Running SBOM as gitlab-runner fails with 'permission denied' #36

Open
thepip3r opened this issue Nov 27, 2023 · 0 comments
Labels
bug Something isn't working

thepip3r commented Nov 27, 2023

What happened: When running docker sbom as root, the command works fine. When su-ing over to our 'gitlab-runner' user and installing the plugin for that user, docker reports it as an "invalid plugin" with a "permission denied":

Invalid Plugins:
sbom failed to fetch metadata: fork/exec /home/gitlab-runner/.docker/cli-plugins/docker-sbom: permission denied

What you expected to happen: docker sbom to work for my 'gitlab-runner' user so I can integrate it into our CI/CD processes.

How to reproduce it (as minimally and precisely as possible): Run the install script for docker-sbom as the gitlab-runner user and once installed, just run docker [enter] to see the error.

Anything else we need to know?: Things I've tried or additional outputs:

  • verified permissions on docker-sbom between working instance (root) and non-working instance (gitlab-runner)
  • verified owner was properly set as root for root and gitlab-runner for gitlab-runner
    • but also tried changing gitlab-runner's docker-sbom's owner to 'root' and received the same error
  • all of these tests were run with SELinux off (for testing)
    • /var/log/audit/audit.log was additionally not showing any block/deny actions for docker sbom or sbom prior to being disabled for testing (setenforce 0)
  • output of id as gitlab-runner: uid=1002(gitlab-runner) gid=1002(gitlab-runner) groups=1002(gitlab-runner),979(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  • gitlab-runner can successfully run other docker commands, e.g.: build, tag, push, images, ps, etc. (all other commands we use in our pipeline)

Environment:

  • OS: RHEL 8.9
  • Output of docker version: Docker version 24.0.7, build afdd53b
  • Output of docker sbom version: sbom-cli-plugin 0.6.1, build 02cf1c8
@thepip3r thepip3r added the bug Something isn't working label Nov 27, 2023