Upgrade from 1.23.1 to 1.24 requires extended SELinux permissions

[saschagrunert]

When upgrading crun to 1.24 within the SPO CI, then I get the following error on the Fedora 39 machine:

Sep 12 08:17:09 fedora crio[5196]: time="2025-09-12T08:17:09.854346878Z" level=error msg="Container creation error: systemd failed to install eBPF device filter on cgroup `/sys/fs/cgroup/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod13ca77474fb81b3c3d015919985171dc.slice/crio-ce72d38c8945299ae27c3e05a09da750684989fc22df53d0ce3e731dbd0bef95.scope`\n" id=e4c76c70-76c6-40c4-91f5-561a39db3d03 name=/runtime.v1.RuntimeService/CreateContainer

Caused by:

crun/src/libcrun/cgroup-systemd.c

Lines 1687 to 1688 in 6f0a3c5

	if (n_progs == 0)
	return crun_make_error (err, 0, "systemd failed to install eBPF device filter on cgroup `%s`", full_path);

Audit logging exposes the following issue:

type=AVC msg=audit(1757664843.839:14803): avc:  denied  { prog_run } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=bpf permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Means we would require an additional SELinux rule for that, like:

module my-mod 1.0;

require {
        type init_t;
        type container_runtime_t;
        class bpf prog_run;
}

#============= init_t ==============
allow init_t container_runtime_t:bpf prog_run;

Is this intentional?

Ref: #1865

cc @sohankunkerkar @ngopalak-redhat

[bitoku]

The eBPF device thingy is probably affecting cri-o CI too.
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/cri-o_cri-o/9405/pull-ci-cri-o-cri-o-main-ci-fedora-integration/1966518976225742848

[ericcurtin]

Effecting me too, Fedora 42:

$ sudo podman build -t bootc -f Containerfile-bootc-podman-machine
STEP 1/13: FROM quay.io/podman/machine-os:5.6
STEP 2/13: COPY dnf-install.sh dnf-install.sh
--> Using cache dc3ede48bb3dc211e15437a3624ecedf5cfd5c4d7a62158d59ed5c1caf6e182d
--> dc3ede48bb3d
STEP 3/13: RUN ./dnf-install.sh
error running container: from /usr/bin/crun creating container for [/bin/sh -c ./dnf-install.sh]: systemd failed to install eBPF device filter on cgroup `/sys/fs/cgroup/system.slice/crun-buildah-buildah2747092117.scope`
: exit status 1
ERRO[0000] did not get container create message from subprocess: EOF
Error: building at STEP "RUN ./dnf-install.sh": while running runtime: exit status 1

[sohankunkerkar]

This is a known regression. As you mentioned and also covered in containers/container-selinux#390 to address this issue. In short, updating to the latest container-selinux package should help.

[ericcurtin]

Updating just container-selinux or updating everything in Fedora 42 doesn't fix this for me:

sudo podman build -t bootc -f Containerfile-bootc-podman-machine
STEP 1/13: FROM quay.io/podman/machine-os:5.6
STEP 2/13: COPY dnf-install.sh dnf-install.sh
--> a4e848e668e0
STEP 3/13: RUN ./dnf-install.sh
error running container: setting file label on "/proc/self/fd/10": setxattr(label=system_u:object_r:container_file_t:s0:c596,c996) /proc/self/fd/10: permission denied
ERRO[0005] did not get container create message from subprocess: EOF
Error: building at STEP "RUN ./dnf-install.sh": while running runtime: exit status 1

[sohankunkerkar]

I think they’ll need to cut a minor release to include containers/container-selinux#405

[ericcurtin]

My 2 cents if this does fix it, they should cut a release fast, surprised it's not reported more, it completely breaks podman for me at least.