[DSE-Dev] Bug#984879: podman does not work on Debian with selinux loaded

Laurent Bigonville bigon at debian.org
Thu May 13 09:14:38 BST 2021

Hello Reinhard,

I see that you reassigned this bug to the refpolicy package and FTR I 
don't completely agree with that.

Most of the other applications that manipulates SELinux objects are 
behaving nicely when they are running in permissive and the policy is 
not including the type they needed.

So having the policy implement the needed types is good for a security 
perspective, but podman shouldn't fail hard (and without a clear message).

This was partially addressed upstream in 
https://github.com/containers/storage/pull/879 (still need to test it)

 From a SELinux policy perspective, the main problem is that the 
"container" policy is 100% Red Hat specific and has not been upstreamed 
and the difficulty is that the RH SELinux policy is heavily patched 
compared to the debian and upstream one.

Not exactly sure what to do though.

Kind regards,

Laurent Bigonville

More information about the SELinux-devel mailing list