RHEL-112359

AVC denials regarding running a podman container


    • Bug
    • Resolution: Duplicate
    • rhel-10.1
    • selinux-policy
    • rhel-security-selinux

      What were you trying to do that didn't work?

      Running a regression test using a bundled resource in an HA cluster (containing a podman container) ends up with AVC denials.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-42.1.7-1.el10.noarch

      How reproducible is this bug?:

      always

      Steps to reproduce

      # ausearch -m AVC -ts today
      <no matches>
      
      # podman run registry.fedoraproject.org/fedora /bin/true
      Trying to pull registry.fedoraproject.org/fedora:latest...
      Getting image source signatures
      Copying blob 905734bdf8d9 done   | 
      Copying config 1e4700fa3d done   | 
      Writing manifest to image destination
      
      # ausearch -m AVC -ts today
      ----
      time->Fri Aug 29 04:11:12 2025
      type=AVC msg=audit(1756455072.814:3043): avc:  denied  { prog_run } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=bpf permissive=0

              rhn-support-zpytela Zdenek Pytela
              rhn-support-nhostako Nina Hostakova
              Zdenek Pytela
              Milos Malik