Podman And Selinux
Volume Labels
Instead of using -v ./linx-config.ini:/data/config.ini
Use -v ./linx-config.ini:/data/config.ini:Z
The :Z is IMPORTANT
https://stackoverflow.com/questions/58443334/why-does-podman-report-not-enough-ids-available-in-namespace-with-different-ui
:z is shared and :Z is private
“Shared” means that multiple containers can share the volume; “unshared” says that they can’t. In a little more detail,
:z labels the volume inside each container with the appropriate label (container_file_t), and any given volume can be mounted inside multiple containers in parallel, and all running containers with the volume mount will have access to it. Any change made by the host, or any running container, will be visible to all running containers.
“Private” means that in addition, the label used inside the container will be private to that container. There’s no additional layering at the file system level, so this effectively means that the content is labelled privately even from the host’s perspective. Containers with the same mount can’t share their access to it — at least with Podman, the last container wins, and is the only container with access to the volume. The opposite of “private” here would be “shared” in my mind, which would explain why there’s no opposing term in the documentation (“shared shared label”).
https://www.redhat.com/sysadmin/supplemental-groups-podman-containers
Thus, the :z option is critical as it tells podman to at least set the context to system_u:object_r:container_file_t:s0.
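An added example, not from this note or from podman, that lints the -v values of a podman run command for the relabel options discussed above. It assumes the documented SRC:DST[:OPTIONS] syntax and only inspects the flag strings; it never runs podman or touches SELinux.

```python
"""Lint podman -v bind-mount specs for SELinux relabel options (added example)."""

# "z" = shared relabel: container_file_t, usable by several containers at once
# "Z" = private relabel: adds a per-container MCS category, last container wins
RELABEL_OPTS = {"z", "Z"}


def parse_volume(spec):
    """Split 'SRC:DST[:opt1,opt2]' into (src, dst, set_of_options)."""
    parts = spec.split(":")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("volume spec needs SRC:DST: %r" % spec)
    opts = set(parts[2].split(",")) if len(parts) > 2 and parts[2] else set()
    return parts[0], parts[1], opts


def is_bind_mount(src):
    """Host paths start with / or .; anything else is a named volume, which
    podman labels itself, so :z/:Z only matters for bind mounts."""
    return src.startswith(("/", "."))


def check_volumes(specs, shared_sources=()):
    """Return (code, spec) findings for the -v values of one `podman run`.

    missing_relabel : bind mount without :z/:Z; unless the host path already
                      carries container_file_t (e.g. set with chcon), SELinux
                      denies the container access in enforcing mode
    private_shared  : :Z on a host path that other containers also mount;
                      only the last container to start keeps access
    shared_sources is the set of host paths other containers bind-mount.
    """
    findings = []
    for spec in specs:
        src, _dst, opts = parse_volume(spec)
        if not is_bind_mount(src):
            continue
        labels = opts & RELABEL_OPTS
        if not labels:
            findings.append(("missing_relabel", spec))
        elif "Z" in labels and src in shared_sources:
            findings.append(("private_shared", spec))
    return findings


if __name__ == "__main__":
    # Constructed sample: the note's own mount, with and without :Z
    for spec in ("./linx-config.ini:/data/config.ini",
                 "./linx-config.ini:/data/config.ini:Z"):
        print(spec, "->", check_volumes([spec]) or "ok")
```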
SELINUX context for container access to directories
https://www.redhat.com/sysadmin/supplemental-groups-podman-containers
Change the SELinux type of the directory so that containers can use it:
# chcon -t container_file_t /mnt/engineering
Issues building with [[Buildah]]
Error unpacking rpm package libsemanage-2.9-9.el8_6.x86_64
  Cleanup          : dbus-1:1.12.8-24.el8.x86_64                                  33/60
error: unpacking of archive failed on file /usr/lib/.build-id/72/3eabcf9ed221dfed1c7d40786459283852143b;64e8a984: cpio: utime
error: libsemanage-2.9-9.el8_6.x86_64: install failed
I believe this is the sealert message about it
SELinux is preventing fuse-overlayfs from setattr access on the lnk_file 1460.
*****  Plugin catchall (100. confidence) suggests   **************************
If you believe that fuse-overlayfs should be allowed setattr access on the 1460 lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fuse-overlayfs' --raw | audit2allow -M my-fuseoverlayfs
# semodule -i my-fuseoverlayfs.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                1460 [ lnk_file ]
Source                        fuse-overlayfs
Source Path                   fuse-overlayfs
Port                          <Unknown>
Host                          lapie-lx-dt
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lapie-lx-dt
Platform                      Linux lapie-lx-dt 3.10.0-1160.21.1.el7.x86_64 #1 SMP Mon Feb 22 18:03:13 EST 2021 x86_64 x86_64
Alert Count                   182
First Seen                    2023-08-24 12:53:19 PDT
Last Seen                     2023-08-24 12:53:53 PDT
Local ID                      358d475c-658b-4201-bdb3-c9e80a769387

Raw Audit Messages
type=AVC msg=audit(1692906833.787:1034): avc:  denied  { setattr } for  pid=18863 comm="fuse-overlayfs" name="1460" dev="proc" ino=6554016 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0

Hash: fuse-overlayfs,unconfined_t,unconfined_t,lnk_file,setattr

- https://blog.christophersmart.com/2021/01/31/podman-volumes-and-selinux/