SCMP_ACT_ALLOW"},{"names":["recvfrom"],"action":"SCMP_ACT_ALLOW"},{"names":["recvmmsg"],"action":"SCMP_ACT_ALLOW"},{"names":["recvmsg"],"action":"SCMP_ACT_ALLOW"},{"names":["remap_file_pages"],"action":"SCMP_ACT_ALLOW"},{"names":["removexattr"],"action":"SCMP_ACT_ALLOW"},{"names":["rename"],"action":"SCMP_ACT_ALLOW"},{"names":["renameat"],"action":"SCMP_ACT_ALLOW"},{"names":["renameat2"],"action":"SCMP_ACT_ALLOW"},{"names":["restart_syscall"],"action":"SCMP_ACT_ALLOW"},{"names":["rmdir"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigaction"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigpending"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigprocmask"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigqueueinfo"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigreturn"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigsuspend"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigtimedwait"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_tgsigqueueinfo"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_getaffinity"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_getattr"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_getparam"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_get_priority_max"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_get_priority_min"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_getscheduler"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_rr_get_interval"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_setaffinity"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_setattr"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_setparam"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_setscheduler"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_yield"],"action":"SCMP_ACT_ALLOW"},{"names":["seccomp"],"action":"SCMP_ACT_ALLOW"},{"names":["select"],"action":"SCMP_ACT_ALLOW"},{"names":["semctl"],"action":"SCMP_ACT_ALLOW"},{"names":["semget"],"action":"SCMP_ACT_ALLOW"},{"names":["semop"],"action":"SCMP_ACT_ALLOW"},{"names":["semtimedop"],"action":"SCMP_ACT_ALLOW"},{"names":["send"],"action":"SCMP_ACT_ALLOW"},{"names":["sendfile"],"action":"SCMP_ACT_ALLOW"},{"names":["sendfile64"],"action":"SCMP_ACT_ALLOW"},{"names":["sendmmsg"],"action":"SCMP_ACT_ALLOW"},{"names":["sendmsg"],"action":"SCMP_ACT_ALLOW"},{"names":["sendto"],"action":"SCMP_ACT_ALLOW"},{"names":["setfsgid"],"action":"SCMP_ACT_ALLOW"},{"names":["setfsgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setfsuid"],"action":"SCMP_ACT_ALLOW"},{"names":["setfsuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setgid"],"action":"SCMP_ACT_ALLOW"},{"names":["setgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setgroups"],"action":"SCMP_ACT_ALLOW"},{"names":["setgroups32"],"action":"SCMP_ACT_ALLOW"},{"names":["setitimer"],"action":"SCMP_ACT_ALLOW"},{"names":["setpgid"],"action":"SCMP_ACT_ALLOW"},{"names":["setpriority"],"action":"SCMP_ACT_ALLOW"},{"names":["setregid"],"action":"SCMP_ACT_ALLOW"},{"names":["setregid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setresgid"],"action":"SCMP_ACT_ALLOW"},{"names":["setresgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setresuid"],"action":"SCMP_ACT_ALLOW"},{"names":["setresuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setreuid"],"action":"SCMP_ACT_ALLOW"},{"names":["setreuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setrlimit"],"action":"SCMP_ACT_ALLOW"},{"names":["set_robust_list"],"action":"SCMP_ACT_ALLOW"},{"names":["setsid"],"action":"SCMP_ACT_ALLOW"},{"names":["setsockopt"],"action":"SCMP_ACT_ALLOW"},{"names":["set_thread_area"],"action":"SCMP_ACT_ALLOW"},{"names":["set_tid_address"],"action":"SCMP_ACT_ALLOW"},{"names":["setuid"],"action":"SCMP_ACT_ALLOW"},{"names":["setuