Closed
Description
Issue Description
I am tasked with building some packages for arm64 and while I can do the following just fine:
sudo dnf install qemu-user-static.x86_64 qemu-user-static-aarch64.x86_64
sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes
$ cat /proc/sys/fs/binfmt_misc/qemu-aarch64
enabled
interpreter /usr/bin/qemu-aarch64-static
flags: F
offset 0
magic 7f454c460201010000000000000000000200b700
mask ffffffffffffff00fffffffffffffffffeffffff
$ podman run --rm --arch arm64 --privileged ubi9/ubi uname -m
aarch64
I cannot use podman build without getting the following SELinux denials.
podman build --platform linux/arm64 -t container-deb-builder:24.04 -f Dockerfile-ubuntu-24.04 .
Feb 13 16:03:03 hadron audit[2842690]: AVC avc: denied { read } for pid=2842690 comm="apt-get" name="qemu-aarch64-static" dev="overlay" ino=9104774 scontext=system_u:system_r:container_t:s0:c268,c932 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=file permissive=1
Feb 13 16:03:03 hadron audit[2842690]: AVC avc: denied { execute } for pid=2842690 comm="dpkg" path="/usr/bin/qemu-aarch64-static" dev="overlay" ino=9104774 scontext=system_u:system_r:container_t:s0:c268,c932 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=file permissive=1
Disabling SELinux allows for the container to be built.
Steps to reproduce the issue
See above.
Describe the results you received
Describe the results you expected
A built arm64 container.
podman info output
host:
  arch: amd64
  buildahVersion: 1.38.1
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 95.99
    systemPercent: 0.85
    userPercent: 3.16
  cpus: 64
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "41"
  eventLogger: journald
  freeLocks: 1965
  hostname: hadron
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.12.11-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 49489223680
  memTotal: 270033772544
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250121.g4f2c8e7-2.fc41.x86_64
    version: |
      pasta 0^20250121.g4f2c8e7-2.fc41.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 74h 38m 34.00s (Approximately 3.08 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/jdoss/.config/containers/storage.conf
  containerStore:
    number: 54
    paused: 0
    running: 37
    stopped: 17
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /home/jdoss/.local/share/containers/storage
  graphRootAllocated: 4000762036224
  graphRootUsed: 1651358040064
  graphStatus:
    Build Version: Btrfs v6.12
    Library Version: "104"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1790
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/jdoss/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1737504000
  BuiltTime: Tue Jan 21 18:00:00 2025
  GitCommit: ""
  GoVersion: go1.23.4
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.2
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
$ rpm -qa |grep podman
podman-bootc-v0.1.1~123~g96bfc8f-1.20241210141826117469.main.123.96bfc8f.fc41.x86_64
podman-5.3.2-1.fc41.x86_64
podman-machine-5.3.2-1.fc41.x86_64
podman-docker-5.3.2-1.fc41.noarch
$ rpm -qa |grep container-selinux
container-selinux-2.234.2-1.fc41.noarch
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting
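The two AVC lines in the report are a subject of container_t with categories c268,c932 touching a container_file_t object labelled c1022,c1023. Under the MCS policy that ships with container-selinux, container_t may read and execute container_file_t only when the process's category set dominates (is a superset of) the file's, so the type pair is fine and the category pair is what fails. The script below is an added triage helper written for this thread, not code from the report, podman, or container-selinux: it parses audit AVC lines of the shape quoted above, splits each context into type and MCS categories, and flags denials where the categories alone explain the denial. The sample input is the two lines from the report embedded verbatim; any other names (the `triage` function, the `Denial` dataclass) are this example's own.

```python
"""Triage SELinux AVC denials for MCS category mismatches.

Added example for this issue thread (not part of the report or of
podman/container-selinux). Parses audit AVC lines and reports whether the
subject's and object's MCS categories differ, which is what makes a
container_t process fail against a container_file_t file even though the
type-to-type rule is allowed.
"""
import re
from dataclasses import dataclass

# Sample input: the two AVC lines quoted in the report, embedded verbatim.
SAMPLE_AVC = """\
Feb 13 16:03:03 hadron audit[2842690]: AVC avc: denied { read } for pid=2842690 comm="apt-get" name="qemu-aarch64-static" dev="overlay" ino=9104774 scontext=system_u:system_r:container_t:s0:c268,c932 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=file permissive=1
Feb 13 16:03:03 hadron audit[2842690]: AVC avc: denied { execute } for pid=2842690 comm="dpkg" path="/usr/bin/qemu-aarch64-static" dev="overlay" ino=9104774 scontext=system_u:system_r:container_t:s0:c268,c932 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
# Generic key=value (quoted or bare) extractor for comm=, path=, name=, ...
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Context:
    user: str
    role: str
    type: str
    level: str               # sensitivity, e.g. "s0"
    categories: frozenset    # e.g. {"c268", "c932"}; empty for plain s0


def parse_context(ctx: str) -> Context:
    """Split user:role:type:level[:categories]; a range like c0.c1023 is expanded."""
    user, role, typ, *rest = ctx.split(":")
    level = rest[0] if rest else "s0"
    cats = set()
    if len(rest) > 1:
        for item in rest[1].split(","):
            if "." in item:  # cN.cM means every category from N to M inclusive
                lo, hi = (int(x[1:]) for x in item.split("."))
                cats.update(f"c{i}" for i in range(lo, hi + 1))
            else:
                cats.add(item)
    return Context(user, role, typ, level, frozenset(cats))


@dataclass
class Denial:
    perms: tuple
    comm: str
    path: str
    scontext: Context
    tcontext: Context
    tclass: str
    permissive: bool   # permissive=1 means the access was logged but allowed


def parse_avc(line: str):
    """Return a Denial for an AVC 'denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return Denial(
        perms=tuple(m["perms"].split()),
        comm=kv.get("comm", ""),
        path=kv.get("path") or kv.get("name", ""),   # execute AVCs carry path=, read AVCs only name=
        scontext=parse_context(m["scontext"]),
        tcontext=parse_context(m["tcontext"]),
        tclass=m["tclass"],
        permissive=m["permissive"] == "1",
    )


def mcs_mismatch(d: Denial) -> bool:
    """True when the subject's categories do not dominate the object's.

    MCS grants access only if the process's category set is a superset of the
    file's. A container with two random categories touching a file labelled with
    a different pair is therefore denied regardless of the type rule.
    """
    return not d.scontext.categories >= d.tcontext.categories


def triage(log_text: str) -> list:
    """Summarise every AVC denial in log_text as a dict for quick inspection."""
    findings = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        findings.append({
            "comm": d.comm,
            "perms": d.perms,
            "path": d.path,
            "tclass": d.tclass,
            "stype": d.scontext.type,
            "ttype": d.tcontext.type,
            "mcs_mismatch": mcs_mismatch(d),
            "enforced": not d.permissive,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AVC):
        print(finding)
```

Running it over the report's two lines flags both as an MCS mismatch (container_t vs container_file_t with disjoint category pairs) and as logged under permissive=1, so the categories on the overlay copy of qemu-aarch64-static are the thing to compare against the build container's label; a denial where the categories already match would instead point at the type rule itself. Feed it `journalctl -k` or `ausearch -m avc` output to triage a longer log the same way.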