Closed elpepino89 closed 5 months ago
Looks to me like you have a labeling issue on your homedir, which is either caused by container-selinux blowing up on install or somehow labeling in the /home/podman directory is screwed up.
sudo dnf -y reinstall container-selinux
sudo restorecon -R -v /home/podman/
Does this change the labels?
Where is there a fusefs_t file system? Fuse-overlay?
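A way to answer "Does this change the labels?" for the named volume itself, as an added example that is not part of the issue thread or of podman: it resolves the volume's backing directory, compares the SELinux type it actually carries with the type the file-context database expects, and runs the same restorecon the maintainer suggested when they disagree. Assumptions: a Fedora-style host with policycoreutils (matchpathcon, restorecon) installed, podman available to the rootless user, and the volume name checkmk_sites taken from the reproduction command; the type-only comparison is this example's own choice, since MCS categories legitimately differ between a default label and a running container's label.

```shell
#!/bin/sh
# Added example (not from the issue or from podman): check whether the
# directory backing a rootless podman named volume carries the SELinux type
# that the file-context database expects, and relabel it if not.
# Assumes policycoreutils (matchpathcon, restorecon) and podman are installed.

# Extract the type field (third colon-separated field) from an SELinux
# context such as "unconfined_u:object_r:container_file_t:s0:c12,c34".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the type of the label a path actually carries ($1) with the type
# the policy says it should have ($2). Returns 0 when they agree, 1 otherwise.
# Only the type is compared: the MCS categories (c12,c34) legitimately differ
# between the default label and the per-container label podman assigns.
labels_match() {
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# Live check for a named volume. Resolves the volume's mountpoint with
# podman, reads its current label (ls -dZ) and the default label from the
# file-context database (matchpathcon -n), and runs restorecon when the
# types differ. Returns 2 if the volume does not exist.
check_volume() {
    vol="$1"
    mp=$(podman volume inspect --format '{{.Mountpoint}}' "$vol") || return 2
    actual=$(ls -dZ "$mp" | awk '{ print $1 }')
    expected=$(matchpathcon -n "$mp")
    printf 'volume %s at %s\n  actual:   %s\n  expected: %s\n' \
        "$vol" "$mp" "$actual" "$expected"
    if labels_match "$actual" "$expected"; then
        echo "  label type OK"
        return 0
    fi
    echo "  label type differs, relabelling from the file-context database"
    restorecon -R -v "$mp"
}

# Usage: sh check_volume_label.sh checkmk_sites
# The live check only runs when a volume name is given and podman exists.
if [ -n "${1:-}" ] && command -v podman >/dev/null 2>&1; then
    check_volume "$1"
fi
```

If restorecon changes nothing and the container still gets denials, the label on the volume is not the problem and the denial lines from the audit log are the next thing to look at; if the expected label itself looks wrong for a container storage path, that points back at the container-selinux file contexts, which is what the reinstall addresses.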
You are right, perfect! I have done a podman system reset --force and executed your commands, and now the container is working as expected. The system was just a few days old, so maybe it really was a problem during install. Next time I'll try setting up a new system first, just to be sure I'm not wasting your time. Sorry for that.
Thank you for your quick reply (and for your blog posts as well).
> Where is there a fusefs_t file system? Fuse-overlay?

The only fuse-overlay I am using is in the storage.conf (mount_program = "/usr/bin/fuse-overlayfs").
Issue Description
I am using a rootless podman container, which gets access denied errors when trying to initialize the data structure on a named volume. In the SELinux log there are entries like:
Steps to reproduce the issue
podman run --rm -it -v checkmk_sites:/omd/sites/ docker.io/checkmk/check-mk-raw:2.2.0-latest
Describe the results you received
Describe the results you expected
The init process of checkmk should go through initializing the directory /omd/sites.
podman info output
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
No
Additional environment details
Additional information
If I make some adjustments to the command it works, so the SELinux problem is specific to the volume. Examples are:
with tmpfs instead of volume:
podman run --rm -it --tmpfs /omd/sites/ docker.io/checkmk/check-mk-raw:2.2.0-latest
without volume:
podman run --rm -it docker.io/checkmk/check-mk-raw:2.2.0-latest
with disabled selinux:
podman run --rm -it --security-opt label=disable -v checkmk_sites:/omd/sites/ docker.io/checkmk/check-mk-raw:2.2.0-latest
In addition I also tried to add a custom SELinux module generated with
audit2allow -a -M podman_checkmk_policy
After installing the module, the rootless container works without any issues. To be honest I don't have much experience with SELinux, so I do not know if the rule update is fine or if it opens a security hole.
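Reading the module before installing it is how one judges what audit2allow -M produced, so here is an added example that is not from the issue, from podman or from the SELinux tooling: it parses the allow rules out of the .te source file that audit2allow writes next to the .pp, and lists the rules whose target type lies outside the container_* family. The .te content below is constructed for this example, because the actual denials are not shown on the page, and the "target type outside container_*" heuristic is this example's own; a real module must be read in full.

```shell
#!/bin/sh
# Added example (not from the issue, podman or audit2allow): inspect the .te
# source that audit2allow -M writes before installing the .pp module.
# The sample module below is constructed; the issue's real denials are not
# shown, so its rules are hypothetical.

# Print every "allow SRC TGT:CLASS PERMS;" rule of a .te file as
# "SRC TGT CLASS perm1,perm2,...", one rule per line.
allow_rules() {
    awk '$1 == "allow" {
        split($3, tc, ":")                 # "user_home_t:dir" -> type, class
        perms = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "{" || $i == "}" || $i == "};") continue
            if (perms != "") perms = perms ","
            perms = perms $i
        }
        sub(/;$/, "", perms)               # single-permission form "read;"
        print $2, tc[1], tc[2], perms
    }' "$1"
}

# Heuristic: a rule whose target type is not a container_* type lets a
# container domain reach a host type (home directories, system files, ...),
# and once loaded it applies to every container confined by that domain,
# not only to the one whose denials were collected. Those rules are the ones
# to read closely; relabelling the data is usually the alternative.
broad_rules() {
    allow_rules "$1" | awk '$2 !~ /^container_/'
}

# Constructed sample in the layout audit2allow emits (hypothetical rules).
write_sample_te() {
    cat > "$1" <<'EOF'
module podman_checkmk_policy 1.0;

require {
	type container_t;
	type container_file_t;
	type user_home_t;
	class dir { add_name create write };
	class file { create open write };
}

#============= container_t ==============
allow container_t container_file_t:dir write;
allow container_t user_home_t:dir { add_name create write };
allow container_t user_home_t:file { create open write };
EOF
}

# Usage: sh review_te.sh podman_checkmk_policy.te
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    echo "all allow rules:"
    allow_rules "$1"
    echo "rules whose target type is outside container_*:"
    broad_rules "$1"
fi
```

On the constructed sample the second list contains the two user_home_t rules: they would let any container in container_t create and write files under the user's home directory, which is why restoring the labels on the storage directory is preferable to loading such a module.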