ansible-bender
Can't run simple-playbook in Vagrant with SELinux enabled
Further details on SELinux issue mentioned in #121
Running the following command in the Vagrant machine:
sudo ansible-bender build simple-playbook.yaml
resulted in:
There was an error during execution: Command '['podman', 'run', '--rm', 'python:3-alpine', 'true']' returned non-zero exit status 139.
[vagrant@ansible-bender-dev ~]$ buildah info
{
    "host": {
        "Distribution": {
            "distribution": "fedora",
            "version": "29"
        },
        "MemTotal": 503762944,
        "MenFree": 155328512,
        "SwapFree": 0,
        "SwapTotal": 0,
        "arch": "amd64",
        "cpus": 1,
        "hostname": "ansible-bender-dev.example.com",
        "kernel": "4.18.16-300.fc29.x86_64",
        "os": "linux",
        "rootless": true,
        "uptime": "2h 50m 47.79s (Approximately 0.08 days)"
    },
    "store": {
        "ContainerStore": {
            "number": 1
        },
        "GraphDriverName": "overlay",
        "GraphOptions": [
            "overlay.mount_program=/usr/bin/fuse-overlayfs"
        ],
        "GraphRoot": "/home/vagrant/.local/share/containers/storage",
        "GraphStatus": {
            "Backing Filesystem": "extfs",
            "Native Overlay Diff": "false",
            "Supports d_type": "true",
            "Using metacopy": "false"
        },
        "ImageStore": {
            "number": 1
        },
        "RunRoot": "/run/user/1000"
    }
}
[vagrant@ansible-bender-dev ~]$ podman info
host:
  BuildahVersion: 1.7.2
  Conmon:
    package: podman-1.2.0-2.git3bd528e.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: d88bb0e63cb70f9787a8e410716924f380af361f'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 149860352
  MemTotal: 503762944
  OCIRuntime:
    package: runc-1.0.0-85.dev.gitdd22a84.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: 1d3f73d4086533a858613bc4b6af2b5e882f4730
      spec: 1.0.1-dev
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 1
  hostname: ansible-bender-dev.example.com
  kernel: 4.18.16-300.fc29.x86_64
  os: linux
  rootless: true
  uptime: 2h 51m 5.66s (Approximately 0.08 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/vagrant/.config/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/vagrant/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /run/user/1000
  VolumePath: /home/vagrant/.local/share/containers/storage/volumes
[vagrant@ansible-bender-dev ~]$ rpm -qa |grep container-selinux
container-selinux-2.95-1.gite3ebc68.fc29.noarch
[vagrant@ansible-bender-dev ~]$ sudo ausearch -m avc -ts recent
----
time->Thu Apr 25 10:18:25 2019
type=AVC msg=audit(1556187505.638:1647): avc: denied { read write } for pid=9569 comm="true" path="/dev/null" dev="tmpfs" ino=54732 scontext=system_u:system_r:container_t:s0:c562,c671 tcontext=system_u:object_r:container_file_t:s0:c562,c671 tclass=chr_file permissive=0
----
time->Thu Apr 25 10:18:25 2019
type=AVC msg=audit(1556187505.638:1648): avc: denied { map } for pid=9569 comm="true" path="/bin/busybox" dev="sda1" ino=398009 scontext=system_u:system_r:container_t:s0:c562,c671 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
Looks like a straight-up SELinux issue, though there's been no specific podman configuration.
podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
-e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
-e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
registry.fedoraproject.org/f27/httpd /usr/bin/run-httpd
[vagrant@ansible-bender-dev ~]$ sudo ausearch -m avc -ts recent
----
time->Thu Apr 25 10:29:09 2019
type=AVC msg=audit(1556188149.018:1679): avc: denied { read write } for pid=9722 comm="container-entry" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c573,c587 tcontext=system_u:object_r:container_file_t:s0:c573,c587 tclass=chr_file permissive=0
----
time->Thu Apr 25 10:29:09 2019
type=AVC msg=audit(1556188149.018:1680): avc: denied { read write } for pid=9722 comm="container-entry" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c573,c587 tcontext=system_u:object_r:container_file_t:s0:c573,c587 tclass=chr_file permissive=0
----
time->Thu Apr 25 10:29:09 2019
type=AVC msg=audit(1556188149.018:1681): avc: denied { read write } for pid=9722 comm="container-entry" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c573,c587 tcontext=system_u:object_r:container_file_t:s0:c573,c587 tclass=chr_file permissive=0
----
time->Thu Apr 25 10:29:09 2019
type=AVC msg=audit(1556188149.018:1682): avc: denied { read write } for pid=9722 comm="container-entry" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c573,c587 tcontext=system_u:object_r:container_file_t:s0:c573,c587 tclass=chr_file permissive=0
----
time->Thu Apr 25 10:29:09 2019
type=AVC msg=audit(1556188149.018:1683): avc: denied { map } for pid=9722 comm="container-entry" path="/usr/bin/bash" dev="fuse" ino=272102 scontext=system_u:system_r:container_t:s0:c573,c587 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
It seems the usual thing to try is this:
dnf -y reinstall container-selinux
restorecon -R -v /var/lib/containers
as suggested in containers/libpod/issues/1304, containers/libpod/issues/1796 and containers/buildah#1152, but in this case that doesn't seem to fix the issue, and the 'fix' itself is failing, which points to an issue with container-selinux:
Running transaction
  Preparing        :                                                      1/1
  Installed: container-selinux-2:2.95-1.gite3ebc68.fc29.noarch
  Installing       : container-selinux-2:2.95-1.gite3ebc68.fc29.noarch   1/1
  Running scriptlet: container-selinux-2:2.95-1.gite3ebc68.fc29.noarch   1/1
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code -1.
/usr/sbin/semodule: Failed!
  Installed: container-selinux-2:2.95-1.gite3ebc68.fc29.noarch
  Verifying        : container-selinux-2:2.95-1.gite3ebc68.fc29.noarch   1/1

Installed:
  container-selinux-2:2.95-1.gite3ebc68.fc29.noarch
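As an added triage example (not code from ansible-bender, podman or container-selinux), this parses AVC lines like the ones in the report above and separates denials where the target already carries a matching container label (a policy problem, consistent with semodule failing) from denials on files labelled user_tmp_t or fusefs_t (a labelling problem), and decodes the exit status 139. The sample lines are constructed from this report; the label set and the verdict wording are the example's own assumptions.

```python
"""Triage SELinux AVC denials from `ausearch -m avc` output (added example)."""
import re
import signal

# Constructed sample, shaped like the denials in this report.
SAMPLE = """
type=AVC msg=audit(1556187505.638:1647): avc: denied { read write } for pid=9569 comm="true" path="/dev/null" dev="tmpfs" ino=54732 scontext=system_u:system_r:container_t:s0:c562,c671 tcontext=system_u:object_r:container_file_t:s0:c562,c671 tclass=chr_file permissive=0
type=AVC msg=audit(1556187505.638:1648): avc: denied { map } for pid=9569 comm="true" path="/bin/busybox" dev="sda1" ino=398009 scontext=system_u:system_r:container_t:s0:c562,c671 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556188149.018:1683): avc: denied { map } for pid=9722 comm="container-entry" path="/usr/bin/bash" dev="fuse" ino=272102 scontext=system_u:system_r:container_t:s0:c573,c587 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?path="(?P<path>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed set of labels container-selinux lets a confined container_t process touch.
CONTAINER_LABELS = {"container_file_t", "container_share_t"}

def split_context(ctx):
    """Return (type, level) from user:role:type:level; level may carry MCS categories."""
    parts = ctx.split(":", 3)
    return parts[2], (parts[3] if len(parts) > 3 else "")

def triage(line):
    """Classify one AVC line; None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, slevel = split_context(m["scontext"])
    ttype, tlevel = split_context(m["tcontext"])
    perms = m["perms"].split()
    if stype != "container_t":
        verdict = "not a container denial"
    elif ttype in CONTAINER_LABELS and tlevel == slevel:
        # Right label and matching categories, still denied: the allow rules are missing.
        verdict = "policy problem"
    else:
        # Target wears a non-container label: relabel the storage or the mount.
        verdict = "labelling problem"
    # A denied map on the executable itself usually kills the process with SIGSEGV.
    return {"path": m["path"], "perms": perms, "ttype": ttype, "verdict": verdict,
            "segfault_likely": "map" in perms and m["tclass"] == "file"}

def triage_all(text):
    return [r for r in (triage(l) for l in text.splitlines()) if r]

def signal_from_exit(status):
    """Decode a shell exit status above 128 into the signal name (139 -> SIGSEGV)."""
    return signal.Signals(status - 128).name if status > 128 else None
```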
oh my...
feel free to open a new issue for podman
I saw there was an SELinux issue opened recently: https://github.com/containers/libpod/issues/2984 but seems unrelated to this one.
Done.