
[BUG] Unable to install the operator on CentOS Stream 8 with SELinux enforcing #115

Open
wainersm opened this issue Oct 10, 2022 · 11 comments
Labels
bug Something isn't working

Comments

@wainersm
Member

Describe the bug

When I run kubectl create -f config/samples/ccruntime.yaml on CentOS Stream 8 with SELinux in enforcing mode, the runtime is not fully installed because it fails to restart containerd.

This bug might not be exclusive to CentOS Stream 8.

To Reproduce
Steps to reproduce the behavior:

  1. Create a CentOS Stream 8 VM with kcli (kcli create vm -p centos8stream -P memory=$((4096*2)) -P numcpus=4 my-vm -P disks=['{"size": 20, "interface": "sata"}'])
  2. Log in to the VM
  3. Run sudo dnf update -y && sudo dnf install git ansible-core -y
  4. Run git clone https://github.com/confidential-containers/operator && cd operator/tests/e2e
  5. Run ansible-galaxy collection install community.docker
  6. Run ansible-playbook -i localhost, -c local --tags untagged ansible/main.yml
  7. Run sudo -E PATH="$PATH" bash -c './cluster/up.sh' && export KUBECONFIG=/etc/kubernetes/admin.conf
  8. Run sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl label node "$(hostname)" "node-role.kubernetes.io/worker="'
  9. Run sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl apply -f https://raw.githubusercontent.com/confidential-containers/operator/v0.1.0/deploy/deploy.yaml'
  10. Run sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl apply -f https://raw.githubusercontent.com/confidential-containers/operator/v0.1.0/config/samples/ccruntime.yaml'

Describe the results you expected

Have the operator installed.

Describe the results you received:

The pre-install pod is running:

[centos@cc-vm e2e]$ sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl get pods -A'
NAMESPACE                        NAME                                             READY   STATUS    RESTARTS        AGE
confidential-containers-system   cc-operator-controller-manager-dc4846d94-z2m6z   2/2     Running   0               3m59s
confidential-containers-system   cc-operator-pre-install-daemon-pbfrt             1/1     Running   0               2m15s
kube-flannel                     kube-flannel-ds-vwm5r                            1/1     Running   0               9m20s
kube-system                      coredns-6d4b75cb6d-pfhcd                         1/1     Running   0               9m20s
kube-system                      coredns-6d4b75cb6d-xjn48                         1/1     Running   0               9m20s
kube-system                      etcd-cc-vm                                       1/1     Running   0               9m27s
kube-system                      kube-apiserver-cc-vm                             1/1     Running   0               9m27s
kube-system                      kube-controller-manager-cc-vm                    1/1     Running   0               9m27s
kube-system                      kube-proxy-tb4zv                                 1/1     Running   0               9m20s
kube-system                      kube-scheduler-cc-vm                             1/1     Running   1 (9m31s ago)   9m27s

Although the pre-install pod is running, only the containerd binary got installed:

[centos@cc-vm e2e]$ find /opt/confidential-containers/bin/
/opt/confidential-containers/bin/
/opt/confidential-containers/bin/containerd

journalctl -xe gives us more details:

Oct 10 15:47:43 cc-vm systemd[76009]: containerd.service: Failed to execute command: Permission denied
Oct 10 15:47:43 cc-vm systemd[76009]: containerd.service: Failed at step EXEC spawning /opt/confidential-containers/bin/containerd: Per>
-- Subject: Process /opt/confidential-containers/bin/containerd could not be executed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- The process /opt/confidential-containers/bin/containerd could not be executed and failed.
-- 
-- The error number returned by this process is 13.
Oct 10 15:47:43 cc-vm systemd[1]: containerd.service: Main process exited, code=exited, status=203/EXEC
Oct 10 15:47:43 cc-vm systemd[1]: containerd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- The unit containerd.service has entered the 'failed' state with result 'exit-code'.
Oct 10 15:47:43 cc-vm systemd[1]: Failed to start containerd container runtime.
-- Subject: Unit containerd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit containerd.service has failed.
-- 
-- The result is failed.
Oct 10 15:47:43 cc-vm setroubleshoot[74730]: AnalyzeThread.run(): Cancel pending alarm
Oct 10 15:47:43 cc-vm setroubleshoot[74730]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file containerd.>
Oct 10 15:47:43 cc-vm setroubleshoot[74730]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file containerd.
                                             
                                             *****  Plugin catchall (100. confidence) suggests   **************************
                                             
                                             If you believe that systemd should be allowed execute access on the containerd file by def>
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c '(ntainerd)' --raw | audit2allow -M my-ntainerd
                                             # semodule -X 300 -i my-ntainerd.pp
                                             
Oct 10 15:47:43 cc-vm setroubleshoot[74730]: AnalyzeThread.run(): Set alarm timeout to 10

I cannot get the logs from the pre-install pod:

[centos@cc-vm e2e]$ sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl logs -n confidential-containers-system cc-operator-pre-install-daemon-pbfrt'
unable to retrieve container logs for containerd://5548159a17a64adca55b741383899127d28ef298df5e9fafe6fab123fc90e8c2
@wainersm wainersm added the bug Something isn't working label Oct 10, 2022
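The audit.log excerpt quoted below repeats the same denial every few seconds, and setroubleshoot's "ausearch -c '(ntainerd)'" hint hides what is actually wrong. The following triage script is an added example for this thread (not code from the confidential-containers operator): it parses raw type=AVC records, collapses repeated identical denials into one entry with a count, and flags the systemd (init_t) -> container_ro_file_t execute mismatch behind the status=203/EXEC failure. The two first sample records are copied from the issue; the SYSCALL line and the last AVC record are constructed.

```python
"""Triage SELinux AVC denials such as the ones pasted in this issue.

Added example for this thread, not part of the confidential-containers
operator. Reads ``type=AVC`` records (audit.log or ``ausearch --raw``),
groups denials by (source type, target type, class, permissions) and
explains the systemd -> containerd execute denial.
"""
import re
from typing import Dict, Optional, Tuple

Key = Tuple[str, str, str, Tuple[str, ...]]

# Fixed prefix of an AVC record; the key=value fields after "for" are free-form.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input. Lines 1-2 are copied from the audit.log excerpt in this issue;
# the SYSCALL record and the last AVC record are CONSTRUCTED to show that
# non-AVC lines are skipped and that a different denial groups separately.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1665420973.105:11631): avc:  denied  { execute } for  pid=87017 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665420978.356:11641): avc:  denied  { execute } for  pid=87031 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1665420978.356:11641): arch=c000003e syscall=59 success=no exit=-13 comm="(ntainerd)" exe="/usr/lib/systemd/systemd"
type=AVC msg=audit(1665421000.000:11700): avc:  denied  { read open } for  pid=90000 comm="containerd" name="config.toml" dev="sda1" ino=1 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
"""


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit record; return None for anything that is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": tuple(sorted(m.group("perms").split())),
        "pid": int(fields.get("pid", "0")),
        # systemd renames its forked child to "(" + last 8 chars of the
        # executable's basename + ")" before exec, hence comm="(ntainerd)".
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
        "enforced": fields.get("permissive", "0") == "0",
    }


def summarize(audit_text: str) -> Dict[Key, dict]:
    """Group denied AVCs by (source type, target type, class, perms)."""
    groups: Dict[Key, dict] = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key: Key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
                    rec["tclass"], rec["perms"])
        g = groups.setdefault(key, {"count": 0, "first": rec["timestamp"],
                                    "last": rec["timestamp"], "names": set(),
                                    "comms": set(), "enforced": False})
        g["count"] += 1
        g["first"] = min(g["first"], rec["timestamp"])
        g["last"] = max(g["last"], rec["timestamp"])
        g["names"].add(rec["name"])
        g["comms"].add(rec["comm"])
        g["enforced"] = g["enforced"] or rec["enforced"]  # any enforcing hit blocks
    return groups


def is_systemd_exec_denial(key: Key) -> bool:
    """True when PID 1 (init_t) was refused execute on a file: the 203/EXEC case."""
    stype, _ttype, tclass, perms = key
    return stype == "init_t" and tclass == "file" and "execute" in perms


def explain(key: Key, group: dict) -> str:
    """One-line triage verdict for a denial group."""
    stype, ttype, tclass, perms = key
    mode = "enforcing" if group["enforced"] else "permissive"
    line = (f"{group['count']}x {stype} denied {{ {' '.join(perms)} }} on "
            f"{tclass} {sorted(group['names'])} labelled {ttype} ({mode})")
    if is_systemd_exec_denial(key):
        # A binary written by the pre-install container keeps a container file
        # label; systemd may only exec files carrying an executable type such
        # as bin_t. Fix the label (ls -Z / restorecon) rather than widening
        # policy with audit2allow as setroubleshoot suggests.
        line += "; systemd cannot exec this file, check its label with ls -Z"
    return line


if __name__ == "__main__":
    import sys
    text = SAMPLE_AUDIT_LOG if sys.stdin.isatty() else sys.stdin.read()
    for key, group in sorted(summarize(text).items(), key=lambda kv: -kv[1]["count"]):
        print(explain(key, group))
```

Feed it real data with `sudo ausearch -m avc --raw | python3 avc_triage.py`; with no piped input it runs over the embedded sample.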
@hbrueckner

hbrueckner commented Oct 10, 2022

@wainersm Could you provide the AVC related messages from the audit.log (typically in /var/log/audit/) to get some specifics on the SELinux failures?

@wainersm
Member Author

Does this help, @hbrueckner?

[centos@cc-vm e2e]$ sudo cat /var/log/audit/audit.log | grep type=.*AVC.*
type=AVC msg=audit(1665420973.105:11631): avc:  denied  { execute } for  pid=87017 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421529.605:12777): avc:  denied  { execute } for  pid=88500 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421534.856:12787): avc:  denied  { execute } for  pid=88513 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421540.106:12799): avc:  denied  { execute } for  pid=88528 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421545.355:12809): avc:  denied  { execute } for  pid=88541 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421550.605:12819): avc:  denied  { execute } for  pid=88554 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421555.856:12829): avc:  denied  { execute } for  pid=88567 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421561.105:12839): avc:  denied  { execute } for  pid=88580 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421566.355:12851): avc:  denied  { execute } for  pid=88595 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421571.605:12861): avc:  denied  { execute } for  pid=88608 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421576.856:12873): avc:  denied  { execute } for  pid=88623 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421582.107:12885): avc:  denied  { execute } for  pid=88638 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421587.355:12895): avc:  denied  { execute } for  pid=88651 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421592.605:12905): avc:  denied  { execute } for  pid=88664 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421597.855:12917): avc:  denied  { execute } for  pid=88679 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421603.105:12927): avc:  denied  { execute } for  pid=88692 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421608.355:12937): avc:  denied  { execute } for  pid=88705 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421613.605:12951): avc:  denied  { execute } for  pid=88722 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421618.855:12961): avc:  denied  { execute } for  pid=88735 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421624.105:12971): avc:  denied  { execute } for  pid=88748 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421629.355:12983): avc:  denied  { execute } for  pid=88763 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421634.605:12993): avc:  denied  { execute } for  pid=88776 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421639.857:13005): avc:  denied  { execute } for  pid=88792 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421645.105:13017): avc:  denied  { execute } for  pid=88807 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421650.355:13027): avc:  denied  { execute } for  pid=88820 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421655.605:13039): avc:  denied  { execute } for  pid=88835 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421660.855:13049): avc:  denied  { execute } for  pid=88848 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421666.105:13059): avc:  denied  { execute } for  pid=88862 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421671.356:13069): avc:  denied  { execute } for  pid=88875 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421676.605:13079): avc:  denied  { execute } for  pid=88888 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421681.855:13091): avc:  denied  { execute } for  pid=88903 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421687.105:13103): avc:  denied  { execute } for  pid=88918 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421692.355:13113): avc:  denied  { execute } for  pid=88931 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421697.605:13123): avc:  denied  { execute } for  pid=88944 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421702.855:13135): avc:  denied  { execute } for  pid=88959 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421708.106:13145): avc:  denied  { execute } for  pid=88973 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421713.356:13155): avc:  denied  { execute } for  pid=88986 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421718.605:13167): avc:  denied  { execute } for  pid=89001 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421723.855:13181): avc:  denied  { execute } for  pid=89018 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421729.107:13191): avc:  denied  { execute } for  pid=89031 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421734.356:13201): avc:  denied  { execute } for  pid=89044 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421739.606:13211): avc:  denied  { execute } for  pid=89057 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421744.855:13221): avc:  denied  { execute } for  pid=89070 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421750.105:13233): avc:  denied  { execute } for  pid=89085 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421755.355:13243): avc:  denied  { execute } for  pid=89099 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421760.606:13259): avc:  denied  { execute } for  pid=89116 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421765.857:13271): avc:  denied  { execute } for  pid=89131 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421771.105:13281): avc:  denied  { execute } for  pid=89144 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421776.355:13293): avc:  denied  { execute } for  pid=89159 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421781.605:13303): avc:  denied  { execute } for  pid=89172 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421786.856:13315): avc:  denied  { execute } for  pid=89189 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421792.105:13325): avc:  denied  { execute } for  pid=89202 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421797.355:13335): avc:  denied  { execute } for  pid=89215 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421802.605:13345): avc:  denied  { execute } for  pid=89228 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421807.855:13357): avc:  denied  { execute } for  pid=89243 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421813.105:13367): avc:  denied  { execute } for  pid=89256 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421818.355:13377): avc:  denied  { execute } for  pid=89269 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421823.606:13389): avc:  denied  { execute } for  pid=89284 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421828.855:13403): avc:  denied  { execute } for  pid=89301 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421834.105:13413): avc:  denied  { execute } for  pid=89315 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421839.355:13425): avc:  denied  { execute } for  pid=89330 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421844.605:13435): avc:  denied  { execute } for  pid=89343 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421849.855:13445): avc:  denied  { execute } for  pid=89356 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421855.105:13455): avc:  denied  { execute } for  pid=89369 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421860.355:13465): avc:  denied  { execute } for  pid=89382 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421865.605:13477): avc:  denied  { execute } for  pid=89397 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421870.855:13487): avc:  denied  { execute } for  pid=89410 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421876.105:13497): avc:  denied  { execute } for  pid=89423 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421881.355:13507): avc:  denied  { execute } for  pid=89436 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421886.606:13520): avc:  denied  { execute } for  pid=89466 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421891.855:13538): avc:  denied  { execute } for  pid=89485 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421897.107:13551): avc:  denied  { execute } for  pid=89502 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421902.356:13561): avc:  denied  { execute } for  pid=89515 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421907.605:13571): avc:  denied  { execute } for  pid=89528 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421912.855:13581): avc:  denied  { execute } for  pid=89541 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421918.105:13591): avc:  denied  { execute } for  pid=89554 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421923.355:13601): avc:  denied  { execute } for  pid=89567 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421928.605:13613): avc:  denied  { execute } for  pid=89583 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421933.855:13629): avc:  denied  { execute } for  pid=89600 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421939.105:13643): avc:  denied  { execute } for  pid=89617 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421944.355:13655): avc:  denied  { execute } for  pid=89632 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421949.605:13665): avc:  denied  { execute } for  pid=89645 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421954.855:13681): avc:  denied  { execute } for  pid=89662 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421960.105:13699): avc:  denied  { execute } for  pid=89681 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421965.355:13709): avc:  denied  { execute } for  pid=89694 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421970.605:13719): avc:  denied  { execute } for  pid=89708 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421975.855:13729): avc:  denied  { execute } for  pid=89722 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421981.106:13739): avc:  denied  { execute } for  pid=89735 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421986.355:13751): avc:  denied  { execute } for  pid=89750 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421991.607:13761): avc:  denied  { execute } for  pid=89763 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665421996.857:13771): avc:  denied  { execute } for  pid=89776 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422002.106:13785): avc:  denied  { execute } for  pid=89793 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422007.355:13795): avc:  denied  { execute } for  pid=89806 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422012.605:13805): avc:  denied  { execute } for  pid=89819 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422017.855:13817): avc:  denied  { execute } for  pid=89834 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422023.105:13827): avc:  denied  { execute } for  pid=89847 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422028.355:13843): avc:  denied  { execute } for  pid=89863 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422033.605:13853): avc:  denied  { execute } for  pid=89876 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422038.855:13863): avc:  denied  { execute } for  pid=89889 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422044.106:13877): avc:  denied  { execute } for  pid=89906 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422049.355:13889): avc:  denied  { execute } for  pid=89921 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422054.605:13899): avc:  denied  { execute } for  pid=89934 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422059.855:13909): avc:  denied  { execute } for  pid=89947 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422065.105:13921): avc:  denied  { execute } for  pid=89962 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422070.355:13931): avc:  denied  { execute } for  pid=89975 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422075.606:13943): avc:  denied  { execute } for  pid=89990 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422080.855:13953): avc:  denied  { execute } for  pid=90003 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422086.105:13963): avc:  denied  { execute } for  pid=90016 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665422091.355:13973): avc:  denied  { execute } for  pid=90029 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0

@fidencio
Member

Unfortunately I'd say that's "expected" as it's never been tested.

We'll need to probably work on two fronts here:

  1. Try to ensure the payloads are satisfying current SELinux policies
  2. Expand container-selinux policies for whatever ends up being needed.

The first step is, IMHO, figuring out which are all the failures we may be hitting, and for doing so I'd recommend doing the following:

  1. Set SELinux to Permissive instead of Enforcing (this will allow us to get all the failures, and not only stop on the first one)
  2. Upload the logs with all the failures
  3. Open an issue for each one of the failures, in the appropriate repos (as I assume Kata Containers will also be doing some things there which may upset SELinux).

@wainersm, would you be able to get the full logs of failures so we can start properly tracking all the issues?

@hbrueckner

Hi @wainersm, @fidencio,

Agree on switching to permissive mode and sorting out the failures. Based on the logs above, my first impression is that containerd binaries are not correctly labeled (e.g. compared to what they should be in https://github.com/containers/container-selinux/blob/main/container.fc), e.g. container_ro_file_t vs container_runtime_exec_t.
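As an added example for this thread (not code from the operator or from container-selinux), a small Python parser that collapses the audit-log retry loop into unique denials, which is what the "get all the failures" step above needs, and flags the init_t vs container_ro_file_t execute mismatch pointed out in this comment. The embedded sample log contains three records copied from this issue plus two constructed lines (a non-AVC record and an unrelated denial with placeholder names and types); the container_runtime_exec_t expectation comes from the container.fc reference above.

```python
"""Collapse repeated SELinux AVC denials into unique entries and flag the
containerd labeling mismatch discussed in this thread. Example code written
for this issue, not part of the operator or container-selinux."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Kernel AVC record: permissions inside braces, then key=value fields (quoted strings or bare tokens).
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: entries 1, 3 and 4 are records quoted in this issue
# (two enforcing, one permissive); entry 2 is a made-up non-AVC record and
# entry 5 a made-up unrelated denial with placeholder names and types.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1665421445.605:12603): avc:  denied  { execute } for  pid=88277 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1665421445.605:12603): arch=c000003e syscall=59 success=no exit=-13 comm="(ntainerd)"',
    'type=AVC msg=audit(1665421450.855:12613): avc:  denied  { execute } for  pid=88290 comm="(ntainerd)" name="containerd" dev="sda1" ino=29872533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1665522945.448:12165): avc:  denied  { execute } for  pid=84871 comm="(ntainerd)" name="containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1665522950.001:12170): avc:  denied  { read } for  pid=84900 comm="example-daemon" name="example.conf" dev="sda1" ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1',
]


@dataclass(frozen=True)
class Denial:
    """One unique denial; pid, timestamp and serial are dropped on purpose so a
    systemd restart loop (same denial every ~5 s) collapses to a single row."""
    perms: str        # space-separated permissions, e.g. "execute"
    scontext: str     # subject (process) context
    tcontext: str     # object (target) context
    tclass: str       # object class, e.g. "file"
    comm: str         # process name as recorded by the kernel
    name: str         # target object name, "" if absent
    permissive: bool  # True if the denial was only logged (setenforce 0)


def selinux_type(context: str) -> str:
    """Return the type component of a user:role:type:level context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc_line(line: str) -> Optional[Denial]:
    """Parse one audit.log line; None for non-AVC records, grants and junk."""
    m = AVC_RE.match(line.strip())
    if not m or m.group('result') != 'denied':
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        return Denial(
            perms=' '.join(m.group('perms').split()),
            scontext=fields['scontext'],
            tcontext=fields['tcontext'],
            tclass=fields['tclass'],
            comm=fields.get('comm', ''),
            name=fields.get('name', ''),
            permissive=fields.get('permissive') == '1',
        )
    except KeyError:
        return None  # malformed record missing a mandatory field


def summarize_denials(lines: Iterable[str]) -> Counter:
    """Count how many times each unique denial occurs."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_avc_line(line)
        if d is not None:
            counts[d] += 1
    return counts


def diagnose(denial: Denial) -> Optional[str]:
    """Explain the mismatch seen in this issue; None for any other denial."""
    if ('execute' in denial.perms.split() and denial.tclass == 'file'
            and selinux_type(denial.scontext) == 'init_t'
            and selinux_type(denial.tcontext) == 'container_ro_file_t'):
        return (f'systemd (init_t) may not execute "{denial.name}" labelled '
                'container_ro_file_t; container.fc labels the containerd binary '
                'container_runtime_exec_t, so compare with ls -Z on the installed file')
    return None


def report(lines: Iterable[str]) -> List[str]:
    """One line per unique denial, most frequent first, with hints attached."""
    out = []
    for d, n in summarize_denials(lines).most_common():
        mode = 'permissive' if d.permissive else 'enforcing'
        out.append(f'{n:4d}x {mode:10s} {d.perms} on {d.tclass} "{d.name}" '
                   f'{selinux_type(d.scontext)} -> {selinux_type(d.tcontext)} (comm={d.comm})')
        hint = diagnose(d)
        if hint:
            out.append('      hint: ' + hint)
    return out
```

On a real host, pass the lines of /var/log/audit/audit.log to report() instead of SAMPLE_AUDIT_LOG; the enforcing and permissive variants of the same denial are kept apart so the two runs in this thread can be compared.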

@wainersm
Member Author

Interesting behavior... if I set SELinux to permissive mode (sudo setenforce 0) just before installing the operator, I still get an error, as the daemon-install pod gets stuck in ContainerCreating status:

[centos@cc-vm e2e]$ sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl get pods -A'
NAMESPACE                        NAME                                             READY   STATUS              RESTARTS   AGE
confidential-containers-system   cc-operator-controller-manager-dc4846d94-qrbhc   2/2     Running             0          14m
confidential-containers-system   cc-operator-daemon-install-l5k2z                 0/1     ContainerCreating   0          3m
confidential-containers-system   cc-operator-pre-install-daemon-dfn8x             1/1     Running             0          8m28s
kube-flannel                     kube-flannel-ds-5f879                            1/1     Running             0          150m
kube-system                      coredns-6d4b75cb6d-r2prj                         1/1     Running             0          150m
kube-system                      coredns-6d4b75cb6d-s6krb                         1/1     Running             0          150m
kube-system                      etcd-cc-vm                                       1/1     Running             0          151m
kube-system                      kube-apiserver-cc-vm                             1/1     Running             0          151m
kube-system                      kube-controller-manager-cc-vm                    1/1     Running             0          150m
kube-system                      kube-proxy-kms6s                                 1/1     Running             0          150m
kube-system                      kube-scheduler-cc-vm                             1/1     Running             0          151m

When I look at the events of the same daemon-install pod, I see the reason is still related to the containerd reboot:

Events:
  Type     Reason                  Age    From               Message
  ----     ------                  ----   ----               -------
  Normal   Scheduled               3m40s  default-scheduler  Successfully assigned confidential-containers-system/cc-operator-daemon-install-l5k2z to cc-vm
  Warning  FailedCreatePodSandBox  3m40s  kubelet            Failed to create pod sandbox: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial unix /run/containerd/containerd.sock: connect: no such file or directory"
  Normal   Pulling                 3m26s  kubelet            Pulling image "quay.io/confidential-containers/runtime-payload:

I could swear I had the operator installed correctly without SELinux in permissive mode. Next: I will boot the VM and set it to permissive right away, even before installing and starting k8s.

@wainersm
Member Author

OK, I set SELinux to permissive mode even before starting the cluster and everything. Here are the audit messages that got logged after the operator was installed:

[root@cc-vm e2e]# cat /var/log/audit/audit.log* | grep type=.*AVC.*
type=AVC msg=audit(1665522945.448:12165): avc:  denied  { execute } for  pid=84871 comm="(ntainerd)" name="containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.448:12165): avc:  denied  { execute_no_trans } for  pid=84871 comm="(ntainerd)" path="/opt/confidential-containers/bin/containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.448:12165): avc:  denied  { map } for  pid=84871 comm="containerd" path="/opt/confidential-containers/bin/containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.515:12166): avc:  denied  { map } for  pid=84871 comm="containerd" path="/var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db" dev="sda1" ino=12698226 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.515:12167): avc:  denied  { connectto } for  pid=84871 comm="containerd" path="/run/containerd/s/d84b32dacd54af5afe31abcf8f05d42ea7dee91fb4b151ac324bdef4ec5f18ae" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1665522945.516:12168): avc:  denied  { read write } for  pid=84871 comm="containerd" name="log" dev="tmpfs" ino=172485 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1665522945.617:12170): avc:  denied  { append } for  pid=84871 comm="containerd" name="0.log" dev="sda1" ino=987238 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.617:12170): avc:  denied  { open } for  pid=84871 comm="containerd" path="/var/log/pods/kube-flannel_kube-flannel-ds-2w2x9_971ae6bc-c233-4761-a2c3-1b2ebb7250c7/kube-flannel/0.log" dev="sda1" ino=987238 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.617:12171): avc:  denied  { read } for  pid=84871 comm="containerd" name="438cf9e4d33acf8293217c3e7999728a2099e89fc352f87f1bdff5e705c0af52-stdout" dev="tmpfs" ino=177763 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1665522960.419:12286): avc:  denied  { create } for  pid=84871 comm="containerd" name="cni-3fe54228-d958-2823-e573-c61cd4a9bd86" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522960.419:12286): avc:  denied  { write } for  pid=84871 comm="containerd" path="/run/netns/cni-3fe54228-d958-2823-e573-c61cd4a9bd86" dev="tmpfs" ino=387819 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522960.494:12288): avc:  denied  { create } for  pid=84871 comm="containerd" name="work" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1665522960.495:12289): avc:  denied  { create } for  pid=84871 comm="containerd" name="config.json" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522960.495:12289): avc:  denied  { write } for  pid=84871 comm="containerd" path="/run/containerd/io.containerd.runtime.v2.task/k8s.io/c8852373eac72d7a671f30f379af1ee348383b19e76864d18e1f06b8802075dd/config.json" dev="tmpfs" ino=387942 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522960.495:12290): avc:  denied  { read write } for  pid=84871 comm="containerd" name="log" dev="tmpfs" ino=387943 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1665522960.495:12291): avc:  denied  { setpgid } for  pid=85173 comm="containerd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
type=AVC msg=audit(1665522961.117:12295): avc:  denied  { name_connect } for  pid=84871 comm="containerd" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1665523067.648:12433): avc:  denied  { name_connect } for  pid=84871 comm="containerd" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1665523357.205:12812): avc:  denied  { read } for  pid=84871 comm="containerd" name="53a02b8d4ce77e0be8415937a33e3268ad00ad830b67d7da6b6c31e9228bb23a-stdout" dev="tmpfs" ino=405748 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1665523357.239:12813): avc:  denied  { unlink } for  pid=84871 comm="containerd" name="#b4" dev="sda1" ino=25501069 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1665523357.285:12814): avc:  denied  { add_name } for  pid=84871 comm="containerd" name="0.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1665523357.285:12814): avc:  denied  { create } for  pid=84871 comm="containerd" name="0.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523357.285:12814): avc:  denied  { append open } for  pid=84871 comm="containerd" path="/var/log/pods/confidential-containers-system_cc-operator-daemon-install-jnrz9_714ce54c-3fc7-49b0-ab4c-311234f9fe81/cc-runtime-install-pod/0.log" dev="sda1" ino=1552425 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523357.287:12815): avc:  denied  { create } for  pid=84871 comm="containerd" name="work" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1665523357.287:12816): avc:  denied  { create } for  pid=84871 comm="containerd" name="config.json" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523357.287:12816): avc:  denied  { write } for  pid=84871 comm="containerd" path="/run/containerd/io.containerd.runtime.v2.task/k8s.io/53a02b8d4ce77e0be8415937a33e3268ad00ad830b67d7da6b6c31e9228bb23a/config.json" dev="tmpfs" ino=408102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523357.287:12817): avc:  denied  { write } for  pid=84871 comm="containerd" name="log" dev="tmpfs" ino=408103 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1665523357.287:12818): avc:  denied  { setpgid } for  pid=85816 comm="containerd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
type=AVC msg=audit(1665523357.291:12819): avc:  denied  { connectto } for  pid=84871 comm="containerd" path="/run/containerd/s/46ef0cc9d73a69d17b72dc3bd2863b388e191bc0fa2081ec22346fef12ad1e43" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1665523359.172:12831): avc:  denied  { execute } for  pid=85955 comm="(ntainerd)" name="containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523359.172:12831): avc:  denied  { execute_no_trans } for  pid=85955 comm="(ntainerd)" path="/opt/confidential-containers/bin/containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523359.172:12831): avc:  denied  { map } for  pid=85955 comm="containerd" path="/opt/confidential-containers/bin/containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523359.226:12832): avc:  denied  { map } for  pid=85955 comm="containerd" path="/var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db" dev="sda1" ino=12698226 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523359.227:12833): avc:  denied  { connectto } for  pid=85955 comm="containerd" path="/run/containerd/s/d84b32dacd54af5afe31abcf8f05d42ea7dee91fb4b151ac324bdef4ec5f18ae" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1665523359.227:12834): avc:  denied  { read write } for  pid=85955 comm="containerd" name="log" dev="tmpfs" ino=172485 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1665523359.383:12836): avc:  denied  { append } for  pid=85955 comm="containerd" name="0.log" dev="sda1" ino=987238 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523359.383:12836): avc:  denied  { open } for  pid=85955 comm="containerd" path="/var/log/pods/kube-flannel_kube-flannel-ds-2w2x9_971ae6bc-c233-4761-a2c3-1b2ebb7250c7/kube-flannel/0.log" dev="sda1" ino=987238 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665523359.897:12859): avc:  denied  { map } for  pid=85955 comm="containerd" path="/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/metadata.db" dev="sda1" ino=4201134 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1665512070.866:102): pid=802 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1665513437.562:115): avc:  denied  { getattr } for  pid=4959 comm="groupadd" name="/" dev="proc" ino=1 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=USER_AVC msg=audit(1665513476.371:122): pid=802 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1665513562.605:141): pid=802 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=3)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1665514142.727:674): pid=802 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=4)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1665514160.139:675): pid=802 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=5)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
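The plan above (switch to permissive so every denial is recorded, then split the log into separately trackable failures) can be mechanised. What follows is an added example written for this issue, not code from the thread, the operator or Kata Containers: it groups AVC records into distinct source-domain / target-type / class / permission tuples and lists the binaries hit by execute denials, which are the files carrying the wrong label. The embedded sample is eight of the AVC lines from this comment so the script runs offline; the function names and the ausearch/audit2allow flow in the comments are the example's own.

```shell
#!/bin/sh
# Added example for this issue; not code from the thread, the operator or
# kata-containers. Summarises SELinux AVC denials so that each distinct
# (source domain -> target type, class, permissions) tuple can be filed as
# its own issue, and lists the files hit by execute denials.
#
# Intended flow on a node (permissive first, so *all* denials get logged
# instead of only the first one that stops containerd):
#   sudo setenforce 0
#   ... reproduce the operator install ...
#   sudo ausearch -m AVC -ts recent | avc_summary
#   sudo ausearch -m AVC -ts recent | audit2allow -w   # per-denial explanation
#   sudo setenforce 1
#
# Sample input: eight AVC lines taken from the audit.log dump in this thread,
# embedded here so the script runs offline.
SAMPLE_AVC='type=AVC msg=audit(1665522945.448:12165): avc:  denied  { execute } for  pid=84871 comm="(ntainerd)" name="containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.448:12165): avc:  denied  { execute_no_trans } for  pid=84871 comm="(ntainerd)" path="/opt/confidential-containers/bin/containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.448:12165): avc:  denied  { map } for  pid=84871 comm="containerd" path="/opt/confidential-containers/bin/containerd" dev="sda1" ino=21885437 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.515:12166): avc:  denied  { map } for  pid=84871 comm="containerd" path="/var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db" dev="sda1" ino=12698226 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1665522945.515:12167): avc:  denied  { connectto } for  pid=84871 comm="containerd" path="/run/containerd/s/d84b32dacd54af5afe31abcf8f05d42ea7dee91fb4b151ac324bdef4ec5f18ae" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1665522945.516:12168): avc:  denied  { read write } for  pid=84871 comm="containerd" name="log" dev="tmpfs" ino=172485 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1665522961.117:12295): avc:  denied  { name_connect } for  pid=84871 comm="containerd" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1665523067.648:12433): avc:  denied  { name_connect } for  pid=84871 comm="containerd" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1'

# Distinct denials as "count  source_type -> target_type (class) { perms }",
# most frequent first. Only type=AVC records are read; USER_AVC and the
# setenforce/policyload notices are skipped.
avc_summary() {
    grep '^type=AVC ' | awk '
    {
        match($0, /[{][^}]*[}]/)
        perms = substr($0, RSTART, RLENGTH)
        src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " -> " tgt " (" cls ") " perms]++
    }
    END { for (k in count) printf "%6d  %s\n", count[k], k }' | sort -rn
}

# Files hit by execute / execute_no_trans denials: the binaries whose label
# is wrong (here container_ro_file_t where the policy expects
# container_runtime_exec_t). Records without a path= field are skipped.
avc_exec_paths() {
    grep '^type=AVC ' | awk '
    /denied  [{] [^}]*execute/ && match($0, /path="[^"]*"/) {
        print substr($0, RSTART + 6, RLENGTH - 7)
    }' | sort -u
}

# Stand-alone demo on the embedded sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_exec_paths
```

Every record in the dump has scontext init_t, and avc_summary makes that visible at a glance: the process never left systemd's domain, which is the symptom to chase before opening one issue per tuple.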

@fidencio
Member

@dcmiddle, @fitzthum, could we add this bug as a limitation as part of the release notes? Just something saying that "Support for running on clusters that are using SELinux on Enforcing mode is not supported."

Then we'll need to break this down and evaluate what will make into the coming releases, although I don't see this as having the highest priority.

@hbrueckner

hbrueckner commented Oct 13, 2022

Hi @wainersm, @fidencio

OK, I set SELinux to permissive mode even before starting the cluster and everything. Here are the audit messages that got logged after the operator was installed:

From the AVC messages above, containerd is installed in "/opt/confidential-containers/bin/containerd" and this results in wrong SELinux file contexts, e.g., the container-selinux policy expects containerd to be in:

/usr/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/containerd.*		--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

Is there any specific reason to install containerd in /opt?

@dcmiddle
Member

Is there any specific reason to install containerd in /opt?

It's an attempt to do a non-destructive install since we overwrite "normal" containerd with our patched version.
In this case we put it in /opt and change where the system looks for containerd so we don't literally overwrite what is installed in /usr.

@hbrueckner

Hi @dcmiddle

Is there any specific reason to install containerd in /opt?

It's an attempt to do a non-destructive install since we overwrite "normal" containerd with our patched version. In this case we put it in /opt and change where the system looks for containerd so we don't literally overwrite what is installed in /usr

Understood... and in that case, the SELinux context for containerd needs to be added (likely by providing a respective .if file, or temporarily using chcon to change the context).
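An added example (not code from the thread, the operator or container-selinux) of the three ways to give the /opt copy the label that container.fc assigns to containerd under /usr: a temporary chcon, a persistent semanage fcontext rule, or a small policy module whose .fc file carries the rule (the .fc entry is the part that assigns the label; the .te only declares the module). The directory, the expected type and the containerd.* pattern mirror the AVC lines and the container.fc entries quoted above; the module name cc_containerd and the helper names are assumptions. The script only prints the commands and file contents, so it runs anywhere; the printed commands need root on the node.

```shell
#!/bin/sh
# Added example, not code from the thread, the operator or container-selinux.
# container.fc labels /usr/s?bin/containerd.* and /usr/local/s?bin/containerd.*
# as container_runtime_exec_t; a containerd copied to /opt/confidential-containers/bin
# gets the generic container_ro_file_t instead, which is what the AVCs show.
# Three ways to give the /opt copy the expected label, least to most durable.
# Directory, module name and helper names are this example's assumptions.
CC_BIN_DIR=/opt/confidential-containers/bin
EXPECTED_TYPE=container_runtime_exec_t
MODULE=cc_containerd

# Return 0 when a security context (as printed by `stat -c %C` or `ls -Z`)
# carries the expected type.
label_ok() {
    ctx=$1; want=$2
    ty=$(printf '%s' "$ctx" | cut -d: -f3)
    [ "$ty" = "$want" ]
}

# 1) Temporary: chcon survives only until the next restorecon or relabel.
chcon_cmd() {
    printf 'chcon -t %s %s/containerd\n' "$EXPECTED_TYPE" "$CC_BIN_DIR"
}

# 2) Persistent without a policy module: a local file-context rule mirroring
#    the container.fc pattern, then apply it to the directory.
semanage_cmds() {
    printf 'semanage fcontext -a -t %s "%s/containerd.*"\n' "$EXPECTED_TYPE" "$CC_BIN_DIR"
    printf 'restorecon -RFv %s\n' "$CC_BIN_DIR"
}

# 3) Shippable: a policy module whose .fc carries the rule. The .te only
#    declares the module and the type the .fc references.
fc_content() {
    printf '%s/containerd.*\t--\tgen_context(system_u:object_r:%s,s0)\n' "$CC_BIN_DIR" "$EXPECTED_TYPE"
}
te_content() {
    printf 'policy_module(%s, 1.0)\n\nrequire {\n\ttype %s;\n}\n' "$MODULE" "$EXPECTED_TYPE"
}
module_build_cmds() {
    # Needs selinux-policy-devel; run in the directory holding $MODULE.te/.fc.
    printf 'make -f /usr/share/selinux/devel/Makefile %s.pp\n' "$MODULE"
    printf 'semodule -i %s.pp\n' "$MODULE"
    printf 'restorecon -RFv %s\n' "$CC_BIN_DIR"
}

# Verify: what the policy says the path should have vs what it has.
verify_cmds() {
    printf 'matchpathcon %s/containerd\n' "$CC_BIN_DIR"
    printf 'stat -c %%C %s/containerd\n' "$CC_BIN_DIR"
}

# Demo: print everything; nothing here touches the running system.
echo '# temporary:';            chcon_cmd
echo '# persistent:';           semanage_cmds
echo "# module $MODULE.fc:";    fc_content
echo "# module $MODULE.te:";    te_content
echo '# build and install:';    module_build_cmds
echo '# verify:';               verify_cmds
```

Two caveats. File-context rules take effect on restorecon or a relabel, not at file creation: a file the daemonset writes into /opt/confidential-containers/bin inherits its parent directory's label unless a type transition rule applies, so the relabel has to run after the operator has copied the binaries, or be repeated on every upgrade. And every AVC in the dump has scontext init_t: because the binary is not container_runtime_exec_t, systemd never transitions the containerd process into container_runtime_t, so the later map, connectto and name_connect denials are judged against init_t as well and are expected to go away once the exec label is right; anything Kata Containers adds on top still needs its own look.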

wainersm added a commit to wainersm/cc-documentation that referenced this issue Dec 19, 2022
The operator does not work(**) with SELinux enabled and enforced. Added
a note about it on the prerequisites section.

(**) confidential-containers/operator#115

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
fidencio pushed a commit to wainersm/cc-documentation that referenced this issue Jan 16, 2023
The operator does not work(**) with SELinux enabled and enforced. Added
a note about it on the prerequisites section.

(**) confidential-containers/operator#115

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
fidencio pushed a commit to confidential-containers/documentation that referenced this issue Jan 16, 2023
The operator does not work(**) with SELinux enabled and enforced. Added
a note about it on the prerequisites section.

(**) confidential-containers/operator#115

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
@wainersm
Member Author

This bug has been open for a while now and things changed a little bit. E.g., the operator is now installing kata under /opt/kata and containerd is not installed by default. However, I still believe that turning SELinux on will fail and I hope the fix to kata-deploy in kata-containers/kata-containers#8417 can at least partially solve the problem on CoCo side as well.
