Unable to create a container OCI permission denied - error mounting "/home/username/.local/share/containers/storage/volumes/somelongID/_data" to rootfs at "/sys/fs/selinux"

[ks1855]

Issue Description

Hello,

I created an image on a Fedora 40 workstation using distrobox (with podman). I saved the image to a .tar file using the podman save command.

Now, I am trying to load the image and run the container on EndeavourOS, but I'm getting an OCI permission denied error.

Steps to reproduce the issue

PLEASE NOTE: This issue might not be easily reproduced but these are steps I followed.

Steps:

1. Create image using distrobox (with podman) on Fedora 40
2. Save image to disk using podman save image > image.tar
3. Load image on EndeavourOS using podman load -i <image_name>

Describe the results you received

Error: unable to start container "1ff3f94bbcec42995cebda25cadb927430ba85c6aba5f2607b1c523cd7d3b6cf": runc: runc create failed: unable to start container process: error during container init: error mounting "/home/myuser/.local/share/containers/storage/volumes/b56ec40f76ee4754401372affd9064a194056f6e3b64fca5306caf090145d729/_data" to rootfs at "/sys/fs/selinux": create mountpoint for /sys/fs/selinux mount: mkdirat /home/myuser/.local/share/containers/storage/overlay/491486ce3d53e44cf9e0843aaaa261b4fc4c2e8a8be76c63eb9e66f1691e2a89/merged/sys/fs/selinux: permission denied: OCI permission denied

Describe the results you expected

I should be able to run the container when I run the command podman run <image_name> OR distrobox enter <image_name>.

podman info output

host: arch: amd64 buildahVersion: 1.37.5 cgroupControllers:

• memory
• pids cgroupManager: systemd cgroupVersion: v2 conmon: package: conmon-1:2.1.12-1 path: /usr/bin/conmon version: 'conmon version 2.1.12, commit: e8896631295ccb0bfdda4284f1751be19b483264' cpuUtilization: idlePercent: 91.98 systemPercent: 3.54 userPercent: 4.49 cpus: 8 databaseBackend: sqlite distribution: distribution: endeavouros version: unknown eventLogger: journald freeLocks: 2011 hostname: alienware idMappings: gidmap:
  • container_id: 0 host_id: 1000 size: 1
  • container_id: 1 host_id: 100000 size: 65536 uidmap:
  • container_id: 0 host_id: 1000 size: 1
  • container_id: 1 host_id: 100000 size: 65536 kernel: 6.6.59-1-lts linkmode: dynamic logDriver: journald memFree: 857059328 memTotal: 33524842496 networkBackend: netavark networkBackendInfo: backend: netavark dns: package: aardvark-dns-1.13.0-1 path: /usr/lib/podman/aardvark-dns version: aardvark-dns 1.13.0 package: netavark-1.13.0-1 path: /usr/lib/podman/netavark version: netavark 1.13.0 ociRuntime: name: runc package: runc-1.2.1-1 path: /usr/bin/runc version: |- runc version 1.2.1 spec: 1.2.0 go: go1.23.2 libseccomp: 2.5.5 os: linux pasta: executable: /usr/bin/pasta package: passt-2024_10_30.ee7d0b6-1 version: | pasta 2024_10_30.ee7d0b6 Copyright Red Hat GNU General Public License, version 2 or later https://www.gnu.org/licenses/old-licenses/gpl-2.0.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. remoteSocket: exists: false path: /run/user/1000/podman/podman.sock rootlessNetworkCmd: pasta security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: true seccompEnabled: true seccompProfilePath: /etc/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: "" package: "" version: "" swapFree: 0 swapTotal: 0 uptime: 1h 3m 9.00s (Approximately 0.04 days) variant: "" plugins: authorization: null log:
• k8s-file
• none
• passthrough
• journald network:
• bridge
• macvlan
• ipvlan volume:
• local registries: {} store: configFile: /home/myuser/.config/containers/storage.conf containerStore: number: 1 paused: 0 running: 0 stopped: 1 graphDriverName: overlay graphOptions: {} graphRoot: /home/myuser/.local/share/containers/storage graphRootAllocated: 732929458176 graphRootUsed: 33608515584 graphStatus: Backing Filesystem: btrfs Native Overlay Diff: "true" Supports d_type: "true" Supports shifting: "false" Supports volatile: "true" Using metacopy: "false" imageCopyTmpDir: /var/tmp imageStore: number: 1 runRoot: /run/user/1000/containers transientStore: false volumePath: /home/myuser/.local/share/containers/storage/volumes version: APIVersion: 5.2.5 Built: 1729537320 BuiltTime: Tue Oct 22 00:32:00 2024 GitCommit: 10c5aa720d59480bc7edad347c1f5d5b75d4424f GoVersion: go1.23.2 Os: linux OsArch: linux/amd64 Version: 5.2.5

PLEASE NOTE: I also used crun container runtime and I am still unable to get the container to run.

