Closed
Labels: kind/bug (Categorizes issue or PR as related to a bug.), locked - please file new issue/PR (Assist humans wanting to comment on an old issue or PR with locked comments.)
Issue Description
I'm using Kinoite, distrobox and podman. I wanted to run a quick Ubuntu session with rootless podman, but got an SELinux error.
I've tried the solution in #11109 (comment) and https://github.com/containers/podman/blob/main/troubleshooting.md#11-changing-the-location-of-the-graphroot-leads-to-permission-denied, but neither worked.
Steps to reproduce the issue
- Disable enforcing mode:
  sudo setenforce 0
- Run:
  podman run --name buntu -it --rm ubuntu:24.04
  podman succeeds.
- Re-enable enforcing mode:
  sudo setenforce 1
  podman fails.
- Run semanage and restorecon as explained in https://github.com/containers/podman/blob/main/troubleshooting.md#11-changing-the-location-of-the-graphroot-leads-to-permission-denied:
  sudo semanage fcontext -a -e /var/lib/containers /var/home/scarf/.local/share/containers
  sudo restorecon -R -v /var/home/scarf/.local/share/containers/storage
- Still doesn't work.
Describe the results you received
error while loading shared libraries: /lib/x86_64-linux-gnu/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
$ sudo ausearch -m avc -ts recent
time->Sat Sep 6 14:39:07 2025
type=AVC msg=audit(1757137147.307:1285): avc: denied { read } for pid=63405 comm="bash" path="/usr/lib/x86_64-linux-gnu/libc.so.6" dev="nvme0n1p4" ino=35903413 scontext=system_u:system_r:container_t:s0:c3,c599 tcontext=unconfined_u:object_r:container_file_t:s0:c541,c727 tclass=file permissive=0
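The AVC record above is worth reading closely: the file is already labeled container_file_t, so a relabel with restorecon cannot change the outcome; what differs is the MCS level, the process holds categories c3,c599 while the file carries c541,c727. The following added example (not code from the issue or from the Podman project) parses `ausearch -m avc` lines and separates these two failure patterns: a wrong file type, which restorecon addresses, and a category mismatch, which it does not. The first sample line is the record from this report; the second is a constructed record with a user_home_t target; the verdict names (`type-mismatch`, `mcs-mismatch`) and the function names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Body of an AVC record as printed by `ausearch -m avc`:
#   avc: denied { read } for pid=... comm="bash" ... scontext=... tcontext=... tclass=file
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm="bash", path="/usr/...").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    stype: str
    # "s0" or "s0:c3,c599". Ranges such as "s0-s0:c0.c1023" are kept verbatim, not expanded.
    level: str

    @property
    def categories(self) -> frozenset:
        parts = self.level.split(':', 1)
        return frozenset(parts[1].split(',')) if len(parts) == 2 else frozenset()


def parse_context(ctx: str) -> Context:
    # user:role:type:level, where level itself may contain ':' (sensitivity:categories)
    user, role, stype, level = ctx.split(':', 3)
    return Context(user, role, stype, level)


def parse_avc(line: str) -> Optional[dict]:
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
        'scontext': parse_context(fields['scontext']),
        'tcontext': parse_context(fields['tcontext']),
    }


def classify(avc: dict) -> str:
    s, t = avc['scontext'], avc['tcontext']
    if s.stype != 'container_t':
        return 'not-a-container-denial'
    if t.stype != 'container_file_t':
        # File has the wrong type: semanage fcontext / restorecon territory.
        return 'type-mismatch'
    if not t.categories <= s.categories:
        # MCS: the process must hold every category the file carries. Here the
        # type is right but the file was labeled for a different container;
        # restorecon only resets the type and leaves these categories alone.
        return 'mcs-mismatch'
    return 'other'


def triage(lines):
    """Return (path, verdict) for every AVC denial found in the given lines."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc:
            out.append((avc['path'], classify(avc)))
    return out


# Record taken from this report.
REPORTED_AVC = (
    'type=AVC msg=audit(1757137147.307:1285): avc: denied { read } for pid=63405 comm="bash" '
    'path="/usr/lib/x86_64-linux-gnu/libc.so.6" dev="nvme0n1p4" ino=35903413 '
    'scontext=system_u:system_r:container_t:s0:c3,c599 '
    'tcontext=unconfined_u:object_r:container_file_t:s0:c541,c727 tclass=file permissive=0'
)
# Constructed record (not from the report): same process, file still labeled user_home_t.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1757137147.307:1286): avc: denied { read } for pid=63406 comm="bash" '
    'path="/home/scarf/.local/share/containers/storage/overlay/abc/merged/bin/bash" dev="nvme0n1p4" ino=1 '
    'scontext=system_u:system_r:container_t:s0:c3,c599 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)

if __name__ == '__main__':
    for path, verdict in triage([REPORTED_AVC, CONSTRUCTED_AVC]):
        print(f'{verdict:15} {path}')
```

Feed it `sudo ausearch -m avc -ts recent` output on stdin-split lines; a `mcs-mismatch` verdict points at the storage labels (compare `ls -Z` on the overlay layer against the container's own level) rather than at the file-type equivalence that semanage/restorecon set up.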
Describe the results you expected
Podman works with SELinux.
podman info output
```yaml
host:
  arch: amd64
  buildahVersion: 1.41.3
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc42.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 91.1
    systemPercent: 3.63
    userPercent: 5.27
  cpus: 12
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: kinoite
    version: "42"
  emulatedArchitectures:
  - linux/arm64
  - linux/arm64be
  eventLogger: journald
  freeLocks: 1974
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.16.3-200.fc42.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 4194021376
  memTotal: 32941666304
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.16.0-1.fc42.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.16.0
    package: netavark-1.16.1-1.fc42.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.16.1
  ociRuntime:
    name: crun
    package: crun-1.23.1-1.fc42.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.23.1
      commit: d20b23dba05e822b93b82f2f34fd5dada433e0c2
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250805.g309eefd-2.fc42.x86_64
    version: |
      pasta 0^20250805.g309eefd-2.fc42.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-2.fc42.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 42920632320
  swapTotal: 42949664768
  uptime: 2h 15m 39.00s (Approximately 0.08 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/scarf/.config/containers/storage.conf
  containerStore:
    number: 32
    paused: 0
    running: 0
    stopped: 32
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/scarf/.local/share/containers/storage
  graphRootAllocated: 1099511627776
  graphRootUsed: 369708998656
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 24
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/scarf/.local/share/containers/storage/volumes
version:
  APIVersion: 5.6.0
  BuildOrigin: Fedora Project
  Built: 1755216000
  BuiltTime: Fri Aug 15 09:00:00 2025
  GitCommit: da671ef6cfa3fc9ac6225c18f1dd0a70a951e43f
  GoVersion: go1.24.6
  Os: linux
  OsArch: linux/amd64
  Version: 5.6.0
```
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
On Fedora Kinoite 42. distrobox works as intended.
Additional information