
Unable to create a container OCI permission denied - error mounting "/home/username/.local/share/containers/storage/volumes/somelongID/_data" to rootfs at "/sys/fs/selinux" #24494

Open
ks1855 opened this issue Nov 7, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@ks1855

ks1855 commented Nov 7, 2024

Issue Description

Hello,

I created an image on a Fedora 40 workstation using distrobox (with podman). I saved the image to a .tar file using the podman save command.

Now, I am trying to load the image and run the container on EndeavourOS, but I'm getting an OCI permission denied error.

Steps to reproduce the issue

PLEASE NOTE: This issue might not be easily reproduced but these are steps I followed.

Steps:

  1. Create image using distrobox (with podman) on Fedora 40
  2. Save image to disk using podman save image > image.tar
  3. Load image on EndeavourOS using podman load -i <image_name>

Describe the results you received

Error: unable to start container "1ff3f94bbcec42995cebda25cadb927430ba85c6aba5f2607b1c523cd7d3b6cf": runc: runc create failed: unable to start container process: error during container init: error mounting "/home/myuser/.local/share/containers/storage/volumes/b56ec40f76ee4754401372affd9064a194056f6e3b64fca5306caf090145d729/_data" to rootfs at "/sys/fs/selinux": create mountpoint for /sys/fs/selinux mount: mkdirat /home/myuser/.local/share/containers/storage/overlay/491486ce3d53e44cf9e0843aaaa261b4fc4c2e8a8be76c63eb9e66f1691e2a89/merged/sys/fs/selinux: permission denied: OCI permission denied

Describe the results you expected

I should be able to run the container when I run the command podman run <image_name> OR distrobox enter <image_name>.

podman info output

host:
  arch: amd64
  buildahVersion: 1.37.5
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-1:2.1.12-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: e8896631295ccb0bfdda4284f1751be19b483264'
  cpuUtilization:
    idlePercent: 91.98
    systemPercent: 3.54
    userPercent: 4.49
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: endeavouros
    version: unknown
  eventLogger: journald
  freeLocks: 2011
  hostname: alienware
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.6.59-1-lts
  linkmode: dynamic
  logDriver: journald
  memFree: 857059328
  memTotal: 33524842496
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.13.0
    package: netavark-1.13.0-1
    path: /usr/lib/podman/netavark
    version: netavark 1.13.0
  ociRuntime:
    name: runc
    package: runc-1.2.1-1
    path: /usr/bin/runc
    version: |-
      runc version 1.2.1
      spec: 1.2.0
      go: go1.23.2
      libseccomp: 2.5.5
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-2024_10_30.ee7d0b6-1
    version: |
      pasta 2024_10_30.ee7d0b6
      Copyright Red Hat
      GNU General Public License, version 2 or later
      https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 1h 3m 9.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/myuser/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/myuser/.local/share/containers/storage
  graphRootAllocated: 732929458176
  graphRootUsed: 33608515584
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/myuser/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.5
  Built: 1729537320
  BuiltTime: Tue Oct 22 00:32:00 2024
  GitCommit: 10c5aa7
  GoVersion: go1.23.2
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.5

PLEASE NOTE: I also used crun container runtime and I am still unable to get the container to run.

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

I do not have physical access to the machine I created the image on in order to get the podman version/info details from that machine. I created the image on a desktop PC running Fedora 40. I am trying to load and use that image on a laptop running EndeavourOS Neo.

@ks1855 ks1855 added the kind/bug Categorizes issue or PR as related to a bug. label Nov 7, 2024
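Two checks worth running on the EndeavourOS host before chasing the runtime, as an added editor's example that is not part of the issue or of podman's own code: pull the host-side source and the in-container target out of the runc error, and see whether the image itself declares a volume under /sys, /proc or /dev. The sample error string and volume list below are constructed from the report (with the IDs shortened), and IMAGE in the trailing comments is a placeholder.

```shell
#!/bin/sh
# Editor's added triage helpers for the "create mountpoint for /sys/fs/selinux"
# failure in the report above; this is not code from the issue or from podman.
# The error string and the volume list below are constructed samples shaped
# like what podman prints, and IMAGE in the comments is a placeholder.

# Pull the in-container mount target out of a runc/crun
# 'error mounting "<src>" to rootfs at "<dst>"' message.
mount_target_from_error() {
    printf '%s\n' "$1" | sed -n 's/.* to rootfs at "\([^"]*\)".*/\1/p'
}

# Pull the host-side source path out of the same message.
mount_source_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*error mounting "\([^"]*\)" to rootfs at .*/\1/p'
}

# Read one volume target per line (from $1, or stdin when no argument is given)
# and keep those under a kernel pseudo-filesystem. The report shows the runtime
# failing at mkdirat while creating the mountpoint for a podman volume inside
# the rootfs; an image VOLUME entry pointing into /sys, /proc or /dev is one way
# such a mount gets requested, so this is a cheap thing to rule in or out.
pseudo_fs_volumes() {
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi |
        grep -E '^/(sys|proc|dev)(/|$)' || true
}

# Constructed sample: the message from the report with the long IDs shortened.
SAMPLE_ERROR='Error: unable to start container "1ff3f94b": runc: runc create failed: unable to start container process: error during container init: error mounting "/home/myuser/.local/share/containers/storage/volumes/b56ec40f/_data" to rootfs at "/sys/fs/selinux": create mountpoint for /sys/fs/selinux mount: mkdirat /home/myuser/.local/share/containers/storage/overlay/491486ce/merged/sys/fs/selinux: permission denied: OCI permission denied'

# Constructed sample: two volume targets as an image config could declare them.
SAMPLE_VOLUMES='/sys/fs/selinux
/var/lib/data'

echo "mount target: $(mount_target_from_error "$SAMPLE_ERROR")"
echo "mount source: $(mount_source_from_error "$SAMPLE_ERROR")"
echo "image volumes under a pseudo-filesystem:"
pseudo_fs_volumes "$SAMPLE_VOLUMES"

# On a host with podman, run the same check against the real image, then try
# starting it with image-declared volumes left out:
#   podman image inspect \
#     --format '{{range $k, $v := .Config.Volumes}}{{$k}}{{"\n"}}{{end}}' IMAGE \
#     | pseudo_fs_volumes
#   podman run --rm --image-volume ignore IMAGE
```

If the real image lists a target under /sys, that volume was baked into the image on the Fedora side and travels with the tar; `--image-volume ignore` only tells whether the declared volume is the trigger, it is not a fix for the image.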
@rhatdan
Member

rhatdan commented Nov 7, 2024

Do you see any AVC messages in /var/log/audit/audit.log?
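A way to answer that question on the host, added here as an editor's example (not the maintainer's or podman's code): filter audit records for AVC denials and summarise who was denied what on which object. The audit lines below are constructed samples in the shape auditd writes; the contexts and PIDs in them are made up.

```shell
#!/bin/sh
# Editor's added example for the AVC question above; not code from the issue
# or from podman. The audit records below are constructed samples in the
# shape auditd writes to /var/log/audit/audit.log.

# Print one summary line per AVC denial in the input ($1, or stdin when no
# argument is given): "<comm> denied { <perms> } on <tclass> <name>".
avc_denials() {
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi |
        grep -E '^type=AVC .*avc: +denied' |
        sed -n 's/.*denied *{ \([^}]*\) } .*comm="\([^"]*\)".*name="\([^"]*\)".*tclass=\([a-z_]*\).*/\2 denied { \1 } on \4 \3/p'
}

# Number of denials, for a quick "is SELinux involved at all" answer.
avc_denial_count() {
    avc_denials "$@" | grep -c . || true
}

# Constructed sample: a failed mkdirat (syscall 258 on x86_64, exit -13 is
# EACCES) by runc, the two AVC records that would accompany it, and an
# unrelated USER_AVC record that must be ignored.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1730980000.100:200): arch=c000003e syscall=258 success=no exit=-13 comm="runc" exe="/usr/bin/runc"
type=AVC msg=audit(1730980000.100:200): avc:  denied  { create } for  pid=4242 comm="runc" name="selinux" scontext=unconfined_u:unconfined_r:container_runtime_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1730980000.200:201): avc:  denied  { write } for  pid=4242 comm="runc" name="merged" scontext=unconfined_u:unconfined_r:container_runtime_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(1730980000.300:202): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=avc: received policyload notice (seqno=3)'

echo "denials: $(avc_denial_count "$SAMPLE_AUDIT")"
avc_denials "$SAMPLE_AUDIT"

# On the real host (reading the audit log normally needs root):
#   ausearch -m avc -ts recent
#   avc_denials < /var/log/audit/audit.log
# The podman info in the report says selinuxEnabled: false for this host, so
# an empty result there is consistent with that; getenforce confirms it.
```

The USER_AVC record is deliberately in the sample: it is not a denial, and a grep for the bare word "avc" would count it.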