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

I do not have physical access to the machine I created the image on in order to get the podman version/info details from that machine. I created the image on a desktop PC running Fedora 40. I am trying to load and use that image on a laptop running EndeavourOS Neo.

[rhatdan]

Do you see any AVC messages in /var/log/audit/audit.log?

[ks1855]

Hello @rhatdan, thanks for your response.

I don't seem to have the audit.log file under /var/log/audit. I get the following message when I try to run cat /var/log/audit/audit.log: /var/log/audit/audit.log: No such file or directory

[rhatdan]

Ok, Looks like SELinux is not enabled on the system, so that was a red herring.

Any chance you could try crun instead of runc?

[ks1855]

@rhatdan, yes I can try with crun. In fact it was the first thing I tried but ran into the same issue. I later switched to runc hoping that would resolve the issue. But I can try again if required.

[rhatdan]

This looks like the permissions in your homedir are not correct.

Check the file ownership under "/home/myuser/.local/share/containers/storage/volumes/

[ks1855]

@rhatdan here is the output of ls -lah /home/myuser/.local/share/containers/storage/volumes/:

total 0 drwx------ 1 myuser myuser 1.9K Nov 8 19:58 . drwx------ 1 myuser myuser 262 Nov 8 22:43 .. drwx------ 1 100000 100000 10 Nov 8 18:57 0727d3fc526e33bf750d1260d3b1871e976e129eaa2c7cc2ed22698d01d0a2d6 drwx------ 1 100000 100000 10 Nov 8 19:58 07a6a2ed242bfb6294a8042b13b3b84907a452f1e81b3d09a8be254f19eea452 drwx------ 1 100000 100000 10 Nov 7 23:24 0a3c6f439eca9e6ab471259fc0a4f0a7054f226d553908cb0d10f9e12abba6e6 drwx------ 1 100000 100000 10 Nov 7 23:11 2c6e5efd1e9b61d64f1c889e16f1834abf66fe7f800886f6330dca200c8b48d2 drwx------ 1 100000 100000 10 Nov 8 18:57 301b75a94988904360abb8fb7801ca47b67f0aea3df0da733266ad48c8cea7b9 drwx------ 1 100000 100000 10 Nov 8 18:12 36ef740423a05d8b248f7470f03b10475f3c49ebc0296d31f72da942ed15f9e9 drwx------ 1 100000 100000 10 Nov 7 23:24 3feb7a979e98c13b98de0e417f33fad82fbee85d4bb70a673747ffde44fab86c drwx------ 1 100000 100000 10 Nov 8 19:46 45f3f5a2730d8c9815a56c7c39459f8f505f374226524d9a9d450a2e1f535594 drwx------ 1 myuser myuser 10 Nov 8 18:07 815fecee8125e515245ee698148d52d9182ae2a4c0904f09478fee48cf22e152 drwx------ 1 myuser myuser 10 Nov 8 18:07 a898152d23b10380ce9fc2b658f9a52b8ba936efaaa76fc82fa29cfdcaaeac85 drwx------ 1 myuser myuser 10 Nov 8 18:07 b0916fe46913f235bf856e997e34b257c796eaa5daa3d610ff8676c89232e6e2 drwx------ 1 100000 100000 10 Nov 8 19:58 d46534760a49e3a6e763a0f2308b0aad5584184b6b5f417c2e13dd7b992a0547 drwx------ 1 100000 100000 10 Nov 8 18:12 dfb41ec38d5ff25c246a99636e4488121c182f695a052b9c81fdce3b9c3f2c56 drwx------ 1 100000 100000 10 Nov 7 23:11 ed65a47e205959c5f6a43f4fd29ed8ce9d5d506a4ec70e6f8027f58869b5d035 drwx------ 1 100000 100000 10 Nov 8 19:46 fc7f32094746a7985fc3dc1e5942a608ff0a8440ae8ea92c27dfca33ef47ab72

[ks1855]

@rhatdan Do I have to modify the permissions of the /home/myuser/.local/share/containers/storage/volumes/ directory?