[Installation]: Can't build arm container image with podman without a SELinux relabel of bind mounts #12734

Open
kush-gupt opened this issue Feb 4, 2025 · 7 comments
Labels
installation Installation problems

@kush-gupt

Your current environment

INFO 02-04 09:52:35 __init__.py:186] Automatically detected platform cpu.
Collecting environment information...
PyTorch version: 2.5.1
Is debug build: False
CUDA used to build PyTorch: None
ROCM used to build PyTorch: N/A

OS: macOS 15.3 (arm64)
GCC version: Could not collect
Clang version: 16.0.0 (clang-1600.0.26.6)
CMake version: version 3.31.5
Libc version: N/A

Python version: 3.12.8 (main, Dec  3 2024, 18:42:41) [Clang 16.0.0 (clang-1600.0.26.4)] (64-bit runtime)
Python platform: macOS-15.3-arm64-arm-64bit
Is CUDA available: False
CUDA runtime version: No CUDA
CUDA_MODULE_LOADING set to: N/A
GPU models and configuration: No CUDA
Nvidia driver version: No CUDA
cuDNN version: No CUDA
HIP runtime version: N/A
MIOpen runtime version: N/A
Is XNNPACK available: True

CPU:
Apple M3 Pro

Versions of relevant libraries:
[pip3] numpy==1.26.4
[pip3] pyzmq==26.2.1
[pip3] torch==2.5.1
[pip3] torchaudio==2.5.1
[pip3] torchvision==0.20.1
[pip3] transformers==4.48.2
[conda] Could not collect
ROCM Version: Could not collect
Neuron SDK Version: N/A
vLLM Version: 0.1.dev4414+g73b35cc (git sha: 73b35cc
vLLM Build Flags:
CUDA Archs: Not Set; ROCm: Disabled; Neuron: Disabled
GPU Topology:
Could not collect

NCCL_CUMEM_ENABLE=0
TORCHINDUCTOR_COMPILE_THREADS=1

The error from building the arm Dockerfile using the Apple silicon CPU docs:

$ podman build -f Dockerfile.arm -t vllm-cpu-env --shm-size=4g .
[1/2] STEP 1/11: FROM ubuntu:22.04 AS cpu-test-arm
[1/2] STEP 2/11: ENV CCACHE_DIR=/root/.cache/ccache
--> Using cache 4d40deac2788649aed506d7e1fad511222469a4bb7556aa9f77a860a6e61e6b8
--> 4d40deac2788
[1/2] STEP 3/11: ENV CMAKE_CXX_COMPILER_LAUNCHER=ccache
--> Using cache 04eebc61ec556ca6b6bcf651bed6de74c971a3a7d5dac8ea6361cee25c1a9b26
--> 04eebc61ec55
[1/2] STEP 4/11: RUN --mount=type=cache,target=/var/cache/apt     apt-get update -y     && apt-get install -y curl ccache git wget vim numactl gcc-12 g++-12 python3 python3-pip libtcmalloc-minimal4 libnuma-dev     && apt-get install -y ffmpeg libsm6 libxext6 libgl1     && update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 10 --slave /usr/bin/g++ g++ /usr/bin/g++-12
--> Using cache 8601a22d3c4467d9c89ed9f1b411163b752460a774dbeeb714210a90127022d3
--> 8601a22d3c44
[1/2] STEP 5/11: RUN --mount=type=cache,target=/root/.cache/pip     pip install py-cpuinfo  # Use this to gather CPU info and optimize based on ARM Neoverse cores
--> Using cache 2b853d593af968a1702c270c0ce236e427d8587dc9789c1c8d33594f8e3d6926
--> 2b853d593af9
[1/2] STEP 6/11: ENV LD_PRELOAD="/usr/lib/aarch64-linux-gnu/libtcmalloc_minimal.so.4"
--> Using cache ee27522b84d57809541a432d0aaf48894a37ac4a7cfd6da1df053adbd6aa41b0
--> ee27522b84d5
[1/2] STEP 7/11: RUN echo 'ulimit -c 0' >> ~/.bashrc
--> Using cache 4e7b7a5b864c26754a789140a8241440d9ea1f5178a944253ec457da7f7b2e17
--> 4e7b7a5b864c
[1/2] STEP 8/11: WORKDIR /workspace
--> Using cache 16f5ac2b003320665a945ea7fb00a904360f48ae07b4ca4ec4cbde09c67a8600
--> 16f5ac2b0033
[1/2] STEP 9/11: ARG PIP_EXTRA_INDEX_URL="https://download.pytorch.org/whl/cpu"
--> Using cache 08b53544af9c8eba8d5b49bf0c1d8766081e2dbe5bc48c0ee72e86bf6ec87faa
--> 08b53544af9c
[1/2] STEP 10/11: ENV PIP_EXTRA_INDEX_URL=${PIP_EXTRA_INDEX_URL}
--> Using cache 3c7ecb501a071db327daf6de056effe864805758901a15d730edef805fc63660
--> 3c7ecb501a07
[1/2] STEP 11/11: RUN --mount=type=cache,target=/root/.cache/pip     --mount=type=bind,src=requirements-build.txt,target=requirements-build.txt     pip install --upgrade pip &&     pip install -r requirements-build.txt
Looking in indexes: https://pypi.org/simple, https://download.pytorch.org/whl/cpu
Requirement already satisfied: pip in /usr/lib/python3/dist-packages (22.0.2)
Collecting pip
  Using cached pip-25.0-py3-none-any.whl (1.8 MB)
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 22.0.2
    Not uninstalling pip at /usr/lib/python3/dist-packages, outside environment /usr
    Can't uninstall 'pip'. No files were found to uninstall.
Successfully installed pip-25.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
ERROR: Could not open requirements file: [Errno 13] Permission denied: 'requirements-build.txt'
Error: building at STEP "RUN --mount=type=cache,target=/root/.cache/pip --mount=type=bind,src=requirements-build.txt,target=requirements-build.txt pip install --upgrade pip &&     pip install -r requirements-build.txt": while running runtime: exit status 1

Workaround is to use a Containerfile.arm that mirrors Dockerfile.arm except for adding a relabel=private to each bind mount to ensure compatibility with SELinux:

Containerfile.arm

# This vLLM Containerfile is used to construct an image that can build and run vLLM on ARM CPU platform.

FROM ubuntu:22.04 AS cpu-test-arm

ENV CCACHE_DIR=/root/.cache/ccache

ENV CMAKE_CXX_COMPILER_LAUNCHER=ccache

RUN --mount=type=cache,target=/var/cache/apt \
    apt-get update -y \
    && apt-get install -y curl ccache git wget vim numactl gcc-12 g++-12 python3 python3-pip libtcmalloc-minimal4 libnuma-dev \
    && apt-get install -y ffmpeg libsm6 libxext6 libgl1 \
    && update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 10 --slave /usr/bin/g++ g++ /usr/bin/g++-12

# tcmalloc provides better memory allocation efficiency, e.g., holding memory in caches to speed up access of commonly-used objects.
RUN --mount=type=cache,target=/root/.cache/pip \
    pip install py-cpuinfo  # Use this to gather CPU info and optimize based on ARM Neoverse cores

# Set LD_PRELOAD for tcmalloc on ARM
ENV LD_PRELOAD="/usr/lib/aarch64-linux-gnu/libtcmalloc_minimal.so.4"

RUN echo 'ulimit -c 0' >> ~/.bashrc

WORKDIR /workspace

ARG PIP_EXTRA_INDEX_URL="https://download.pytorch.org/whl/cpu"
ENV PIP_EXTRA_INDEX_URL=${PIP_EXTRA_INDEX_URL}
RUN --mount=type=cache,target=/root/.cache/pip \
    --mount=type=bind,src=requirements-build.txt,target=requirements-build.txt,relabel=private \
    pip install --upgrade pip && \
    pip install -r requirements-build.txt

FROM cpu-test-arm AS build

WORKDIR /workspace/vllm

RUN --mount=type=cache,target=/root/.cache/pip \
    --mount=type=bind,src=requirements-common.txt,target=requirements-common.txt,relabel=private \
    --mount=type=bind,src=requirements-cpu.txt,target=requirements-cpu.txt,relabel=private \
    pip install -v -r requirements-cpu.txt

COPY . .
ARG GIT_REPO_CHECK=0
RUN --mount=type=bind,source=.git,target=.git,relabel=private \
    if [ "$GIT_REPO_CHECK" != 0 ]; then bash tools/check_repo.sh ; fi

# Disabling AVX512 specific optimizations for ARM
ARG VLLM_CPU_DISABLE_AVX512="true"
ENV VLLM_CPU_DISABLE_AVX512=${VLLM_CPU_DISABLE_AVX512}

RUN --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/root/.cache/ccache \
    --mount=type=bind,source=.git,target=.git,relabel=private \
    VLLM_TARGET_DEVICE=cpu python3 setup.py bdist_wheel && \
    pip install dist/*.whl && \
    rm -rf dist

WORKDIR /workspace/

RUN ln -s /workspace/vllm/tests && ln -s /workspace/vllm/examples && ln -s /workspace/vllm/benchmarks

ENTRYPOINT ["python3", "-m", "vllm.entrypoints.openai.api_server"]

And this builds:

$ podman build -f Containerfile.arm -t vllm-cpu-env --shm-size=4g .
[1/2] STEP 1/11: FROM ubuntu:22.04 AS cpu-test-arm
[1/2] STEP 2/11: ENV CCACHE_DIR=/root/.cache/ccache
--> Using cache 4d40deac2788649aed506d7e1fad511222469a4bb7556aa9f77a860a6e61e6b8
--> 4d40deac2788
[1/2] STEP 3/11: ENV CMAKE_CXX_COMPILER_LAUNCHER=ccache
--> Using cache 04eebc61ec556ca6b6bcf651bed6de74c971a3a7d5dac8ea6361cee25c1a9b26
--> 04eebc61ec55
[1/2] STEP 4/11: RUN --mount=type=cache,target=/var/cache/apt     apt-get update -y     && apt-get install -y curl ccache git wget vim numactl gcc-12 g++-12 python3 python3-pip libtcmalloc-minimal4 libnuma-dev     && apt-get install -y ffmpeg libsm6 libxext6 libgl1     && update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 10 --slave /usr/bin/g++ g++ /usr/bin/g++-12
--> Using cache 8601a22d3c4467d9c89ed9f1b411163b752460a774dbeeb714210a90127022d3
--> 8601a22d3c44
[1/2] STEP 5/11: RUN --mount=type=cache,target=/root/.cache/pip     pip install py-cpuinfo  # Use this to gather CPU info and optimize based on ARM Neoverse cores
--> Using cache 2b853d593af968a1702c270c0ce236e427d8587dc9789c1c8d33594f8e3d6926
--> 2b853d593af9
[1/2] STEP 6/11: ENV LD_PRELOAD="/usr/lib/aarch64-linux-gnu/libtcmalloc_minimal.so.4"
--> Using cache ee27522b84d57809541a432d0aaf48894a37ac4a7cfd6da1df053adbd6aa41b0
--> ee27522b84d5
[1/2] STEP 7/11: RUN echo 'ulimit -c 0' >> ~/.bashrc
--> Using cache 4e7b7a5b864c26754a789140a8241440d9ea1f5178a944253ec457da7f7b2e17
--> 4e7b7a5b864c
[1/2] STEP 8/11: WORKDIR /workspace
--> Using cache 16f5ac2b003320665a945ea7fb00a904360f48ae07b4ca4ec4cbde09c67a8600
--> 16f5ac2b0033
[1/2] STEP 9/11: ARG PIP_EXTRA_INDEX_URL="https://download.pytorch.org/whl/cpu"
--> Using cache 08b53544af9c8eba8d5b49bf0c1d8766081e2dbe5bc48c0ee72e86bf6ec87faa
--> 08b53544af9c
[1/2] STEP 10/11: ENV PIP_EXTRA_INDEX_URL=${PIP_EXTRA_INDEX_URL}
--> Using cache 3c7ecb501a071db327daf6de056effe864805758901a15d730edef805fc63660
--> 3c7ecb501a07
[1/2] STEP 11/11: RUN --mount=type=cache,target=/root/.cache/pip     --mount=type=bind,src=requirements-build.txt,target=requirements-build.txt,relabel=private     pip install --upgrade pip &&     pip install -r requirements-build.txt
--> Using cache 1664b27e157ad25fd5005ad51300503ccedeecb908ae5835b2920a0a3311cbe4
--> 1664b27e157a
[2/2] STEP 1/12: FROM 1664b27e157ad25fd5005ad51300503ccedeecb908ae5835b2920a0a3311cbe4 AS build
[2/2] STEP 2/12: WORKDIR /workspace/vllm
--> Using cache 6c662a88473818cb35454b6147344adebfe15a04f897166e197161cead33d9c7
--> 6c662a884738
[2/2] STEP 3/12: RUN --mount=type=cache,target=/root/.cache/pip     --mount=type=bind,src=requirements-common.txt,target=requirements-common.txt,relabel=private     --mount=type=bind,src=requirements-cpu.txt,target=requirements-cpu.txt,relabel=private     pip install -v -r requirements-cpu.txt
--> Using cache 27d5a73057e38f4ebce7f6cf1fbd8ff58d2730818fa4955a948567307c2f57a7
--> 27d5a73057e3
[2/2] STEP 4/12: COPY . .
--> Using cache 4f69b409b0affd87ec3d50067120f767cc1ede7ae260034afee709d83b2bfc48
--> 4f69b409b0af
[2/2] STEP 5/12: ARG GIT_REPO_CHECK=0
--> Using cache afcfc6ee24f8a898babbefb7b6b3571ce7ae814219d72095eabf5fe9be200d31
--> afcfc6ee24f8
[2/2] STEP 6/12: RUN --mount=type=bind,source=.git,target=.git,relabel=private     if [ "$GIT_REPO_CHECK" != 0 ]; then bash tools/check_repo.sh ; fi
--> Using cache 198c385333b6fcaef590002c00fcb3c0eb300d037a465a67233336a2ad926c99
--> 198c385333b6
[2/2] STEP 7/12: ARG VLLM_CPU_DISABLE_AVX512="true"
--> Using cache 1bcf07e04d8649f8e6e1ddafed2a81009eefe58f7ecda366f863bca5a89f75f5
--> 1bcf07e04d86
[2/2] STEP 8/12: ENV VLLM_CPU_DISABLE_AVX512=${VLLM_CPU_DISABLE_AVX512}
--> Using cache 3b411d31e7b1886cafa51c6f328568b49513d8ad11e4525a44e05323012716ff
--> 3b411d31e7b1
[2/2] STEP 9/12: RUN --mount=type=cache,target=/root/.cache/pip     --mount=type=cache,target=/root/.cache/ccache     --mount=type=bind,source=.git,target=.git,relabel=private     VLLM_TARGET_DEVICE=cpu python3 setup.py bdist_wheel &&     pip install dist/*.whl &&     rm -rf dist
--> Using cache 480d73fed77434fb492c09fd7b1f9aaebdfcb71a253dc9cabf9670a0929c9d9d
--> 480d73fed774
[2/2] STEP 10/12: WORKDIR /workspace/
--> Using cache 2aed010cd23d5fcf755505ac06a558a2c25baeb8bba2faf063abf74e124acef9
--> 2aed010cd23d
[2/2] STEP 11/12: RUN ln -s /workspace/vllm/tests && ln -s /workspace/vllm/examples && ln -s /workspace/vllm/benchmarks
--> Using cache bc1acf69e043d84626af7ca7ded7ab5ebaaebc64e214eaf2224a65d36030cdc0
--> bc1acf69e043
[2/2] STEP 12/12: ENTRYPOINT ["python3", "-m", "vllm.entrypoints.openai.api_server"]
--> Using cache 01c4b9cee27e9946dd431b6360341be670b2054a9b0092690c87b541af16164f
[2/2] COMMIT vllm-cpu-env
--> 01c4b9cee27e
Successfully tagged localhost/vllm-cpu-env:latest
01c4b9cee27e9946dd431b6360341be670b2054a9b0092690c87b541af16164f

I can submit a PR to add that Containerfile, but that may not be the best long term solution so open to any thoughts!

How you are installing vllm

git clone https://github.com/vllm-project/vllm.git
cd vllm
uv venv myenv --python 3.12 --seed
source myenv/bin/activate
pip install -r requirements-cpu.txt
pip install -e . 
podman build -f Dockerfile.arm -t vllm-cpu-env --shm-size=4g .

Before submitting a new issue...

  • Make sure you already searched for relevant issues, and asked the chatbot living at the bottom right corner of the documentation page, which can answer lots of frequently asked questions.
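
A check for the workaround described in this issue, as an added example that is not part of the original post or of the vLLM repository: it lists every `RUN --mount=type=bind` in a Containerfile that lacks the `relabel` option. The function names and the sample file are constructed for illustration, and `relabel` is the only option it looks for because that is the one the issue uses.

```python
# Constructed sample: RUN steps modelled on those quoted in the issue, with the
# relabel option deliberately left off two of the bind mounts.
SAMPLE = r"""FROM ubuntu:22.04 AS cpu-test-arm
RUN --mount=type=cache,target=/root/.cache/pip \
    --mount=type=bind,src=requirements-build.txt,target=requirements-build.txt \
    pip install --upgrade pip && \
    pip install -r requirements-build.txt
# a full-line comment between instructions
RUN --mount=type=cache,target=/root/.cache/pip \
    --mount=type=bind,src=requirements-common.txt,target=requirements-common.txt,relabel=private \
    --mount=type=bind,src=requirements-cpu.txt,target=requirements-cpu.txt \
    pip install -v -r requirements-cpu.txt
RUN --mount=type=bind,source=.git,target=.git,relabel=private \
    if [ "$GIT_REPO_CHECK" != 0 ]; then bash tools/check_repo.sh ; fi
"""

# Mount option that requests an SELinux relabel; the one used in the issue.
RELABEL_KEYS = {"relabel"}


def logical_instructions(text):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and full-line comment lines carry no instruction text
        if start is None:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continued instruction
        yield start, " ".join(buf)


def parse_mount(spec):
    """Turn the value of one --mount= flag into a dict; bare flags map to True."""
    options = {}
    for field in spec.split(","):
        key, sep, value = field.partition("=")
        options[key.strip().lower()] = value if sep else True
    return options


def unlabeled_bind_mounts(text):
    """Return (line, source, target) for each bind mount without a relabel option."""
    findings = []
    for number, instruction in logical_instructions(text):
        words = instruction.split()
        if not words or words[0].upper() != "RUN":
            continue
        for word in words[1:]:
            if not word.startswith("--"):
                break  # RUN flags end where the shell command starts
            if not word.startswith("--mount="):
                continue
            opts = parse_mount(word[len("--mount="):])
            # Assumption: a mount with no type= is a bind mount, following the
            # Dockerfile syntax default.
            if opts.get("type", "bind") != "bind":
                continue
            if RELABEL_KEYS.isdisjoint(opts):
                source = opts.get("src") or opts.get("source") or "."
                target = (opts.get("target") or opts.get("dst")
                          or opts.get("destination"))
                findings.append((number, source, target))
    return findings


if __name__ == "__main__":
    for line, source, target in unlabeled_bind_mounts(SAMPLE):
        print(f"line {line}: bind mount {source} -> {target} has no relabel option")
```

The reported line number is the line on which the `RUN` instruction starts, not the continuation line that holds the mount.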

rhatdan commented Feb 4, 2025

You can do

podman build --security-opt label=disable ...

What AVC's are you seeing? I have a feeling it is something to do with one of the cache or mount types.

sudo ausearch -m avc
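
One way to triage `ausearch -m avc` output before reading it, as an added example that is not part of this thread: it collapses repeated denials into counts and pulls out those whose source domain is a container domain. The sample records are constructed, and treating types that begin with `container_` as container domains is an assumption about the host policy.

```python
import re
from collections import Counter

# Constructed records in the layout `ausearch -m avc` prints; the pids, inodes,
# audit ids and the container denial itself are invented for illustration.
SAMPLE = """\
----
time->Tue Feb  4 09:40:01 2025
type=AVC msg=audit(1738690801.100:901): avc:  denied  { read } for  pid=4101 comm="chronyd" name="localtime" dev="vda4" ino=100 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 09:40:01 2025
type=AVC msg=audit(1738690801.100:902): avc:  denied  { read } for  pid=4101 comm="chronyd" name="localtime" dev="vda4" ino=100 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 09:40:02 2025
type=AVC msg=audit(1738690802.200:903): avc:  denied  { read } for  pid=4101 comm="chronyd" name="localtime" dev="vda4" ino=100 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 09:41:10 2025
type=AVC msg=audit(1738690870.300:910): avc:  denied  { read } for  pid=4200 comm="sshd" name="localtime" dev="vda4" ino=100 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 09:52:40 2025
type=AVC msg=audit(1738691560.400:950): avc:  denied  { read open } for  pid=5200 comm="pip" name="requirements-build.txt" dev="vda4" ino=200 scontext=system_u:system_r:container_t:s0:c12,c345 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: confined containers run in a domain whose type starts with
# "container_" (container_t under the container-selinux policy).
CONTAINER_PREFIX = "container_"


def selinux_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(text):
    """Parse every AVC denial line into a dict; other lines are ignored."""
    records = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # separators, time-> lines and non-AVC records
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
        records.append({
            "perms": tuple(match.group(1).split()),
            "comm": fields.get("comm", "?"),
            "name": fields.get("name", fields.get("path", "?")),
            "source": selinux_type(fields.get("scontext", "")),
            "target": selinux_type(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", "?"),
            "permissive": fields.get("permissive") == "1",
        })
    return records


def summarize(records):
    """Count identical denials so a repeated one appears once with its total."""
    return Counter(
        (r["source"], r["comm"], r["perms"], r["target"], r["tclass"], r["name"])
        for r in records
    )


def container_denials(records):
    """Keep only denials raised against a process in a container domain."""
    return [r for r in records if r["source"].startswith(CONTAINER_PREFIX)]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE)
    for (source, comm, perms, target, tclass, name), count in summarize(recs).most_common():
        print(f"{count:4d}  {source} ({comm}) {{{' '.join(perms)}}} "
              f"{target}:{tclass} name={name}")
    print("container-domain denials:", len(container_denials(recs)))
```

On a real host the input would be the saved output of `sudo ausearch -m avc`, passed to `parse_avc` as a string.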

@kush-gupt

Dumping the AVC's from today below:

type=AVC msg=audit(1738678854.045:270): avc:  denied  { read } for  pid=1039 comm="chronyd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:44:27 2025
type=AVC msg=audit(1738680267.417:285): avc:  denied  { read } for  pid=4837 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:45:36 2025
type=AVC msg=audit(1738680336.463:366): avc:  denied  { read } for  pid=5963 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:47:09 2025
type=AVC msg=audit(1738680429.458:435): avc:  denied  { read } for  pid=7303 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:47:47 2025
type=AVC msg=audit(1738680467.539:454): avc:  denied  { read } for  pid=7583 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:48:27 2025
type=AVC msg=audit(1738680507.011:540): avc:  denied  { read } for  pid=8684 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:48:31 2025
type=AVC msg=audit(1738680511.456:560): avc:  denied  { read } for  pid=8692 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:48:42 2025
type=AVC msg=audit(1738680522.059:579): avc:  denied  { read } for  pid=8722 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:49:13 2025
type=AVC msg=audit(1738680553.754:598): avc:  denied  { read } for  pid=8812 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:50:34 2025
type=AVC msg=audit(1738680634.377:686): avc:  denied  { read } for  pid=16835 comm="pip" name="requirements-build.txt" dev="vda4" ino=144775105 scontext=system_u:system_r:container_t:s0:c377,c666 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Tue Feb  4 06:53:28 2025
type=AVC msg=audit(1738680808.549:708): avc:  denied  { read } for  pid=17365 comm="polkitd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:53:28 2025
type=AVC msg=audit(1738680808.551:709): avc:  denied  { read } for  pid=17365 comm="polkitd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:53:28 2025
type=AVC msg=audit(1738680808.551:710): avc:  denied  { read } for  pid=17365 comm="polkitd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:53:28 2025
type=AVC msg=audit(1738680808.552:711): avc:  denied  { read } for  pid=17365 comm="polkitd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:53:28 2025
type=AVC msg=audit(1738680808.552:712): avc:  denied  { read } for  pid=17365 comm="polkitd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:57:26 2025
type=AVC msg=audit(1738681046.696:723): avc:  denied  { read } for  pid=17935 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:57:34 2025
type=AVC msg=audit(1738681054.216:743): avc:  denied  { read } for  pid=18175 comm="pip" name="requirements-build.txt" dev="vda4" ino=186672253 scontext=system_u:system_r:container_t:s0:c4,c967 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=0
----
time->Tue Feb  4 07:02:15 2025
type=AVC msg=audit(1738681335.707:768): avc:  denied  { read } for  pid=18922 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 07:03:52 2025
type=AVC msg=audit(1738681432.957:905): avc:  denied  { read } for  pid=21284 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 08:10:21 2025
type=AVC msg=audit(1738685421.589:932): avc:  denied  { read } for  pid=30824 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 08:10:21 2025
type=AVC msg=audit(1738685421.624:940): avc:  denied  { read } for  pid=30824 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 08:10:21 2025
type=AVC msg=audit(1738685421.680:948): avc:  denied  { read } for  pid=30834 comm="systemd-hostnam" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0


rhatdan commented Feb 4, 2025

Only one of those has anything about containers, but you could probably fix most of them via

sudo restorecon -R -v /etc

On the host.
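The triage described in the comment above (one container denial among many host-labelling denials), as an added example that is not part of the original thread. The sample records are copied from the dump posted here; the function names and the three bucket names are assumptions of this sketch.

```python
import re
from collections import Counter

# Sample records copied from the audit dump posted in this thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1738678848.841:56): avc:  denied  { read } for  pid=1039 comm="chronyd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 06:20:48 2025
type=AVC msg=audit(1738678848.841:57): avc:  denied  { read } for  pid=1039 comm="chronyd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1738678848.943:80): avc:  denied  { read } for  pid=1081 comm="sshd" name="localtime" dev="vda4" ino=15423 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1738680634.377:686): avc:  denied  { read } for  pid=16835 comm="pip" name="requirements-build.txt" dev="vda4" ino=144775105 scontext=system_u:system_r:container_t:s0:c377,c666 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1738689991.949:262): avc:  denied  { getattr } for  pid=2239 comm="coreos-boot-mou" path="/run/coreos/bootfs_uuid" dev="tmpfs" ino=1100 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((\d+\.\d+):(\d+)\): avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this sketch: only container_t counts as "inside a container".
CONTAINER_DOMAINS = {"container_t"}


def split_context(ctx):
    """Return (type, level) from user:role:type[:level]."""
    parts = ctx.split(":", 3)
    return parts[2], parts[3] if len(parts) > 3 else ""


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    _ts, serial, perms, rest = m.groups()
    kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    s_type, s_level = split_context(kv["scontext"])
    t_type, t_level = split_context(kv["tcontext"])
    return {
        "serial": int(serial),
        "perms": tuple(perms.split()),
        "comm": kv.get("comm", ""),
        "object": kv.get("path") or kv.get("name", ""),
        "source_type": s_type, "source_level": s_level,
        "target_type": t_type, "target_level": t_level,
        "tclass": kv.get("tclass", ""),
        "enforced": kv.get("permissive") == "0",  # permissive=1 is logged, not blocked
    }


def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def triage(rec):
    """Bucket a denial: container process, unlabeled host file, or other."""
    if rec["source_type"] in CONTAINER_DOMAINS:
        return "container"
    if rec["target_type"] == "unlabeled_t":
        return "host-unlabeled"  # the kind a restorecon on the host addresses
    return "other"


def summarize(records):
    """Collapse repeats into (source type, target type, class, perms) counts."""
    return Counter(
        (r["source_type"], r["target_type"], r["tclass"], " ".join(r["perms"]))
        for r in records
    )


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(triage(rec), rec["comm"], rec["object"],
              rec["source_type"], "->", rec["target_type"], rec["enforced"])
```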


rhatdan commented Feb 4, 2025

The AVC I am seeing looks like your Containerfile should have fixed it.

Could you try this again in enforcing mode and then send me the AVCs again?

BTW you could also do

sudo cat /dev/null > /var/log/audit/audit.log

Author

kush-gupt commented Feb 4, 2025

Those AVCs did come from an SELinux-enforcing podman machine. I created a new machine and ran the failing build:

The new AVC that popped up after attempting a build with the Dockerfile.arm is:

----
time->Tue Feb  4 12:29:33 2025
type=AVC msg=audit(1738690173.501:425): avc:  denied  { read } for  pid=10721 comm="pip" name="requirements-build.txt" dev="vda4" ino=209717338 scontext=system_u:system_r:container_t:s0:c438,c483 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=0

Total AVC dump:

----
time->Tue Feb  4 12:26:30 2025
type=AVC msg=audit(1738689990.704:88): avc:  denied  { read } for  pid=1776 comm="chronyd" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:30 2025
type=AVC msg=audit(1738689990.747:105): avc:  denied  { read } for  pid=1792 comm="systemd-hostnam" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:30 2025
type=AVC msg=audit(1738689990.765:109): avc:  denied  { read } for  pid=1815 comm="sshd" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:30 2025
type=AVC msg=audit(1738689990.908:113): avc:  denied  { read } for  pid=1885 comm="sshd-session" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:30 2025
type=AVC msg=audit(1738689990.962:123): avc:  denied  { read } for  pid=1883 comm="sshd-session" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.204:132): avc:  denied  { read } for  pid=1933 comm="sshd-session" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.468:195): avc:  denied  { read } for  pid=1994 comm="sshd-session" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.492:204): avc:  denied  { read } for  pid=1995 comm="sshd-session" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.548:225): avc:  denied  { read } for  pid=1967 comm="login" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.549:227): avc:  denied  { read } for  pid=1968 comm="login" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.853:249): avc:  denied  { read } for  pid=2167 comm="sshd-session" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.949:262): avc:  denied  { getattr } for  pid=2239 comm="coreos-boot-mou" path="/run/coreos/bootfs_uuid" dev="tmpfs" ino=1100 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.951:263): avc:  denied  { read } for  pid=2256 comm="cat" name="bootfs_uuid" dev="tmpfs" ino=1100 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Tue Feb  4 12:26:31 2025
type=AVC msg=audit(1738689991.951:264): avc:  denied  { open } for  pid=2256 comm="cat" path="/run/coreos/bootfs_uuid" dev="tmpfs" ino=1100 scontext=system_u:system_r:coreos_boot_mount_generator_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Tue Feb  4 12:26:51 2025
type=AVC msg=audit(1738690011.793:327): avc:  denied  { read } for  pid=2333 comm="sshd-session" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:26:51 2025
type=AVC msg=audit(1738690011.816:337): avc:  denied  { read } for  pid=2333 comm="sshd-session" name="localtime" dev="vda4" ino=15561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
time->Tue Feb  4 12:29:33 2025
type=AVC msg=audit(1738690173.501:425): avc:  denied  { read } for  pid=10721 comm="pip" name="requirements-build.txt" dev="vda4" ino=209717338 scontext=system_u:system_r:container_t:s0:c438,c483 tcontext=system_u:object_r:container_var_run_t:s0 tclass=file permissive=0

/dev/null output was:

$ sudo cat /dev/null > /var/log/audit/audit.log
$ cat /var/log/audit/audit.log 
type=USER_ACCT msg=audit(1738690655.760:443): pid=11947 uid=0 auid=0 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="root"
type=USER_CMD msg=audit(1738690655.760:444): pid=11947 uid=0 auid=0 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/roothome" cmd=636174202F6465762F6E756C6C exe="/usr/bin/sudo" terminal=pts/0 res=success'UID="root" AUID="root"
type=CRED_REFR msg=audit(1738690655.761:445): pid=11947 uid=0 auid=0 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="root"
type=USER_START msg=audit(1738690655.764:446): pid=11947 uid=0 auid=0 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="root"
type=USER_END msg=audit(1738690655.767:447): pid=11947 uid=0 auid=0 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="root"
type=CRED_DISP msg=audit(1738690655.767:448): pid=11947 uid=0 auid=0 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="root" AUID="root"

Running podman build with --security-opt label=disable did also let the image build on Dockerfile.arm!


matzew commented Feb 28, 2025

podman build --security-opt label=disable ...

did the trick for me as well

below is my podman info:

host:
  arch: amd64
  buildahVersion: 1.39.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 96.8
    systemPercent: 0.71
    userPercent: 2.48
  cpus: 16
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: workstation
    version: "41"
  eventLogger: journald
  freeLocks: 1817
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.13.4-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 29461180416
  memTotal: 67103371264
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.0-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.0
  ociRuntime:
    name: crun
    package: crun-1.20-2.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.20
      commit: 9c9a76ac11994701dd666c4f0b869ceffb599a66
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250217.ga1e48a0-2.fc41.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.fc41.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 5h 47m 54.00s (Approximately 0.21 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/<USER_NAME>/.config/containers/storage.conf
  containerStore:
    number: 39
    paused: 0
    running: 0
    stopped: 39
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/<USER_NAME>/.local/share/containers/storage
  graphRootAllocated: 1022505254912
  graphRootUsed: 443279003648
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1170
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/<USER_NAME>/.local/share/containers/storage/volumes
version:
  APIVersion: 5.4.0
  BuildOrigin: Fedora Project
  Built: 1739232000
  BuiltTime: Tue Feb 11 01:00:00 2025
  GitCommit: ""
  GoVersion: go1.23.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.0

@ccamacho

ARM images aren't published in Docker Hub -> https://hub.docker.com/r/vllm/vllm-openai/tags is it possible to get them also uploaded there?
