RHEL-58185

error: can't create transaction lock on /var/lib/containers/storage/overlay/$containerid/merged/var/lib/rpm/.rpm.lock (Permission denied)


      It's blocking integration test konflux onboarding - https://issues.redhat.com/browse/RHELMISC-7122


      What were you trying to do that didn't work?

      Mounting the container filesystem and then trying to rebuild the rpm database on a RHEL9 host resulted in this issue, which was not seen while doing the same steps on a RHEL8.10 host. After "setenforce 0", it can be successfully rebuilt.

      Please provide the package NVR for which the bug is seen:

      [root@sweetpig-8 ~]# rpm -q rpm selinux-policy container-selinux
      rpm-4.16.1.3-29.el9.x86_64
      selinux-policy-38.1.35-2.el9_4.2.noarch
      container-selinux-2.229.0-1.el9.noarch
      

      How reproducible is this bug?:

      always

      Steps to reproduce

      [root@sweetpig-8 ~]# podman run --name container-test registry-proxy.engineering.redhat.com/rh-osbs/ubi9-ubi-micro:9.4-15
      [root@sweetpig-8 ~]# podman mount container-test
      /var/lib/containers/storage/overlay/98efda09ecca009ac8dff8af0ba3df71e02e526de095c56778653a06199497e8/merged
      [root@sweetpig-8 ~]# rpmdb --rebuilddb --root=/var/lib/containers/storage/overlay/98efda09ecca009ac8dff8af0ba3df71e02e526de095c56778653a06199497e8/merged
      error: can't create transaction lock on /var/lib/containers/storage/overlay/98efda09ecca009ac8dff8af0ba3df71e02e526de095c56778653a06199497e8/merged/var/lib/rpm/.rpm.lock (Permission denied)
      

      Additional info

      [root@sweetpig-8 ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
      <no matches>
      [root@sweetpig-8 ~]# journalctl -t setroubleshoot
      -- No entries --
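
One way to check whether a denial is being hidden by a dontaudit rule, for the situation reported above where the command fails in enforcing mode, works after "setenforce 0", and ausearch shows no AVCs. This is an added example, not part of the original issue; the function name is hypothetical, and it assumes root on an SELinux host with semodule and ausearch installed.

```shell
# Added example: re-run a failing command with dontaudit rules disabled so
# that suppressed SELinux denials are written to the audit log.
# run_with_dontaudit_disabled is a hypothetical helper name.
#
# Usage, with the commands from the report:
#   run_with_dontaudit_disabled rpmdb --rebuilddb --root="$(podman mount container-test)"

run_with_dontaudit_disabled() {
    local rc=0

    if [ "$#" -eq 0 ]; then
        echo "usage: run_with_dontaudit_disabled CMD [ARGS...]" >&2
        return 2
    fi

    # -D disables dontaudit rules, -B rebuilds and reloads the policy.
    # If this fails, nothing has changed, so stop before running the command.
    semodule -DB || return 1

    # Run the failing command and remember its exit status.
    "$@" || rc=$?

    # Same query as in the report. ausearch exits non-zero on "<no matches>",
    # which must not abort the helper before the policy is restored.
    ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent || true

    # Rebuild without -D so the dontaudit rules are active again,
    # whether or not the command succeeded.
    semodule -B || echo "warning: could not restore dontaudit rules" >&2

    return "$rc"
}
```

The helper returns the exit status of the command it ran, and the policy is rebuilt with dontaudit rules restored before it returns.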
      

              rhn-support-zpytela Zdenek Pytela
              weshen Edward Shen
              Lokesh Mandvekar
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE