[DSE-Dev] Bug#984879: podman does not work on Debian with selinux loaded
Laurent Bigonville
bigon at debian.org
Thu May 13 09:14:38 BST 2021
Hello Reinhard,
I see that you reassigned this bug to the refpolicy package and FTR I
don't completely agree with that.
Most of the other applications that manipulates SELinux objects are
behaving nicely when they are running in permissive and the policy is
not including the type they needed.
So having the policy implement the needed types is good for a security
perspective, but podman shouldn't fail hard (and without a clear message).
This was partially addressed upstream in
https://github.com/containers/storage/pull/879 (still need to test it)
From a SELinux policy perspective, the main problem is that the
"container" policy is 100% Red Hat specific and has not been upstreamed
and the difficulty is that the RH SELinux policy is heavily patched
compared to the debian and upstream one.
Not exactly sure what to do though.
Kind regards,
Laurent Bigonville
More information about the SELinux-devel
mailing list