Trying to run or build an image with Podman gives error: error while loading shared libraries: /lib/x86_64-linux-gnu/libc.so.6: cannot apply additional memory protection after relocation: Permission denied

Hi. I was previously able to run Podman images, and a couple days ago, I started getting the following error trying to run or build any podman image: `error while loading shared libraries: /lib/x86_64-linux-gnu/libc.so.6: cannot apply additional memory protection after relocation: Permission denied`

I have been using the Deno image as documented on Deno’s documentation. I did deno run await.js, and then I did deno run awa and I pressed tab to autocomplete, and the terminal gave some errors:

$ deno run awaibash: /tini:: No such file or directory
bash: /tini:: No such file or directory
bash: /tini:: No such file or directory
bash: /tini:: No such file or directory
t.js <CR>
/tini: error while loading shared libraries: /lib/x86_64-linux-gnu/libc.so.6: cannot apply additional memory protection after relocation: Permission denied

I don’t know what changed.

Here is my system info:

Operating System: Fedora Linux 42
KDE Plasma Version: 6.5.1
KDE Frameworks Version: 6.19.0
Qt Version: 6.9.3
Kernel Version: 6.17.6-200.fc42.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i5-8350U CPU @ 1.70GHz
Memory: 16 GiB of RAM (15.5 GiB usable)
Graphics Processor: Intel® UHD Graphics 620
Manufacturer: LENOVO
Product Name: 20L6S07G00
System Version: ThinkPad T480

 rpm-ostree status
State: idle
Deployments:
● fedora:fedora/42/x86_64/kinoite
                  Version: 42.20251104.0 (2025-11-04T04:30:32Z)
               BaseCommit: 7eaf25070738ec94f92d4221eebb58fb16a056e09347cf3007d2a1f2c5d205dc
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
          LayeredPackages: mullvad-vpn
            LocalPackages: megasync-5.7.0-4.1.x86_64

Podman version:

$ podman version 
Client:        Podman Engine
Version:       5.6.2
API Version:   5.6.2
Go Version:    go1.24.7
Git Commit:    9dd5e1ed33830612bc200d7a13db00af6ab865a4
Built:         Mon Sep 29 20:00:00 2025
Build Origin:  Fedora Project
OS/Arch:       linux/amd64

Podman info:

$ podman info
host:
  arch: amd64
  buildahVersion: 1.41.5
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc42.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 98.86
    systemPercent: 0.38
    userPercent: 0.76
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: kinoite
    version: "42"
  emulatedArchitectures:
  - linux/arm64
  - linux/arm64be
  eventLogger: journald
  freeLocks: 2047
  hostname: EarthMkII
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.17.6-200.fc42.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 629284864
  memTotal: 16628572160
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.16.0-1.fc42.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.16.0
    package: netavark-1.16.1-1.fc42.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.16.1
  ociRuntime:
    name: crun
    package: crun-1.24-1.fc42.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.24
      commit: 54693209039e5e04cbe3c8b1cd5fe2301219f0a1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250919.g623dbf6-1.fc42.x86_64
    version: |
      pasta 0^20250919.g623dbf6-1.fc42.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-2.fc42.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 8589901824
  swapTotal: 8589930496
  uptime: 74h 38m 18.00s (Approximately 3.08 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /var/home/eric/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/eric/.local/share/containers/storage
  graphRootAllocated: 510389125120
  graphRootUsed: 182607110144
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 7
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/eric/.local/share/containers/storage/volumes
version:
  APIVersion: 5.6.2
  BuildOrigin: Fedora Project
  Built: 1759190400
  BuiltTime: Mon Sep 29 20:00:00 2025
  GitCommit: 9dd5e1ed33830612bc200d7a13db00af6ab865a4
  GoVersion: go1.24.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.6.2

I found this podman issue, but it’s a few years old. It suggested doing a podman system reset, but that has not helped.

What other info can I provide for this? Thank you!

