Bug
Resolution: Unresolved
Blocker
rhel-9.6
rhel-security-selinux
SELINUX 251029: 14
Architecture used:
RHEL 9.6 VM.
Below are the steps which I performed to isolate this issue:
1. Versions being used by me in the test:
$ rpm -q fapolicyd
fapolicyd-1.3.3-100.el9.x86_64
[ec2-user@ip-10-0-30-199 ~]$ podman --version
podman version 5.4.0
2. Enable and start fapolicyd:
[ec2-user@ip-10-0-30-199 ~]$ sudo systemctl enable fapolicyd
Created symlink /etc/systemd/system/multi-user.target.wants/fapolicyd.service → /usr/lib/systemd/system/fapolicyd.service.
[ec2-user@ip-10-0-30-199 ~]$ sudo systemctl start fapolicyd
3. Tried running a podman container with tmpfs (got failure/hang):
[ec2-user@ip-10-0-30-199 ~]$ sudo podman run --rm --runtime=runc --tmpfs /my-tmpfs alpine /bin/sleep infinity
Error: OCI runtime error: runc: runc create failed: unable to start container process: can't copy bootstrap data to pipe: write init-p: broken pipe
4. Rebooted the VM to confirm persistence of the issue:
[root@ip-10-0-30-199 ~]# sudo reboot
Connection to 13.56.78.123 closed by remote host.
Connection to 13.56.78.123 closed.
5. Confirmed fapolicyd is running after reboot:
[root@ip-10-0-30-199 ~]# systemctl status fapolicyd
● fapolicyd.service - File Access Policy Daemon
     Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; preset: disabled)
     Active: active (running) since Wed 2025-09-10 08:18:43 UTC; 11s ago
       Docs: man:fapolicyd(8)
    Process: 2645 ExecStartPre=/usr/sbin/fagenrules (code=exited, status=0/SUCCESS)
    Process: 2670 ExecStart=/usr/sbin/fapolicyd (code=exited, status=0/SUCCESS)
   Main PID: 2671 (fapolicyd)
      Tasks: 4 (limit: 4014)
     Memory: 21.0M
        CPU: 557ms
6. Tried the same podman command again (fails/hangs):
$ sudo podman run --rm --runtime=runc --tmpfs /my-tmpfs alpine /bin/sleep 10
Error: OCI runtime error: runc: runc create failed: unable to start container process: can't copy bootstrap data to pipe: write init-p: broken pipe
Confirmed the issue remains even after a reboot.
7. Stopped and disabled fapolicyd to isolate the cause:
$ sudo systemctl stop fapolicyd
$ sudo systemctl disable fapolicyd
8. Running the podman command again succeeded this time:
$ sudo podman run --rm --tmpfs /my-tmpfs alpine /bin/sleep 10
9. Edited the fapolicyd config to remove tmpfs from watch_fs:
$ sudo vi /etc/fapolicyd/fapolicyd.conf
$ sudo sed -i 's/watch_fs = .*tmpfs[^,]*/watch_fs = ext4,xfs/' /etc/fapolicyd/fapolicyd.conf
10. Reloaded and restarted fapolicyd:
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now fapolicyd
11. Ran podman with tmpfs again (it worked):
$ sudo podman run --rm --tmpfs /my-tmpfs alpine /bin/sleep 10
Podman container started successfully with fapolicyd enabled.
Some Important Inputs & Findings:
- The problem occurs only when fapolicyd watches tmpfs filesystem, causing permission issues.
- Disabling fapolicyd allows Podman tmpfs containers to run normally.
- Editing fapolicyd config to exclude `tmpfs` from monitoring resolves the problem permanently.
- The issue persists after reboot, confirming it is fapolicyd related, not a Podman bug.
Conclusion:
- The issue was caused by fapolicyd monitoring tmpfs mounts and blocking or interfering with container processes.
- Once tmpfs is excluded from fapolicyd’s watched filesystems, it no longer blocks Podman containers using --tmpfs.
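As an added example (not part of the bug report and not fapolicyd project code), here is a safer way to perform the edit from step 9. The greedy sed used there replaces everything on the watch_fs line before tmpfs with ext4,xfs, so any filesystem types listed before tmpfs are dropped and any listed after it are kept, which can leave a duplicated xfs entry. The POSIX shell functions below remove only the named entry from the comma-separated list, leave the other entries and their order intact, and write the result back through the original file so its ownership and mode are preserved. The config content it edits is constructed for the demo; the real file is /etc/fapolicyd/fapolicyd.conf and needs root. Caveat before applying this workaround on a hardened host: a filesystem type that is absent from watch_fs is not mediated by fapolicyd at all, so after the change binaries executed from any tmpfs mount (such as /dev/shm, or /tmp where it is tmpfs) are no longer subject to the policy. The workaround trades away part of the control rather than fixing the fapolicyd/runc interaction.

```shell
#!/bin/sh
# Added example, not from the bug report or the fapolicyd project.
# Remove one filesystem type from the watch_fs list of a fapolicyd.conf
# without disturbing the rest of the list.

# Print the watch_fs value of config file $1 (nothing if the key is absent).
get_watch_fs() {
    sed -n 's/^[[:space:]]*watch_fs[[:space:]]*=[[:space:]]*//p' "$1"
}

# Remove filesystem type $2 from the watch_fs line of config file $1.
# $2 is a plain fs type name (no regex metacharacters). Only the watch_fs
# line is touched; the four substitutions cover the entry appearing in the
# middle, first, last, or alone in the list. The result is written back
# through the original file so ownership and mode are preserved.
drop_watch_fs() {
    cfg=$1
    fs=$2
    out=$(mktemp) || return 1
    sed "/^[[:space:]]*watch_fs[[:space:]]*=/{
        s/,${fs},/,/g
        s/=[[:space:]]*${fs},/= /
        s/,${fs}[[:space:]]*\$//
        s/=[[:space:]]*${fs}[[:space:]]*\$/= /
    }" "$cfg" >"$out" && cat "$out" >"$cfg"
    rc=$?
    rm -f "$out"
    return $rc
}

# Demo on a constructed config (the real file is /etc/fapolicyd/fapolicyd.conf).
demo() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
# constructed sample, not a copy of the shipped default
permissive = 0
watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660,btrfs
trust = rpmdb,file
EOF
    echo "before: $(get_watch_fs "$tmp")"
    drop_watch_fs "$tmp" tmpfs
    echo "after:  $(get_watch_fs "$tmp")"
    rm -f "$tmp"
}

# On a real host, after editing /etc/fapolicyd/fapolicyd.conf:
#   sudo fapolicyd-cli --check-config      # syntax check of the config file
#   sudo systemctl restart fapolicyd       # no daemon-reload is needed for
#                                          # a fapolicyd.conf change
#   sudo fapolicyd-cli --check-watch_fs    # reports mounted fs types that
#                                          # watch_fs no longer covers
demo
```

The two fapolicyd-cli checks at the end are the ones to run before declaring the workaround done: --check-config catches a malformed line, and --check-watch_fs makes the loss of coverage explicit by listing the mounted filesystem types the daemon will no longer mediate.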