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["shmat"],"action":"SCMP_ACT_ALLOW"},{"names":["shmctl"],"action":"SCMP_ACT_ALLOW"},{"names":["shmdt"],"action":"SCMP_ACT_ALLOW"},{"names":["shmget"],"action":"SCMP_ACT_ALLOW"},{"names":["shutdown"],"action":"SCMP_ACT_ALLOW"},{"names":["sigaltstack"],"action":"SCMP_ACT_ALLOW"},{"names":["signalfd"],"action":"SCMP_ACT_ALLOW"},{"names":["signalfd4"],"action":"SCMP_ACT_ALLOW"},{"names":["sigreturn"],"action":"SCMP_ACT_ALLOW"},{"names":["socket"],"action":"SCMP_ACT_ALLOW"},{"names":["socketcall"],"action":"SCMP_ACT_ALLOW"},{"names":["socketpair"],"action":"SCMP_ACT_ALLOW"},{"names":["splice"],"action":"SCMP_ACT_ALLOW"},{"names":["stat"],"action":"SCMP_ACT_ALLOW"},{"names":["stat64"],"action":"SCMP_ACT_ALLOW"},{"names":["statfs"],"action":"SCMP_ACT_ALLOW"},{"names":["statfs64"],"action":"SCMP_ACT_ALLOW"},{"names":["statx"],"action":"SCMP_ACT_ALLOW"},{"names":["symlink"],"action":"SCMP_ACT_ALLOW"},{"names":["symlinkat"],"action":"SCMP_ACT_ALLOW"},{"names":["sync"],"action":"SCMP_ACT_ALLOW"},{"names":["sync_file_range"],"action":"SCMP_ACT_ALLOW"},{"names":["syncfs"],"action":"SCMP_ACT_ALLOW"},{"names":["sysinfo"],"action":"SCMP_ACT_ALLOW"},{"names":["syslog"],"action":"SCMP_ACT_ALLOW"},{"names":["tee"],"action":"SCMP_ACT_ALLOW"},{"names":["tgkill"],"action":"SCMP_ACT_ALLOW"},{"names":["time"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_create"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_delete"],"action":"SCMP_ACT_ALLOW"},{"names":["timerfd_create"],"action":"SCMP_ACT_ALLOW"},{"names":["timerfd_gettime"],"action":"SCMP_ACT_ALLOW"},{"names":["timerfd_settime"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_getoverrun"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_gettime"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_settime"],"action":"SCMP_ACT_ALLOW"},{"names":["times"],"action":"SCMP_ACT_ALLOW"},{"names":["tkill"],"action":"SCMP_ACT_ALLOW"},{"names":["truncate"],"action":"SCMP_ACT_ALLOW"},{"names":["truncate64"],"action":"SCMP_ACT_ALLOW"},{"names":["ugetrlimit"],"action":"SCMP_ACT_ALLOW"},{"names":["umask"],"action":"SCMP_ACT_ALLOW"},{"names":["uname"],"action":"SCMP_ACT_ALLOW"},{"names":["unlink"],"action":"SCMP_ACT_ALLOW"},{"names":["unlinkat"],"action":"SCMP_ACT_ALLOW"},{"names":["utime"],"action":"SCMP_ACT_ALLOW"},{"names":["utimensat"],"action":"SCMP_ACT_ALLOW"},{"names":["utimes"],"action":"SCMP_ACT_ALLOW"},{"names":["vfork"],"action":"SCMP_ACT_ALLOW"},{"names":["vmsplice"],"action":"SCMP_ACT_ALLOW"},{"names":["wait4"],"action":"SCMP_ACT_ALLOW"},{"names":["waitid"],"action":"SCMP_ACT_ALLOW"},{"names":["waitpid"],"action":"SCMP_ACT_ALLOW"},{"names":["write"],"action":"SCMP_ACT_ALLOW"},{"names":["writev"],"action":"SCMP_ACT_ALLOW"},{"names":["mount"],"action":"SCMP_ACT_ALLOW"},{"names":["umount2"],"action":"SCMP_ACT_ALLOW"},{"names":["reboot"],"action":"SCMP_ACT_ALLOW"},{"names":["name_to_handle_at"],"action":"SCMP_ACT_ALLOW"},{"names":["unshare"],"action":"SCMP_ACT_ALLOW"},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":0,"op":"SCMP_CMP_EQ"}]},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":8,"op":"SCMP_CMP_EQ"}]},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":131072,"op":"SCMP_CMP_EQ"}]},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":131080,"op":"SCMP_CMP_EQ"}]},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":4294967295,"op":"SCMP_CMP_EQ"}]},{"names":["arch_prctl"],"action":"SCMP_ACT_ALLOW"},{"names":["modify_ldt"],"action":"SCMP_ACT_ALLOW"},{"names":["clone"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":2080505856,"op":"SCMP_CMP_MASKED_EQ"}]},{"names":["chroot"],"action":"SCMP_ACT_ALLOW"}]},"maskedPaths":["/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware","/sys/fs/cgroup","/sys/fs/selinux"],"readonlyPaths":["/proc/asound","/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"mountLabel":"system_u:object_r:container_file_t:s0:c64,c472"}} DEBU