fedora-silverblue / issue-tracker

Fedora Silverblue issue tracker
https://fedoraproject.org/atomic-desktops/silverblue/

Podman does not respect UID/GID set #450

Closed francoism90 closed 1 year ago

francoism90 commented 1 year ago

This issue tracker is intended only for Silverblue specific issues. We would like to ask you to try to reproduce the issue on a relevant Fedora Workstation release. If you will be able to reproduce there, then please report it in Red Hat Bugzilla (see How to file a bug) or in upstream (preferred for GNOME projects) and not in this issue tracker.

Describe the bug I'm really confused, but it does seem SELinux on Fedora Silverblue blocks Podman containers running rootless from writing to a mounted volume:

time->Sun Apr 16 12:41:35 2023
type=AVC msg=audit(1681641695.065:959): avc:  denied  { open } for  pid=30365 comm="cat" path="/src/foo.txt" dev="dm-0" ino=9832898 scontext=system_u:system_r:container_t:s0:c32,c472 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

I also need to explicitly use uid and gid to get it working for rootless mode:

PODMAN_USERNS=keep-id:uid=1000,gid=1000 podman-compose up

It seems to be a configuration issue with the distro, as it seems to work fine with others (incl. Arch). Do you have any idea? The mount is on my home folder.

To Reproduce Please describe the steps needed to reproduce the bug:

  1. PODMAN_USERNS=keep-id:uid=1000,gid=1000 podman-compose up (or just podman command)
  2. Results in Permission Denied errors from SELinux (temporarily disabling this fixes the issue)

Expected behavior Respect UID/GID in Podman containers and have SELinux permissions to do so.

Screenshots If applicable, add screenshots to help explain your problem.

OS version:

$ rpm-ostree status -b
State: idle
BootedDeployment:
● fedora:fedora/37/x86_64/silverblue
                  Version: 37.20230416.0 (2023-04-16T00:44:33Z)
               BaseCommit: 6839ba8eb19eb9b6cb87d947ddb80c0280eeaa35669590bccc1c051a26720bfe
             GPGSignature: Valid signature by ACB5EE4E831C74BB7C168D27F55AD3FB5323552A
      RemovedBasePackages: firefox firefox-langpacks 112.0-3.fc37
          LayeredPackages: btrfsmaintenance containerd.io dnf-plugins-core docker-ce docker-ce-cli docker-compose-plugin firewall-config fzf gnome-tweaks google-roboto-fonts
                           gstreamer1-plugin-openh264 gstreamer1-plugins-bad-freeworld gstreamer1-plugins-good-extras gstreamer1-plugins-good-gtk gstreamer1-plugins-ugly
                           gstreamer1-vaapi langpacks-en libde265 libvirt lm_sensors mozilla-fira-mono-fonts nss-tools openssl podman-compose powerline-fonts pygmentize
                           rpmfusion-free-release rpmfusion-nonfree-release samba tmux virt-manager x265 zsh zsh-autosuggestions zsh-syntax-highlighting

Additional context I didn't test without rootless mode.

travier commented 1 year ago

If you want to share files with a given container, you might want to look at the :z / :Z options in podman to make sure the SELinux labels are correct.

I'm going to close this one given that podman-compose is not included in Silverblue by default. Please reach out to the upstream project.
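As an added example (not code from the issue, the reporter, or the Silverblue project), the script below parses AVC records in the format quoted in the report and sorts each container denial into the case the reply above addresses: a volume still carrying its host label (such as user_home_t) that needs a :z or :Z bind-mount, versus a volume already labelled container_file_t but with another container's private MCS categories. The first sample line is the one from the report; the other two lines are constructed here for illustration, and the ADVICE strings are this example's own wording rather than project documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: line 1 is the AVC record quoted in the issue; lines 2-3
# are made up here for illustration (a second container denied on a volume that a
# different container already relabelled with :Z, and a non-AVC record to skip).
# Note that permissive=1 means the denial was logged but not enforced.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1681641695.065:959): avc:  denied  { open } for  pid=30365 comm="cat" path="/src/foo.txt" dev="dm-0" ino=9832898 scontext=system_u:system_r:container_t:s0:c32,c472 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681641700.000:960): avc:  denied  { write } for  pid=30370 comm="touch" path="/src/bar.txt" dev="dm-0" ino=9832899 scontext=system_u:system_r:container_t:s0:c32,c472 tcontext=system_u:object_r:container_file_t:s0:c10,c20 tclass=file permissive=0
type=SYSCALL msg=audit(1681641695.065:959): arch=c000003e syscall=257 success=yes exit=3
"""

# One regex over the key=value fields of an AVC record; path and permissive are optional.
AVC_RE = re.compile(
    r'type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'(?:.*?\bpath="(?P<path>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

# Remediation text is this example's own wording (assumption), not podman documentation.
ADVICE = {
    "relabel_needed": "volume is not labelled container_file_t; bind-mount it with :Z (private) or :z (shared) so podman relabels it",
    "mcs_mismatch": "volume carries another container's private :Z categories; use :z for a volume shared between containers",
    "not_container": "source domain is not container_t; not a podman volume labelling problem",
    "other": "container denial with matching labels; look at the permission and class, not the volume label",
}


@dataclass
class AvcDenial:
    decision: str
    perms: list
    comm: str
    path: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: Optional[bool]

    @staticmethod
    def _type(ctx: str) -> str:
        # user:role:type:level -> type
        return ctx.split(":")[2]

    @staticmethod
    def _level(ctx: str) -> str:
        # user:role:type:level -> level (sensitivity plus any MCS categories)
        return ":".join(ctx.split(":")[3:])

    @property
    def kind(self) -> str:
        if self._type(self.scontext) != "container_t":
            return "not_container"
        if self._type(self.tcontext) != "container_file_t":
            return "relabel_needed"
        if self._level(self.scontext) != self._level(self.tcontext):
            return "mcs_mismatch"
        return "other"


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcDenial(
        decision=m["decision"],
        perms=m["perms"].split(),
        comm=m["comm"],
        path=m["path"],
        scontext=m["scontext"],
        tcontext=m["tcontext"],
        tclass=m["tclass"],
        permissive=None if m["permissive"] is None else m["permissive"] == "1",
    )


def triage(text: str) -> list:
    """Return (kind, comm, path, advice) for every denied AVC record in an audit log."""
    out = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None or d.decision != "denied":
            continue
        out.append((d.kind, d.comm, d.path, ADVICE[d.kind]))
    return out


if __name__ == "__main__":
    for kind, comm, path, advice in triage(SAMPLE_AUDIT):
        print(f"{comm} on {path}: {kind} -> {advice}")
```

Run it against the output of `ausearch -m AVC` (or the audit.log lines themselves) instead of SAMPLE_AUDIT to triage a real system; the first sample line classifies as relabel_needed, which is the :z/:Z case, and the second as mcs_mismatch.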

travier commented 1 year ago

Asking on https://discussion.fedoraproject.org/ might give you more suggestions.