[Virtio-fs] podman + virtiofs + SElinux issues
From: Vivek Goyal @ 2020-06-18 20:09 UTC
To: virtio-fs-list, Daniel J Walsh; +Cc: Giuseppe Scrivano

Hi Dan,

I tried to run podman with virtiofs and ran into SELinux issues.

# mount -t virtiofs myfs /mnt/virtiofs/
# mount --bind /mnt/virtiofs/containers /var/lib/containers/
# podman run -ti fedora bash

# podman run -ti fedora bash
Trying to pull registry.fedoraproject.org/fedora...
Getting image source signatures
Copying blob 1657ffead824 done
Copying config eb7134a03c done
Writing manifest to image destination
Storing signatures
bash: error while loading shared libraries: /lib64/libc.so.6: cannot apply additional memory protection after relocation: Permission denied

I see the following in the audit logs:

type=AVC msg=audit(1592510365.898:387): avc:  denied  { read } for  pid=5770 comm="bash" path="/usr/lib64/libc-2.31.so" dev="virtiofs" ino=2757637 scontext=system_u:system_r:container_t:s0:c211,c761 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

We had discussed that we will need to disable SELinux in the guest so that
the host policy continues to work. Right now I don't think guest SELinux
labels are stored on the host.

Can I do a context mount of virtiofs to fake labels which are
compatible with system_u:system_r:container_t:s0:c211,c761, so that
I don't have to disable SELinux for the whole container?

Thanks
Vivek
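
One way to triage the denial quoted above, as an added example that is not part of the mail or of the virtio-fs project: parse the AVC record, flag denials whose target is unlabeled_t on the virtiofs device (the symptom of host labels not reaching the guest), and derive the context= mount option that the mail asks about, carrying the same MLS categories as the container's domain. The container_file_t type and the second, contrasting audit record are assumptions.

```python
import re

# Constructed sample: the AVC record from the mail, plus an assumed second
# record from a filesystem that does carry labels, for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1592510365.898:387): avc:  denied  { read } for  pid=5770 comm="bash" path="/usr/lib64/libc-2.31.so" dev="virtiofs" ino=2757637 scontext=system_u:system_r:container_t:s0:c211,c761 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1592510366.101:388): avc:  denied  { write } for  pid=5771 comm="bash" path="/tmp/x" dev="tmpfs" ino=12 scontext=system_u:system_r:container_t:s0:c211,c761 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one AVC audit line into a dict of its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec

def context_parts(ctx):
    """Split user:role:type:level; the level itself may contain ':'."""
    return ctx.split(":", 3)

def is_unlabeled_denial(rec, dev="virtiofs"):
    """True when a denial hits an unlabeled_t object on the given device."""
    if rec is None or rec["result"] != "denied":
        return False
    _, _, ttype, _ = context_parts(rec["tcontext"])
    return rec.get("dev") == dev and ttype == "unlabeled_t"

def suggested_context_mount(rec, file_type="container_file_t"):
    """Build a context= mount option whose level matches the denied domain.
    file_type is an assumption (container-selinux's container_file_t);
    check it against the policy actually loaded on the host."""
    user, _, _, level = context_parts(rec["scontext"])
    return f'context="{user}:object_r:{file_type}:{level}"'

def triage(audit_text):
    """Return (comm, path, suggested mount option) for each flagged denial."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if is_unlabeled_denial(rec):
            findings.append((rec["comm"], rec["path"], suggested_context_mount(rec)))
    return findings
```

Feed it the output of `ausearch -m AVC` to see which denials stem from missing labels rather than from a genuine policy violation.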

