bash: error while loading shared libraries: libc.so.6: cannot change memory protections

[cevich]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

After updating Fedora 33 to podman 3.1.2 I started getting this error whenever trying to run a container

Steps to reproduce the issue:

1. On a Fedora 33 system, update to podman 3.1.2

2. As a regular user, run podman system reset to ensure a clean state

3. As the same user, run podman run -it --rm fedora:33 (or alpine or basically any container that uses bash)

Describe the results you received:

bash: error while loading shared libraries: libc.so.6: cannot change memory protections

In /var/log/audit/audit.log:

type=AVC msg=audit(1624991277.062:935): avc:  denied  { read } for  pid=15030 comm="bash" path="/usr/lib64/libc-2.32.so" dev="dm-10" ino=16779410 scontext=system_u:system_r:container_t:s0:c918,c946 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0

Describe the results you expected:

A bash prompt

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      3.1.2
API Version:  3.1.2
Go Version:   go1.15.11
Built:        Tue May 11 09:53:47 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.20.1
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.27-2.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 12
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 4179
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 4179
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.12.12-200.fc33.x86_64
  linkmode: dynamic
  memFree: 26389209088
  memTotal: 33388281856
  ociRuntime:
    name: crun
    package: crun-0.19.1-3.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.19.1
      commit: 1535fedf0b83fb898d449f9680000f729ba719f5
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/4179/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc33.x86_64
    version: |-
      slirp4netns version 1.1.9
      commit: 4e37ea557562e0d7a64dc636eff156f64927335e
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 8585732096
  swapTotal: 8585732096
  uptime: 34m 19.24s
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
    Mirrors:
    - Insecure: false
      Location: mirror.gcr.io
    Prefix: docker.io
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/cevich/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/cevich/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 2
  runRoot: /run/user/4179/containers
  volumePath: /home/cevich/.local/share/containers/storage/volumes
version:
  APIVersion: 3.1.2
  Built: 1620741227
  BuiltTime: Tue May 11 09:53:47 2021
  GitCommit: ""
  GoVersion: go1.15.11
  OsArch: linux/amd64
  Version: 3.1.2

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.1.2-2.fc33.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

No

Additional environment details (AWS, VirtualBox, physical, etc.):

Attempting to run the alpine container gives a different error message, but similar SELinux errors.

Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
Error relocating /bin/sh: RELRO protection failed: Permission denied

[cevich]

It was suggested that this is a known issue due to a necessary SELinux policy update. with a documented workaround:

Temporarily run in permissive mode (sudo setenforce 0)

[cevich]

I'm told there is a package update in the works that will resolve this issue. We can close this once it goes GA.

[cevich]

I might be wrong, but I wonder if this is affecting #10829 (comment) and #10829 (comment)

I'm on PTO next week, so I'll check back in on this when I return.

[rhatdan]

Almost always memory protection errors are caused by SELinux.

[cevich]

I'm back now, started fresh build of VM images for CI, will also update my laptop's F33 and try to reproduce...

[cevich]

sigh...this appears to still be a problem in F33 😿

[rhatdan]

Chris what errors are you seeing? /dev/heap? Or issues with containers not able to use libc.s0.6? If the later, I think the issue is the labeling of the underlying content for rootless containers?

[cevich]

Yes the later. I swore I remember from an IRC convo. a few weeks ago that a package update was coming in a week or so. I'm fully updated and just rebooted this morning:

~ $ sudo getenforce
Enforcing
~ $ podman system reset

WARNING! This will remove:
        - all containers
        - all pods
        - all images
        - all build cache
Are you sure you want to continue? [y/N] y
~ $ podman run -it --rm registry.fedoraproject.org/fedora:latest
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob ca594071dfff done
Copying config abec9a7a7d done
Writing manifest to image destination
Storing signatures
/bin/bash: error while loading shared libraries: libc.so.6: cannot change memory protections

Everything under .local/share/containers/storage is type data_home_t. I even tried it under a brand-new user account, same same.