Running ["runc" "create" "--bundle" "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328" "--pid-file" "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/pid" "--no-new-keyring" "--console-socket" "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah283664328/console.sock" "buildah-buildah283664328"] DEBU Running ["runc" "start" "buildah-buildah283664328"] DEBU socket descriptor is for "/dev/ptmx"
DEBU control messages: [{{20 1 1} [17 0 0 0]}]
DEBU fds: [17]
standard_init_linux.go:211: exec user process caused "permission denied" DEBU error building at step {Env:[FLANNEL_ARCH=amd64 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin FLANNEL_ARCH=amd64] Command:run Args:[apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates] Flags:[] Attrs:map[] Message:RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates Original:RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates}: error while running runtime: exit status 1 error building at STEP "RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates": error while running runtime: exit status 1 ERRO exit status 1
After converting to a buildah script - seeing the same issues:
$ buildah unshare ./flannel-amd64.sh
error running container: failed to read from slirp4netns sync pipe: EOF error running container: failed to read from slirp4netns sync pipe: EOF af3f31bd234d8816a1d57ea4145c968dcab2852bbe1a7ef5d4a9758caf4ee61f 914221d232f6e85366c93e1431f59a909b399900a7610f9489a2531b8878ea3a Getting image source signatures Copying blob beee9f30bc1f skipped: already exists
Copying blob ce7c2b534bf0 done
Copying config 97701edc27 done
Writing manifest to image destination Storing signatures 97701edc27f4b095b7314cc994e2ad889b2705a4f93add6b2877d96187e8657c
When run as root or setenforce 0 is set - it builds the image just fine.
Version: 1.14.8 Go Version: go1.14.1 Image Spec: 1.0.1-dev Runtime Spec: 1.0.1-dev CNI Spec: 0.4.0 libcni Version:
image Version: 5.4.3 Git Commit:
Built: Sat Apr 18 00:14:37 2020 OS/Arch: linux/amd64
system storage.conf
[storage]
Default Storage Driver driver = "overlay"
Temporary storage location runroot = "/var/run/containers/storage"
Primary Read/Write location of container storage graphroot = "/var/lib/containers/storage"
[storage.options] Storage options to be passed to underlying storage drivers
AdditionalImageStores is used to pass paths to additional Read/Only image stores Must be comma separated list. additionalimagestores = [ ]
Size is used to set a maximum size of the container image. Only supported by certain container storage drivers. size = ""
Path to an helper program to use for mounting the file system instead of mounting it directly. mount_program = "/usr/bin/fuse-overlayfs"
OverrideKernelCheck tells the driver to ignore kernel checks based on kernel version override_kernel_check = "true"
mountopt specifies comma separated list of extra mount options mountopt = "nodev,metacopy=on"
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to UIDs/GIDs as they should appear outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
remap-uids = 0:1668442479:65536 remap-gids = 0:1668442479:65536 Remap-User/Group is a name which can be used to look up one or more UID/GID ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting with an in-container ID of 0 and the a host-level ID taken from the lowest range that matches the specified name, and using the length of that range. Additional ranges are then assigned, using the ranges which specify the lowest host-level IDs first, to the lowest not-yet-mapped container-level ID, until all of the entries have been used for maps.
