jasonish / docker-suricata

A Suricata Docker image.
https://hub.docker.com/r/jasonish/suricata/
MIT License

chown: cannot read directory '/var/log/suricata': Permission denied #26

Closed hyperreal64 closed 2 years ago

hyperreal64 commented 2 years ago

I get this error when running with podman:

sudo podman run -e PUID=0 -e PGID=0 --name suricata -it --net=host --cap-add=net_raw --cap-add=net_admin --cap-add=sys_nice -v /var/log/suricata:/var/log/suricata jasonish/suricata:latest -i ens3

Output:

Checking for capability sys_nice: yes
Checking for capability net_admin: yes
chown: cannot read directory '/var/log/suricata': Permission denied

The error occurs no matter where I map /var/log/suricata to on the host. The PUID and PGID env settings don't seem to have an effect. I haven't tested this on Docker so this may be specific to podman. I suspect that the user and group ownership on /var/log/suricata being the suricata user in the container has something to do with it.

jasonish commented 2 years ago

This setup works fine for me on plain Fedora 35. I tried PUID/PGID 0, as well as my own user IDs, and the ownership was changed successfully. I wonder if this is further restrictions inside the CoreOS.

I've also typically not seen the PUID/PGID vars used with values of 0. I wonder if the following could work:

I'll try on Fedora SilverBlue in hopes it's closer to Core, but haven't really been able to understand how to install Core.

jasonish commented 2 years ago

Ah, it's SELinux. Try adding :z to your volume, i.e.:

sudo podman run -e PUID=0 -e PGID=0 --name suricata -it --net=host --cap-add=net_raw --cap-add=net_admin --cap-add=sys_nice -v /var/log/suricata:/var/log/suricata:z jasonish/suricata:latest -i ens3

hyperreal64 commented 2 years ago

Yes, using :z on the volume works!
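A preflight check for the SELinux bind-mount problem discussed in this thread, added here as an example and not part of the docker-suricata project: it reads the host directory's SELinux type from an `ls -Zd` line and the podman `-v` spec, and reports whether the mount still needs `:z`. The label lines are constructed samples, and the check assumes SELinux is enforcing on the host.

```shell
#!/bin/sh
# Added example (not from the docker-suricata project). Decides whether a
# podman -v bind mount will be readable inside the container under SELinux.
# Assumption: SELinux is enforcing; `container_file_t` is the type podman
# assigns to the host path when the :z or :Z relabel option is given.

# Returns 0 if the -v spec already carries a relabel option (:z or :Z).
spec_has_relabel() {
    opts=${1#*:}          # strip the host path
    opts=${opts#*:}       # strip the container path, leaving the option list
    case ",$opts," in
        *,z,*|*,Z,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the SELinux type (third field of the context) from an `ls -Zd` line,
# e.g. "unconfined_u:object_r:var_log_t:s0 /var/log/suricata" -> var_log_t
label_type() {
    ctx=${1%% *}                  # the context is the first field
    ctx=${ctx#*:}; ctx=${ctx#*:}  # drop the SELinux user and role
    printf '%s\n' "${ctx%%:*}"    # keep the type, drop the MLS level
}

# Returns 0 when the mount is expected to work, 1 when it needs :z / :Z.
mount_ok() {
    spec=$1; lsz_line=$2
    [ "$(label_type "$lsz_line")" = container_file_t ] && return 0
    spec_has_relabel "$spec" && return 0
    return 1
}

# Constructed inputs mirroring the issue above (label line as `ls -Zd` prints it).
BROKEN='/var/log/suricata:/var/log/suricata'
FIXED='/var/log/suricata:/var/log/suricata:z'
HOST_LABEL='unconfined_u:object_r:var_log_t:s0 /var/log/suricata'

for spec in "$BROKEN" "$FIXED"; do
    if mount_ok "$spec" "$HOST_LABEL"; then
        echo "ok:       -v $spec"
    else
        echo "needs :z  -v $spec"
    fi
done
```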