[rhatdan]

The dma_heap stuff was fixed.

I think the problem we are having is the newer kernel supports rootless overlay. Before we were relying on fuse_overlay to set the labels correctly on the underlying directories. Now the labels are coming through and SELinux does not like them.

Rootless SELinux expects the labels to match /var/lib/containers/storage.

system_u:object_r:container_var_lib_t:s0

[cevich]

Oooooooohhh, that makes sense, I bet you're right. Trying now...

[cevich]

No love 😭

~ $ sudo setenforce 1
~ $ chcon -R -t container_var_lib_t .local/share/containers/storage/overlay*
~ $ podman run -it --rm registry.fedoraproject.org/fedora:latest true
true: error while loading shared libraries: libc.so.6: cannot change memory protections
~ [127] $ chcon -R -t container_var_lib_t .local/share/containers/storage
~ $ podman run -it --rm registry.fedoraproject.org/fedora:latest true
true: error while loading shared libraries: libc.so.6: cannot change memory protections
~ [127] $ ll -Z .local/share/containers/
total 0
drwx------. 10 cevich cevich unconfined_u:object_r:container_var_lib_t:s0 182 Jul 14 16:37 storage

I think you're onto something though (and it explains why we don't catch this in CI):

~ $ sudo rm -rf .local/share/containers/*
~ $ podman --storage-driver=vfs system reset

WARNING! This will remove:
        - all containers
        - all pods
        - all images
        - all build cache
Are you sure you want to continue? [y/N] y
~ $ podman --storage-driver=vfs run -it --rm registry.fedoraproject.org/fedora:latest
true
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob ca594071dfff done
Copying config abec9a7a7d done
Writing manifest to image destination
Storing signatures
~ $

Works fine.

[cevich]

The dma_heap stuff was fixed.

Was there an issue open on that? I'm seeing it reproduce on F33 in CI with fresh images.

[cevich]

Answer to my own question: the dma_heap problem is fixed by selinux-policy-3.14.6-39.fc33.

Still, I think the problem originally reported in this issue still stands. I'll confirm after updating and rebooting...

[cevich]

Tried again after fully updating, including kernel-5.12.15-200, selinux-policy-3.14.6-39, container-selinux-2.163.0-2.fc33, podman-3.1.2-2, and crun-0.19.1-3. Using a brand-new fresh local user account:

~ $ ssh testuser@localhost
Last login: Mon Jul 19 10:04:00 2021
[testuser@localhost ~]$ podman run -it --rm registry.fedoraproject.org/fedora:latest
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob ca594071dfff done
Copying config abec9a7a7d done
Writing manifest to image destination
Storing signatures
[root@8398ad761658 /]#
exit
[testuser@localhost ~]$

[metlos]

Seeing this exact issue with:

$ dnf info container-selinux      
Last metadata expiration check: 0:49:42 ago on Fri 05 Nov 2021 04:04:07 PM CET.
Installed Packages
Name         : container-selinux
Epoch        : 2
Version      : 2.170.0
Release      : 2.fc34
Architecture : noarch
Size         : 54 k
Source       : container-selinux-2.170.0-2.fc34.src.rpm
Repository   : @System
From repo    : updates
Summary      : SELinux policies for container runtimes
URL          : https://github.com/containers/container-selinux
License      : GPLv2
Description  : SELinux policy modules for use with container runtimes.

$ dnf info podman           
Last metadata expiration check: 0:49:48 ago on Fri 05 Nov 2021 04:04:07 PM CET.
Installed Packages
Name         : podman
Epoch        : 3
Version      : 3.4.1
Release      : 1.fc34
Architecture : x86_64
Size         : 48 M
Source       : podman-3.4.1-1.fc34.src.rpm
Repository   : @System
From repo    : updates
Summary      : Manage Pods, Containers and Container Images
URL          : https://podman.io/
License      : ASL 2.0
Description  : podman (Pod Manager) is a fully featured container engine that is a simple
             : daemonless tool.  podman provides a Docker-CLI comparable command line that
             : eases the transition from other container engines and allows the management of
             : pods, containers and images.  Simply put: alias docker=podman.
             : Most podman commands can be run as a regular user, without requiring
             : additional privileges.
             : 
             : podman uses Buildah(1) internally to create container images.
             : Both tools share image (not container) storage, hence each can use or
             : manipulate images (but not containers) created by the other.
             : 
             : Manage Pods, Containers and Container Images
             : podman Simple management tool for pods, containers and images

