[Virtio-fs] podman + virtiofs + SElinux issues

Vivek Goyal vgoyal at redhat.com
Thu Jun 18 20:09:02 UTC 2020


Hi Dan,

I tried to run podman with virtiofs and ran into SELinux issues.

# mount -t virtiofs myfs /mnt/virtiofs/
# mount --bind /mnt/virtiofs/containers /var/lib/containers/
# podman run -ti fedora bash

# podman run -ti fedora bash
Trying to pull registry.fedoraproject.org/fedora...
Getting image source signatures
Copying blob 1657ffead824 done
Copying config eb7134a03c done
Writing manifest to image destination
Storing signatures
bash: error while loading shared libraries: /lib64/libc.so.6: cannot apply additional memory protection after relocation: Permission denied

I see the following in audit.log:

type=AVC msg=audit(1592510365.898:387): avc:  denied  { read } for  pid=5770 comm="bash" path="/usr/lib64/libc-2.31.so" dev="virtiofs" ino=2757637 scontext=system_u:system_r:container_t:s0:c211,c761 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

We had discussed that we will need to disable SELinux in the guest so that
the host policy continues to work. Right now I don't think guest SELinux
labels are stored on the host.

Can I do a context mount of virtiofs to fake labels which are compatible
with system_u:system_r:container_t:s0:c211,c761, so that I don't have to
disable SELinux for the whole container?

Thanks
Vivek
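As an added example (not from the message above or from the virtio-fs project), here is a small audit-log scanner that parses AVC records and flags the exact symptom described: denials where the target object is unlabeled_t on a virtiofs mount, which is what the guest sees when guest labels are not stored on the host. The sample log embeds the AVC line quoted above plus a second, constructed record for a non-virtiofs denial, so the filter has something to reject.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the message above, plus a
# second, made-up record (dm-0 / etc_t) that is NOT a virtiofs label problem.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1592510365.898:387): avc:  denied  { read } for  pid=5770 comm="bash" path="/usr/lib64/libc-2.31.so" dev="virtiofs" ino=2757637 scontext=system_u:system_r:container_t:s0:c211,c761 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1592510400.100:390): avc:  denied  { write } for  pid=5800 comm="bash" path="/etc/hosts" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c211,c761 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass
class AvcRecord:
    decision: str
    perms: tuple
    fields: dict

def parse_avc(line):
    """Parse one AVC audit line; return None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcRecord(m.group('decision'), tuple(m.group('perms').split()), fields)

def context_type(ctx):
    """Return the type component (third field) of an SELinux context string."""
    return ctx.split(':')[2]

def is_unlabeled_virtiofs_denial(rec):
    """True for a denial whose target is unlabeled_t on a virtiofs mount: the
    guest policy has no stored label for the file, so every access is judged
    against unlabeled_t rather than the label the container would need."""
    return (rec is not None and rec.decision == 'denied'
            and rec.fields.get('dev') == 'virtiofs'
            and context_type(rec.fields.get('tcontext', '::')) == 'unlabeled_t')

def scan(log_text):
    """Return (pid, comm, path, perms) for each virtiofs unlabeled_t denial."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if is_unlabeled_virtiofs_denial(rec):
            f = rec.fields
            hits.append((int(f['pid']), f['comm'], f['path'], rec.perms))
    return hits

if __name__ == '__main__':
    for hit in scan(SAMPLE_AUDIT_LOG):
        print(hit)
```

Run it against a real /var/log/audit/audit.log to separate "the mount has no usable labels" denials from ordinary policy denials before deciding whether a context mount or a policy change is the right fix.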
