Podman containers broken in Silverblue 35.20220222.0 / container-selinux 2.177.0-1.fc35?

Hi all!

This morning, I upgraded Silverblue from 35.20220217.0 (2022-02-17T02:42:26Z) to 35.20220222.0 (2022-02-22T03:30:21Z) and it seems that podman and toolbx are now broken on my system.

I did a diff of the packages that are installed with:

rpm-ostree db diff 032a54c9c6d3d0aa348ae5a43e2f69465a63a96db84e6aaa4984ab55c06c15e7 83726b81a2e5d5a2464dbdcf2b34d74bf6ca022dab281ca361adbcdfa6d2efec

And it returns:

ostree diff commit from: 032a54c9c6d3d0aa348ae5a43e2f69465a63a96db84e6aaa4984ab55c06c15e7
ostree diff commit to:   83726b81a2e5d5a2464dbdcf2b34d74bf6ca022dab281ca361adbcdfa6d2efec
Upgraded:
  audit 3.0.7-1.fc35 -> 3.0.7-2.fc35
  audit-libs 3.0.7-1.fc35 -> 3.0.7-2.fc35
  btrfs-progs 5.16.1-1.fc35 -> 5.16.2-1.fc35
  container-selinux 2:2.173.1-1.fc35 -> 2:2.177.0-1.fc35
  containers-common 4:1-41.fc35 -> 4:1-45.fc35
  flatpak 1.12.4-1.fc35 -> 1.12.5-1.fc35
  flatpak-libs 1.12.4-1.fc35 -> 1.12.5-1.fc35
  flatpak-selinux 1.12.4-1.fc35 -> 1.12.5-1.fc35
  flatpak-session-helper 1.12.4-1.fc35 -> 1.12.5-1.fc35
  gnome-initial-setup 41.2-1.fc35 -> 41.4-1.fc35
  gnome-user-docs 41.1-1.fc35 -> 41.2-1.fc35
  gtk4 4.4.1-1.fc35 -> 4.4.2-1.fc35
  initscripts-service 10.14-1.fc35 -> 10.15-1.fc35
  libgee 0.20.4-2.fc35 -> 0.20.5-1.fc35
  libibverbs 38.1-2.fc35 -> 39.0-1.fc35
  librsvg2 2.52.5-1.fc35 -> 2.52.6-1.fc35
  osinfo-db 20211216-1.fc35 -> 20220214-1.fc35
  pcsc-lite-ccid 1.4.36-2.fc35 -> 1.5.0-1.fc35
  pipewire 0.3.45-2.fc35 -> 0.3.47-1.fc35
  pipewire-alsa 0.3.45-2.fc35 -> 0.3.47-1.fc35
  pipewire-gstreamer 0.3.45-2.fc35 -> 0.3.47-1.fc35
  pipewire-jack-audio-connection-kit 0.3.45-2.fc35 -> 0.3.47-1.fc35
  pipewire-libs 0.3.45-2.fc35 -> 0.3.47-1.fc35
  pipewire-pulseaudio 0.3.45-2.fc35 -> 0.3.47-1.fc35
  pipewire-utils 0.3.45-2.fc35 -> 0.3.47-1.fc35
  polkit 0.120-1.fc35.1 -> 0.120-1.fc35.2
  polkit-libs 0.120-1.fc35.1 -> 0.120-1.fc35.2
  python3-audit 3.0.7-1.fc35 -> 3.0.7-2.fc35
  qt5-qtwayland 5.15.2-18.fc35 -> 5.15.2-21.fc35
  spice-vdagent 0.21.0-5.fc35 -> 0.22.1-1.fc35
  thermald 2.4.8-1.fc35 -> 2.4.8-3.fc35
  uresourced 0.4.0-2.fc35 -> 0.4.1-1.fc35
  webkit2gtk3 2.34.5-1.fc35 -> 2.34.6-1.fc35
  webkit2gtk3-jsc 2.34.5-1.fc35 -> 2.34.6-1.fc35

I tried running a simple test:

$ podman run -it fedora sh
Error: fork/exec /usr/bin/conmon: permission denied

As it’s a permission issue, and container-selinux was upgraded, I tried sudo setenforce 0 to check if it’s SELinux-related. Podman worked (and also toolbx, which requires podman to work).

(Workarounds are to either roll back to a previous deployment or sudo setenforce 0 — neither of which are great.)

Can anyone else confirm that this is a problem on their system as well?

As of right now, it looks like container support is broken in Fedora 35 due to this update. :frowning_face:

There’s a bug at “Error: fork/exec /usr/bin/conmon: permission denied” (issue #170 in containers/container-selinux on GitHub) that looks related.

I commented on it, even though it’s closed (as it’s the same bug and I would rather have an issue reopened than a duplicate): containers/container-selinux issue #170 on GitHub.
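A defender-side triage helper, added here as an example and not part of this thread or of podman, toolbx or container-selinux themselves: it pulls the AVC denial for a named binary out of audit records, and with --triage on the affected host it compares conmon’s current label with what the loaded policy expects, so the failure can be explained without setting the whole system permissive. The sample audit records and their contexts are constructed for illustration, and the live checks assume the standard Fedora tools (getenforce, matchpathcon, restorecon, ausearch) are installed.

```shell
#!/bin/sh
# Added example, not from the thread: triage "fork/exec /usr/bin/conmon:
# permission denied" under SELinux without switching the host to permissive.
# Part 1 parses audit records; part 2 runs the live checks on the host.

# avc_denials NAME   (audit records on stdin)
# Print "perm scontext tcontext tclass" for each AVC denial whose target
# object is NAME; return 1 when there is none.
avc_denials() {
    name=$1 found=1
    while IFS= read -r line; do
        case $line in
            *avc:*denied*name=\"$name\"*) ;;
            *) continue ;;
        esac
        found=0
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
        scon=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tcon=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        printf '%s %s %s %s\n' "$perm" "$scon" "$tcon" "$tclass"
    done
    return $found
}

# Live checks for the affected host (read-only; -n makes restorecon report
# without relabelling). Reading the audit log normally needs root.
triage_conmon() {
    bin=/usr/bin/conmon
    echo "SELinux mode:    $(getenforce 2>/dev/null || echo unknown)"
    echo "policy package:  $(rpm -q container-selinux 2>/dev/null)"
    echo "current label:   $(ls -Z "$bin" 2>/dev/null)"
    echo "expected label:  $(matchpathcon "$bin" 2>/dev/null)"
    restorecon -nv "$bin" 2>/dev/null || true
    ausearch -m AVC -ts recent 2>/dev/null | avc_denials conmon \
        || echo "no AVC denial naming conmon in the last 10 minutes"
}

# Constructed sample records (illustrative contexts, not a real capture):
# one unrelated SYSCALL record and one execute denial on conmon.
SAMPLE_AVC='type=SYSCALL msg=audit(1645520000.100:455): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1645520000.123:456): avc:  denied  { execute } for  pid=1234 comm="podman" name="conmon" dev="overlay" ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0'

if [ "${1:-}" = "--triage" ]; then
    triage_conmon
else
    printf '%s\n' "$SAMPLE_AVC" | avc_denials conmon
fi
```

A mismatch between the current and expected label points at a file-context problem that restorecon fixes; a denial with matching labels points at a missing rule in the new policy version, which is what the upstream issue is for.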

Hello @garrett,
Long time since we have commented on the same topic. I am running Fedora Linux Rawhide (Silverblue) and can start my F35 container with my current toolbox and podman by entering toolbox enter fedora-toolbox-35, which is the default container naming. I can do the same with the F36 toolbox container and another one I created for some embedded dev work that was built on top of a running F35 toolbox container that I took an image of. The only issues I encounter are more related to my choice of using Fish for the shell on my system.
My booted deployment is …

State: idle
BootedDeployment:
● fedora:fedora/rawhide/x86_64/silverblue
                   Version: Rawhide.20220220.n.0 (2022-02-20T05:57:15Z)
                BaseCommit: 435b6fa3985d5661f28c60bb34ee73619809a282e5bb0fada1a8b1c02fa01f8c
              GPGSignature: Valid signature by ACB5EE4E831C74BB7C168D27F55AD3FB5323552A
       RemovedBasePackages: power-profiles-daemon 0.10.1-3.fc36
           LayeredPackages: bat dutree exa fd-find fish fzf gstreamer1-plugin-openh264 guake
                            java-latest-openjdk-devel java-latest-openjdk-jmods maven sd
                            tldr tokei tuned vim vim-enhanced wireguard-tools

Hi again @jakfrost! Thanks for your reply here!

What mode is SELinux in on your system?

You can check with getenforce (which should work on your user account and not need sudo). For reference, mine’s Enforcing on 35.20220217.0 (2022-02-17T02:42:26Z), but I had to run sudo setenforce 0 to get containers working on F35 from 2022-02-22.

Also, which version of container-selinux do you have? I see you’re on rawhide from a few days ago. Perhaps the package is an older one still? Please share what rpm -q container-selinux shows.

Thanks!

Hello @garrett,
getenforce shows Enforcing
and …
container-selinux-2.178.0-1.fc37.noarch

Yeah, I have been running rawhide for a while. I like the near bleeding edge, but really it’s pretty stable with minor inconveniences. I think of bleeding edge as rolling my own kernel; thankfully I haven’t had to do this (in recent years) since I became a Fedora user so long ago.
If there is anything else you need me to check for you, just let me know.