$ podman system reset          
WARNING! This will remove:
        - all containers
        - all pods
        - all images
        - all build cache
Are you sure you want to continue? [y/N] y 

$ podman info        
host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.30-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: '
  cpus: 12
  distribution:
    distribution: fedora
    variant: kde
    version: "34"
  eventLogger: journald
  hostname: lkrejci
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 14094
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 14094
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.15-200.fc34.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 20657979392
  memTotal: 33398673408
  ociRuntime:
    name: crun
    package: crun-1.2-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.2
      commit: 4f6c8e0583c679bfee6a899c05ac6b916022561b
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/14094/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc34.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 24m 39.73s
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/brq/lkrejci/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/brq/lkrejci/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/14094/containers
  volumePath: /home/brq/lkrejci/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.1
  Built: 1634740528
  BuiltTime: Wed Oct 20 16:35:28 2021
  GitCommit: ""
  GoVersion: go1.16.8
  OsArch: linux/amd64
  Version: 3.4.1

$ podman run -it --rm fedora:34
Resolved "fedora" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:34...
Getting image source signatures
Copying blob 628687cef581 done  
Copying config b6d7c551dc done  
Writing manifest to image destination
Storing signatures
/bin/bash: error while loading shared libraries: libc.so.6: cannot change memory protections

[rhatdan]

Have you checked SELinux?

[cevich]

Update: This problem has been observed recently in F35 as well. Though the ultimate cause is unknown at this time, the trouble comes from the same mechanism: Wrong SELinux type labels set on $HOME/.local/share/containers/storage/overlay* (or $HOME/.local/share/containers in general). Generally speaking, the overlay* sub-directories should be labeled with the container_ro_file_t type, with most/everything else being data_home_t.

You can use ls -Z to inspect the labels. If the labels are wrong they can be force reset using the (somewhat sledge-hammer) command: fixfiles restore $HOME/.local/share/containers. Or you can fuss with the labels in a more surgical fashion using restorecon or chcon (see man pages for details).

As for the root-cause, certainly things like tarball or backup restores from earlier Fedora versions, could easily be blamed.
Normally individual file/directory level label changes aren't logged anywhere, as it would place an extraordinary burden on the logging/audit subsystem. So unless you have an incredible level of oversight, it can be difficult to determine the exact cause for the incorrect labels.

[rhatdan]

This seems to be happening when containers-selinux package is updating, something is failing. Container-selinux is supposed to fix the labels in the homedir.

[cevich]

IIRC from a BZ, the update scriptlet ignores errors. There are also cases not covered (like a post-upgrade tar/backup resotre) or non-standard home directory locations. In other words, the scriptlet probably helps, but the underlying environment is still not fully defined (or definable), so it's still possible to encounter this 😢

[voor]

The fixfiles restore $HOME/.local/share/containers approach does not seem to fix this for me (Fedora 35), but temporarily turning off selinux does (which is not preferred).

[rhatdan]

What AVCs are you seeing?

