Launchpad to track https://bugzilla.redhat.com/show_bug.cgi?id=1866479
When running the minor update in Train/OSP16.0 we don't get the right module set for container-tools. As a result we get the wrong package versions for podman and container-selinux, which makes the update fail in SELinux.
Here are some denials found in audit.log:
~~~
type=AVC msg=audit(1596552157.909:578): avc: denied { entrypoint } for pid=8860 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c141,c914 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
type=AVC msg=audit(1596555374.210:1689): avc: denied { entrypoint } for pid=18428 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.210:1689): avc: denied { read write } for pid=18428 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=11765 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1596555374.210:1689): avc: denied { read execute } for pid=18428 comm="qemu-kvm" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.225:1690): avc: denied { open } for pid=18428 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=117069 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.225:1691): avc: denied { read } for pid=18428 comm="qemu-kvm" name="lib64" dev="overlay" ino=117065 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=lnk_file permissive=1
type=AVC msg=audit(1596555374.525:1692): avc: denied { read } for pid=18428 comm="qemu-kvm" name="/" dev="overlay" ino=116647 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=dir permissive=1
type=AVC msg=audit(1596562587.232:1911): avc: denied { entrypoint } for pid=20925 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=144355 scontext=system_u:system_r:svirt_t:s0:c970,c979 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
type=AVC msg=audit(1596563775.829:2316): avc: denied { entrypoint } for pid=24507 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=144355 scontext=system_u:system_r:svirt_t:s0:c337,c866 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
~~~
The traceback from nova looks like this:
~~~
Instance failed to spawn: libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 2663, in _build_resources
    yield resources
  File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 2437, in _build_and_run_instance
    block_device_info=block_device_info)
  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 3647, in spawn
    cleanup_instance_disks=created_disks)
  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 6473, in _create_domain_and_network
    cleanup_instance_disks=cleanup_instance_disks)
  File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 220, in __exit__
    self.force_reraise()
  File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
    six.reraise(self.type_, self.value, self.tb)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 6439, in _create_domain_and_network
    post_xml_callback=post_xml_callback)
  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/driver.py", line 6368, in _create_domain
    guest.launch(pause=pause)
  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/guest.py", line 143, in launch
    self._encoded_xml, errors='ignore')
  File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 220, in __exit__
    self.force_reraise()
  File "/usr/lib/python3.6/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
    six.reraise(self.type_, self.value, self.tb)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/nova/virt/libvirt/guest.py", line 138, in launch
    return self._domain.createWithFlags(flags)
  File "/usr/lib/python3.6/site-packages/eventlet/tpool.py", line 190, in doit
    result = proxy_call(self._autowrap, f, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/eventlet/tpool.py", line 148, in proxy_call
    rv = execute(f, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/eventlet/tpool.py", line 129, in execute
    six.reraise(c, e, tb)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/eventlet/tpool.py", line 83, in tworker
    rv = meth(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/libvirt.py", line 1265, in createWithFlags
    if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied
~~~
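For triaging denials like the ones above, the following added example (not part of the original report or of any project code) parses AVC records and tallies them by source type, target type, object class and permission, separating accesses that were blocked (`permissive=0`) from those only logged. The sample records are three lines copied from the audit.log excerpt in this report; the function names are hypothetical.

```python
import re
from collections import Counter

# Three records copied from the audit.log excerpt in this report.
SAMPLE = """\
type=AVC msg=audit(1596552157.909:578): avc: denied { entrypoint } for pid=8860 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c141,c914 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
type=AVC msg=audit(1596555374.210:1689): avc: denied { read write } for pid=18428 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=11765 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1596555374.225:1690): avc: denied { open } for pid=18428 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=117069 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line; return None for non-matching lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m["perms"].split(),
        "source": selinux_type(m["scontext"]),
        "target": selinux_type(m["tcontext"]),
        "tclass": m["tclass"],
        # permissive=0 means the access was blocked; a record without the
        # field is treated as blocked (assumption for older record formats).
        "enforced": m["permissive"] != "1",
    }

def summarize(text):
    """Count denials per (source, target, class, permission, enforced)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["source"], rec["target"], rec["tclass"], perm, rec["enforced"])] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm, enforced), n in sorted(summarize(SAMPLE).items()):
        state = "blocked" if enforced else "logged only (permissive)"
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }} {state}")
```
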
Related fix proposed to branch: master
Review: https://review.opendev.org/745177