remap-user = "storage" remap-group = "storage"
[storage.options.thinpool] Storage Options for thinpool
autoextend_percent determines the amount by which pool needs to be grown. This is specified in terms of % of pool size. So a value of 20 means that when threshold is hit, pool will be grown by 20% of existing pool size. autoextend_percent = "20"
autoextend_threshold determines the pool extension threshold in terms of percentage of pool size. For example, if threshold is 60, that means when pool is 60% full, threshold has been hit. autoextend_threshold = "80"
basesize specifies the size to use when creating the base device, which limits the size of images and containers. basesize = "10G"
blocksize specifies a custom blocksize to use for the thin pool. blocksize="64k"
directlvm_device specifies a custom block storage device to use for the thin pool. Required if you setup devicemapper. directlvm_device = ""
directlvm_device_force wipes device even if device already has a filesystem. directlvm_device_force = "True"
fs specifies the filesystem type to use for the base device. fs="xfs"
log_level sets the log level of devicemapper. 0: LogLevelSuppress 0 (Default) 2: LogLevelFatal 3: LogLevelErr 4: LogLevelWarn 5: LogLevelNotice 6: LogLevelInfo 7: LogLevelDebug log_level = "7"
min_free_space specifies the min free space percent in a thin pool require for new device creation to succeed. Valid values are from 0% - 99%. Value 0% disables min_free_space = "10%"
mkfsarg specifies extra mkfs arguments to be used when creating the base. device. mkfsarg = ""
use_deferred_removal marks devicemapper block device for deferred removal. If the thinpool is in use when the driver attempts to remove it, the driver tells the kernel to remove it as soon as possible. Note this does not free up the disk space, use deferred deletion to fully remove the thinpool. use_deferred_removal = "True"
use_deferred_deletion marks thinpool device for deferred deletion. If the device is busy when the driver attempts to delete it, the driver will attempt to delete device every 30 seconds until successful. If the program using the driver exits, the driver will continue attempting to cleanup the next time the driver is used. Deferred deletion permanently deletes the device and all data stored in device will be lost. use_deferred_deletion = "True"
xfs_nospace_max_retries specifies the maximum number of retries XFS should attempt to complete IO when ENOSPC (no space) error is returned by underlying storage device. xfs_nospace_max_retries = "0"
If specified, use OSTree to deduplicate files with the overlay backend ostree_repo = ""
Set to skip a PRIVATE bind mount on the storage home directory. Only supported by certain container storage drivers skip_mount_home = "false"
rpmbuild storage.conf:
[storage] driver = "overlay" runroot = "/run/user/2100/containers" graphroot = "/home/rpmbuild/.local/share/containers/storage" [storage.options] size = "" remap-uids = "" remap-gids = "" ignore_chown_errors = "" remap-user = "" remap-group = "" skip_mount_home = "" mount_program = "/usr/bin/fuse-overlayfs" mountopt = "" [storage.options.aufs] mountopt = "" [storage.options.btrfs] min_space = "" size = "" [storage.options.thinpool] autoextend_percent = "" autoextend_threshold = "" basesize = "" blocksize = "" directlvm_device = "" directlvm_device_force = "" fs = "" log_level = "" min_free_space = "" mkfsarg = "" mountopt = "" size = "" use_deferred_deletion = "" use_deferred_removal = "" xfs_nospace_max_retries = "" [storage.options.overlay] ignore_chown_errors = "" mountopt = "" mount_program = "" size = "" skip_mount_home = "" [storage.options.vfs] ignore_chown_errors = "" [storage.options.zfs] mountopt = "" fsname = "" size = ""
Started to build a SELinux policy to address this - but AVCs stop showing up even with semodule -DB. That's quite frustrating when nothing is indicating what policies are missing. This allowed me to get the alpine image to show up in buildah. The process transition keeps showing up after I run the buildah commands, so I think that is a bit more complex. What I have so far:
policy_module(buildah, 1.0.0)
######################################## #
Declarations
type container_file_t; type container_runtime_t; type container_t; type staff_t;
######################################## #
buildah local policy
#
============= container_runtime_t ==============
allow container_runtime_t container_t:process transition;
============= staff_t ==============
allow staff_t container_file_t:chr_file { ioctl read write }; allow staff_t container_file_t:dir relabelto; allow staff_t container_file_t:file relabelto; allow staff_t container_runtime_t:process signull; allow staff_t self:cap_userns { chown dac_override dac_read_search fsetid setgid setuid };
files_create_boot_dirs(staff_t) files_mounton_rootfs(staff_t)
fs_mount_fusefs(staff_t) fs_unmount_fusefs(staff_t) fs_unmount_xattr_fs(staff_t)
FYI - this also affects podman as well. It will not run at all as the staff SEUSER with SELinux enabled...it just hangs. Have a sneaky suspicion the newuid/newgid mapping are also related. Works as root and as regular user with SElinux disabled.