[voor]

Oh, good recommendation on checking, it's not in my home directory.

type=AVC msg=audit(1639506739.708:694): avc:  denied  { read } for  pid=347671 comm="sh" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-2" ino=26215900 scontext=system_u:system_r:container_t:s0:c323,c965 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=0
type=AVC msg=audit(1639512933.058:730): avc:  denied  { read } for  pid=362060 comm="sh" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-2" ino=26215900 scontext=system_u:system_r:container_t:s0:c246,c292 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=0
type=AVC msg=audit(1639512971.696:737): avc:  denied  { read } for  pid=362402 comm="sh" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-2" ino=26215900 scontext=system_u:system_r:container_t:s0:c0,c638 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=0
type=AVC msg=audit(1639513588.974:747): avc:  denied  { read } for  pid=365077 comm="sh" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-2" ino=26215900 scontext=system_u:system_r:container_t:s0:c314,c895 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=0
type=AVC msg=audit(1639513776.462:759): avc:  denied  { read } for  pid=366100 comm="sh" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-2" ino=26215902 scontext=system_u:system_r:container_t:s0:c289,c515 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=0
type=AVC msg=audit(1639516809.924:778): avc:  denied  { read } for  pid=374735 comm="sh" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-2" ino=26215902 scontext=system_u:system_r:container_t:s0:c124,c208 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=0
type=AVC msg=audit(1639516827.902:794): avc:  denied  { read } for  pid=374953 comm="sh" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-2" ino=26215902 scontext=system_u:system_r:container_t:s0:c93,c282 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=1
type=AVC msg=audit(1639516828.603:795): avc:  denied  { read } for  pid=375097 comm="apt-config" path="/usr/lib/x86_64-linux-gnu/libapt-private.so.0.0.0" dev="dm-2" ino=26216668 scontext=system_u:system_r:container_t:s0:c93,c282 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=1
type=AVC msg=audit(1639569685.137:883): avc:  denied  { read } for  pid=459845 comm="sh" path="/lib/x86_64-linux-gnu/libc-2.27.so" dev="dm-2" ino=26215902 scontext=system_u:system_r:container_t:s0:c444,c738 tcontext=unconfined_u:object_r:container_file_t:s0:c70,c455 tclass=file permissive=0

Here is the sample containerfile:

FROM ubuntu:latest

RUN apt-get update -y >/dev/null && \
  apt-get install --no-install-recommends -y \
  reprepro && \
  rm -rf /var/lib/apt/lists/* /var/cache/debconf/*-old /etc/apt/sources.list.d/* /etc/apt/auth.conf.d/* /tmp/*

And just running:

podman build -t reprepro -f containerfile .

[cevich]

Dan will have a for-sure answer for you, but tcontext=unconfined_u:object_r:container_file_t looks almost right. My F34 ~/.local/share/containers/storage/overlay* directories are all container_ro_file_t but maybe that's expected.

[rhatdan]

Try restorecon -R -F $HOME/.local/share/containers

It looks like you relabeled the homedir ( $HOME/.local/share/containers) content while in a container.

[voor]

restorecon -R -F $HOME/.local/share/containers fixed it, thank you!

[ssbarnea]

I still get this error with Fedora 36, restorecon failed due to permissions errors but I used root to remove the entire containers folder and pull the image again. Still, even after this, it still fails.

Running the same command as root on the machine does work. Not sure what is broken but is broken even with 4.2.1.

[hubertlepicki]

@ssbarnea what I did was:

• update the system (no joy)
• reinstall podman (no joy)
• restorecon -R -F $HOME/.local/share/containers (no joy)
• rm -rf $HOME/.local/share/containers YAY THAT WORKED

[jwillikers]

I got a similar error when attempting to run a container from a brand new system user account on Fedora IoT 37. restorecon -R -F $HOME/.local/share/containers fixed this. Thanks!

[lsm5]

Guess this can be closed.

[lsm5]

err, maybe I closed too soon. @ssbarnea do you still see this with the latest podman v4.5.0 on fedora 37/38 ?

[mkeedlinger]

I'm on Fedora 38, Podman 4.5.0 and I no longer see this issue 🥳

[sndnr]

I'm on Fedora 38, podman 4.5.0:
I could see: "stderr_lines": ["/bin/sh: error while loading shared libraries: libc.so.6: cannot change memory protections"

But restorecon -RFv $HOME/.local/share/containers, solves.

[rhatdan]

Weird did container-selinux blow up during an install?