SELinux issues with podman build --platform linux/arm64

[jdoss]

Issue Description

I am tasked with building some packages for arm64 and while I can do the following just fine:

sudo dnf install qemu-user-static.x86_64 qemu-user-static-aarch64.x86_64
sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes
$ cat /proc/sys/fs/binfmt_misc/qemu-aarch64
enabled
interpreter /usr/bin/qemu-aarch64-static
flags: F
offset 0
magic 7f454c460201010000000000000000000200b700
mask ffffffffffffff00fffffffffffffffffeffffff
$ podman run --rm --arch arm64 --privileged ubi9/ubi uname -m
aarch64

I cannot use podman build without getting the following SELinux denials.

podman build  --platform linux/arm64  -t container-deb-builder:24.04 -f Dockerfile-ubuntu-24.04 .

Feb 13 16:03:03 hadron audit[2842690]: AVC avc:  denied  { read } for  pid=2842690 comm="apt-get" name="qemu-aarch64-static" dev="overlay" ino=9104774 scontext=system_u:system_r:container_t:s0:c268,c932 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=file permissive=1
Feb 13 16:03:03 hadron audit[2842690]: AVC avc:  denied  { execute } for  pid=2842690 comm="dpkg" path="/usr/bin/qemu-aarch64-static" dev="overlay" ino=9104774 scontext=system_u:system_r:container_t:s0:c268,c932 tcontext=system_u:object_r:container_file_t:s0:c1022,c1023 tclass=file permissive=1

Disabling SELinux allows for the container to be built.

Steps to reproduce the issue

See above.

Describe the results you received

Describe the results you received

Describe the results you expected

A built arm64 container.

podman info output

host:
  arch: amd64
  buildahVersion: 1.38.1
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 95.99
    systemPercent: 0.85
    userPercent: 3.16
  cpus: 64
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "41"
  eventLogger: journald
  freeLocks: 1965
  hostname: hadron
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.12.11-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 49489223680
  memTotal: 270033772544
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250121.g4f2c8e7-2.fc41.x86_64
    version: |
      pasta 0^20250121.g4f2c8e7-2.fc41.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 74h 38m 34.00s (Approximately 3.08 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/jdoss/.config/containers/storage.conf
  containerStore:
    number: 54
    paused: 0
    running: 37
    stopped: 17
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /home/jdoss/.local/share/containers/storage
  graphRootAllocated: 4000762036224
  graphRootUsed: 1651358040064
  graphStatus:
    Build Version: Btrfs v6.12
    Library Version: "104"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1790
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/jdoss/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1737504000
  BuiltTime: Tue Jan 21 18:00:00 2025
  GitCommit: ""
  GoVersion: go1.23.4
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

$ rpm -qa |grep podman
podman-bootc-v0.1.1~123~g96bfc8f-1.20241210141826117469.main.123.96bfc8f.fc41.x86_64
podman-5.3.2-1.fc41.x86_64
podman-machine-5.3.2-1.fc41.x86_64
podman-docker-5.3.2-1.fc41.noarch
$ rpm -qa |grep container-selinux
container-selinux-2.234.2-1.fc41.noarch

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[baude]

how about providing the contents of Dockerfile-ubuntu-24.04 ?

[jdoss]

It's a pretty simple one @baude. Here yah go.

FROM ubuntu:24.04

ARG DEBIAN_FRONTEND=noninteractive
ENV DEB_BUILD_OPTIONS=nocheck

RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list
RUN echo 'man-db man-db/auto-update boolean false' | debconf-set-selections
RUN set -ex \
    && apt-get update \
    && apt-get upgrade -y --no-install-recommends \
    && apt-get install -y --no-install-recommends \
               build-essential \
               cdbs \
               devscripts \
               equivs \
               fakeroot \
               uidmap \
    && apt-mark minimize-manual -y \
    && apt-get autopurge -y \
    && apt-get clean
RUN rm /etc/apt/apt.conf.d/docker-clean
RUN rm -rf /tmp/* /var/tmp/
RUN ln -s /tmp /var/tmp

[baude]

Using the provided Containerfile and podman from main, i was not able to reproduce this:

  BuiltTime: Wed Feb 12 13:37:01 2025
  GitCommit: 5d358a475ee9ab555067d715567ef562958f0003
  GoVersion: go1.23.6
  Os: linux
  OsArch: linux/amd64
  Version: 5.5.0-dev

NAME="Fedora Linux"
VERSION="41 (Workstation Edition)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=41

Here is the build log.

log.gz

[jdoss]

That is very weird. This only happens when I try to build a container. Running a contianer with a different arch works fine.

jdoss@hadron:~$ podman run --rm --arch arm64 --privileged ubi9/ubi uname -m
aarch64
jdoss@hadron:~$ getenforce
Enforcing