archlinuxhardened / selinux

PKGBUILDs to build SELinux enabled packages for Arch Linux

selinux and rootless podman #109

Open OneMoreByte opened 2 years ago

OneMoreByte commented 2 years ago

Hi

I've been struggling getting podman to run containers rootless.

When I try running containers as an unprivileged user I get something like this:

$ podman run ubuntu
Error: lsetxattr /run/user/1000/containers/overlay-containers/98cd831d270613ae8cd5f245a08ebf14fedf62ca99bfeaf518b8e23dfbe8bcff/userdata/resolv.conf: invalid argument

Does anyone know off hand what I might need to change in the arch policy to get it working?

Bai-Chiang commented 1 year ago

I also have a similar issue under permissive mode.

Quallenauge commented 2 months ago

I stumbled over this one too.

podman run -it \
registry.access.redhat.com/ubi8/ubi:8.4 bash -c 'ls -laZ /etc/resolv.conf'

Error: lsetxattr /run/user/1000/containers/overlay-containers/e25a662bd53a160ca620acf492f87d3efd50c48f97612d9eb6ce0ee2aba0bc4a/userdata/hosts: invalid argument

And I don't know if it is relevant, but in root mode the file labels for /etc/hosts and /etc/resolv.conf are broken too:

sudo podman run -it \
registry.access.redhat.com/ubi8/ubi:8.4 bash -c 'ls -laZ /etc/redhat-release /etc/resolv.conf /etc/hosts'
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t      151 Jul 10 22:01 /etc/hosts
-rw-r--r--. 1 root root system_u:object_r:container_file_t  45 Mar 31  2021 /etc/redhat-release
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t       23 Jul 10 22:01 /etc/resolv.conf

Using

Not sure if it helps, but here's the inspect data:


On Fedora Live CD the same command succeeds as expected and gives the correct file labels.
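A label audit for the kind of output quoted in this thread, as an added example that is not part of the thread or of the archlinuxhardened project: it parses `ls -laZ` rows and reports every file whose SELinux type differs from the container's mount-label type (container_file_t, as seen on /etc/redhat-release in the root-mode output above), which is how the unlabeled_t entries on /etc/hosts and /etc/resolv.conf would be caught in a check.

```python
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    path: str
    user: str
    role: str
    type: str
    level: str  # "" when the context has no MLS/MCS part


# Columns: perms links owner group context size month day time-or-year path
_LS_Z = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<ctx>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)


def parse_context(ctx: str):
    """Split user:role:type[:level] into four parts (level is "" if absent)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return tuple(parts + [""] * (4 - len(parts)))


def parse_ls_z(output: str) -> List[Entry]:
    """Parse `ls -laZ` rows; lines that are not file rows are skipped."""
    entries = []
    for line in output.splitlines():
        m = _LS_Z.match(line.strip())
        if m:
            user, role, typ, level = parse_context(m.group("ctx"))
            entries.append(Entry(m.group("path"), user, role, typ, level))
    return entries


def find_mislabeled(entries, expected_type="container_file_t") -> Dict[str, str]:
    """Map path -> actual type for every file not labeled expected_type."""
    return {e.path: e.type for e in entries if e.type != expected_type}


# Constructed sample input: the three rows quoted in the thread above.
SAMPLE = """\
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t      151 Jul 10 22:01 /etc/hosts
-rw-r--r--. 1 root root system_u:object_r:container_file_t  45 Mar 31  2021 /etc/redhat-release
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t       23 Jul 10 22:01 /etc/resolv.conf
"""
```

Running `find_mislabeled(parse_ls_z(SAMPLE))` returns the two unlabeled_t files; feed it the real `podman run ... ls -laZ` output to check a live container.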