Have you tried the SELinux diagnostics / fixes suggested there? (SELinux doesn’t seem to be the cause in all cases, but worth a try.)

For example does journalctl -b 0 | grep AVC (change the -b value if you want to see issues from a previous boot) show anything relevant?

I haven’t tried any of the SELinux diagnostics yet. I’ll go look at that again.

Meanwhile, I do get this from the journalctl:

Nov 07 09:45:52 EarthMkII audit[44687]: AVC avc:  denied  { read } for  pid=44687 comm="tini" path="/usr/lib/x86_64-linux-gnu/libc.so.6" dev="dm-0" ino=7663984 scontext=system_u:system_r:container_t:s0:c2,c541 tcontext=unconfined_u:object_r:container_file_t:s0:c392,c577 tclass=file permissive=0

Another thing is that the system can’t seem to find libc.so.6, though that doesn’t seem to be what podman is complaining about.

$ ls -lZ /usr/lib/x86_64-linux-gnu/libc.so.6
ls: cannot access '/usr/lib/x86_64-linux-gnu/libc.so.6': No such file or directory

To my knowledge, I haven’t moved anything…

Also, after setenforce 0, the deno run … does work normally.

$ find /usr -name libc.so*
/usr/lib/libc.so.6
/usr/lib64/libc.so.6
/usr/lib64/libc.so

You appear to be looking in the wrong location for the libc.so.6 library.
That app may be at fault.

So SELinux seems very likely the root of this.

I’d be inclined to try the restorecon suggested in the Github issue:

Could you run restorecon -R -v $HOME/.local/share/containers
This might be a problem in silverblue or any rpmostree based OS. Since rpm post install scripts do not run.
Basically container-selinux had to fix labels in users homedirs because of a change in the linux kernel.

Particularly, that tcontext=unconfined_u:object_r:container_file_t:s0:c392,c577 in the AVC denial is a weird context. It’s like another container relabelled files for its exclusive use.

You’re right:

$ find /usr -name libc.so.*
/usr/lib64/libc.so.6

That also means that Podman is looking in the wrong place, yes? Since the error is error while loading shared libraries: /lib/x86_64-linux-gnu/libc.so.6: ...

Is that from a shell on the host? If so, what do you get when you do it inside the container?

That was in the host. If I setenforce 0 and run the deno container, I find:

# find /usr -name libc.so.*
/usr/lib/x86_64-linux-gnu/libc.so.6

I tried restorecon -R -v $HOME/.local/share/containers and got a LOT of messages like:

`/var/home/eric/.local/share/containers/cache/blob-info-cache-v1.sqlite not reset as customized by admin to system_u:object_r:container_file_t:s0:c88,c793`

Do I need to run that with sudo?

I think sudo wouldn’t make a difference but the -F flag may be necessary:

Yes, that did it!

restorecon -R -F -v $HOME/.local/share/containers

I don’t know if the podman system reset was helpful or not.

So, now I can run Podman containers again!

Thank you, @pg-tips !

It makes me wonder what happened, whether something I did caused it, and how I could avoid it in the future. But for now, Podman is working again! Thanks everyone!

EDIT: I’m marking this post as the Solution, not because I came up with the solution myself, but because this post summarizes the solution. Thanks again to @pg-tips !

I don’t use an atomic Fedora variant myself, but the comment I quoted earlier was interesting, suggesting that on conventional Fedoras, the container-selinux package sometimes depends on an RPM post-install script - which doesn’t work the same way on atomics.

It might be that an atomic Fedora will need a relabelling of the container directories now and then, to deal with changes that a post-install script would normally take care of.

Perhaps so. However, I did not run rpm-ostree upgrade or any other update or change between the container working and the container not-working.

The only “funny” was the errors on doing a tab completion on a filename. I’ve seen that before without breaking Podman, though. And, I tried the tab complete again just now and it worked as expected: the tab just completed the filename.

So either that isn’t it, or the errors were a symptom of the SELinux problem, or it’s been fixed.